Certificate lookup section

This article describes how to define a set of lookups in the configuration file for Nexus OCSP Responder.

You can define a set of lookups to be used when a requested certificate cannot be found in the certificate cache. Each lookup, in the order defined by its lookup sequence number, queries a remote LDAP directory until a match is found.

You must also define an LDAP search filter, using the syntax described in RFC 2254, The String Representation of LDAP Search Filters.

The lookup can be performed in two different ways, depending on how the reference was made in the original data (signed message, certificate, ...).

A certificate may be referred to:

  • by its subject DN (certificate issuer name)

OR

  • by issuer DN and certificate serial number (PKCS#7 signer info, OCSP)

A lookup will query for the attributes "userCertificate" and "cACertificate".

The lookup configuration is optional.

Example scenario

Directory structure

This is an example of an X.500/LDAP directory structure (EE = End Entity) where certificates are stored:

CODE
c=SE
	o=Acme, Inc.
		cn=Root CA
			<EE certs issued by Root CA>
			...
		cn=Subordinate CA
			<EE certs issued by Subordinate CA>
			...
		cn=Another Subordinate CA
			<EE certs issued by Another Subordinate CA>
			...
			...

In the example scenario:

  • The EE (End Entity) LDAP objects have, at least, the following attributes defined:
    • cn
    • serialNumber
    • userCertificate
  • The CA LDAP objects have, at least, the following attributes defined:
    • cn
    • cACertificate

Specify the search

A search is specified relative to a base DN.

  1. The base DN regulates the width of the search (for example, search all of c=SE, or search only among the objects below the Root CA).
  2. To define the depth of the search (just one level down, or the whole subtree) use the LDAP scope, which you define as part of the LDAP URL (see RFC 2255 The LDAP URL Format).
  3. For subject-related certificate queries (that is, CA certificates), use either the full DN or the commonName (cn) portion of the DN in your filter. For example, this filter will return certificates issued by any of the CAs that have a subject DN matching that of the request:

Example: Subject-related certificate query

CODE
subjectsearch.searchbase = o=Acme, Inc.,c=SE
subjectsearch.filter = (cn={cn})

Filtering

  • Initial filtering is done by the server as the filter requires a match on the CN component/attribute. In addition, the lookup will verify that the whole subject DN matches.
  • If instead you want to limit the search to CA certificates only, change the filter like this (where "pkiCA" is the assumed LDAP object class for CA objects):

    CA certificates query

    CODE
    subjectsearch.searchbase = {dn}
    subjectsearch.filter = (objectClass=pkiCA)
  • For issuer-related certificate queries (that is, CA certificates), use this query ("cn" is the Common Name of the Issuer in this case):

    Issuer-related certificate query

    CODE
    issuerserialsearch.searchbase = cn={cn}, o=Acme, Inc.,c=SE
    issuerserialsearch.filter = (serialNumber={serialNumber})

    Alternatively, use the complete issuer DN:

    CODE
    issuerserialsearch.searchbase = {issuerName} 
    issuerserialsearch.filter = (serialNumber={serialNumber})

Specify LDAP directory

For each LDAP directory, specify as follows:

CODE
ocsp.certs.lookup.<#>.type=ldap
ocsp.certs.lookup.<#>.ldapurl=<URL>

See this table for description of constants and values:

| Constants and values | Description |
|---|---|
| <#> | Replace <#> with the lookup sequence number. |
| ldap | Enter ldap to indicate that the LDAP protocol shall be used. |
| <URL> | Replace <URL> with the URL of the directory. |

Subject, Issuer and Certificate Serial Number search

Specify as follows to do a search based on subject, issuer and certificate serial number:

CODE
ocsp.certs.lookup.<#>.subjectsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.subjectsearch.filter=<LDAP search filters>
ocsp.certs.lookup.<#>.issuerserialsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.issuerserialsearch.filter=<LDAP search filters>

See this table for description of constants and values:

| Constants and values | Description |
|---|---|
| <#> | Replace <#> with the lookup sequence number. |
| <baseDN> | Replace <baseDN> with the identifier that is used in this directory to establish the searchbase. |
| <LDAP search filters> | Replace <LDAP search filters> with a regular expression defining the filter to be used. See "LDAP Search Filters" below. |

LDAP Search Filters

The LDAP search filters are expressed as a regular expression of the type:

CODE
(<attribute name>={<attributevalue>})

The available filters are:

{commonName} | {cn} | {dn} | {issuerName} | {serialNumber}

Enter {commonName} or {cn} to substitute the common name component of the distinguished name in the certificate.
Enter {dn} to substitute the complete distinguished name in the certificate.
Enter {issuerName} to substitute the issuer name in the certificate.
Enter {serialNumber} to substitute the serial number in the certificate.

{commonName} | {cn} | {dn} return the common name or distinguished name of the subject in Subject searches, and the common name or distinguished name of the issuer in Issuer or Serial number searches.

LDAP search filters can also be used in the .searchbase parameter as shown in the example scenario.
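
The substitution described above, written out as an added Python example; it is not Nexus code and does not describe how the product itself expands placeholders. It orders a constructed configuration by lookup sequence number and expands the issuer/serial templates, escaping substituted values per RFC 4515 for filters and RFC 4514 for DN components. The host names, the o=Example base and all function names are assumptions.

```python
import re
# Constructed configuration using this page's property names; hosts are placeholders.
CONFIG = """\
ocsp.certs.lookup.2.type=ldap
ocsp.certs.lookup.2.ldapurl=ldap://backup.example.test/??sub
ocsp.certs.lookup.2.issuerserialsearch.searchbase={issuerName}
ocsp.certs.lookup.2.issuerserialsearch.filter=(serialNumber={serialNumber})
ocsp.certs.lookup.1.type=ldap
ocsp.certs.lookup.1.ldapurl=ldap://dir.example.test/??sub
ocsp.certs.lookup.1.issuerserialsearch.searchbase=cn={cn},o=Example,c=SE
ocsp.certs.lookup.1.issuerserialsearch.filter=(serialNumber={serialNumber})
"""
PLACEHOLDER = re.compile(r"\{(commonName|cn|dn|issuerName|serialNumber)\}")

def escape_filter(value):
    # RFC 4515 (successor to RFC 2254): hex-escape \ * ( ) and NUL in filter values.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def escape_rdn(value):
    # RFC 4514: escape DN specials, a leading space or '#', and a trailing space.
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        special = c in ',+"\\<>;' or (i == 0 and c in " #") or (i == last and c == " ")
        out.append("\\00" if c == "\0" else "\\" + c if special else c)
    return "".join(out)

def parse_lookups(text):
    lookups = {}
    pattern = r"(?m)^ocsp\.certs\.lookup\.(\d+)\.([\w.]+)[ \t]*=[ \t]*(.*)$"
    for num, key, value in re.findall(pattern, text):
        lookups.setdefault(int(num), {})[key] = value.strip()
    return [lookups[n] for n in sorted(lookups)]  # lookup sequence order

def expand(template, values, in_filter):
    def sub(m):
        name, value = m.group(1), values[m.group(1)]
        if in_filter:
            return escape_filter(value)
        # Whole DNs go into a searchbase as-is; single components are escaped.
        return value if name in ("dn", "issuerName") else escape_rdn(value)
    return PLACEHOLDER.sub(sub, template)

def plan_issuer_serial(text, issuer_dn, issuer_cn, serial):
    # In issuer/serial searches {cn} and {dn} take the issuer's values.
    values = {"cn": issuer_cn, "commonName": issuer_cn, "dn": issuer_dn,
              "issuerName": issuer_dn, "serialNumber": serial}
    return [(lk["ldapurl"], expand(lk["issuerserialsearch.searchbase"], values, False),
             expand(lk["issuerserialsearch.filter"], values, True))
            for lk in parse_lookups(text) if lk.get("type") == "ldap"]
```

The escaping matters because the substituted values originate in the request being answered; an unescaped `*` or `,` would change the filter or the searchbase instead of being matched literally.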
