Certificate lookup section
This article describes how to define a set of lookups in the configuration file for Nexus OCSP Responder.
If a requested certificate cannot be found in the certificate cache, you can define a set of lookups. Each lookup queries a remote LDAP directory, in the order defined by the lookup sequence number, until a match is found.
You must also define an LDAP search filter, using the syntax described in RFC 2254, "The String Representation of LDAP Search Filters".
The lookup can be performed in two different ways, depending on how the reference was made in the original data (signed message, certificate, ...).
A certificate may be referred to:
by its subject DN (certificate issuer name)
OR
by issuer DN and certificate serial number (PKCS#7 signer info, OCSP)
A lookup will query for the attributes "userCertificate" and "cACertificate".
The lookup configuration is optional.
Example scenario
Directory structure
This is an example of an X.500/LDAP directory structure (EE = End Entity) where certificates are stored:
c=SE
  o=Acme, Inc.
    cn=Root CA
      <EE certs issued by Root CA>
      ...
    cn=Subordinate CA
      <EE certs issued by Subordinate CA>
      ...
    cn=Another Subordinate CA
      <EE certs issued by Another Subordinate CA>
      ...
  ...
In the example scenario:
The EE (End Entity) LDAP objects have, at least, the following attributes defined:
cn
serialNumber
userCertificate
The CA LDAP objects have, at least, the following attributes defined:
cn
cACertificate
Specify the search
A search is specified relative to a base DN.
The base DN regulates the width of the search (for example, search all of c=SE, or search only among the objects below the Root CA).
To define the depth of the search (just one level down, or the whole subtree), use the LDAP scope, which you define as part of the LDAP URL (see RFC 2255, "The LDAP URL Format").
For subject-related certificate queries (that is, CA certificates), use either the full DN or the commonName (cn) portion of the DN in your filter. For example, this filter will return certificates issued by any of the CAs that have a subject DN matching that of the request:
subjectsearch.searchbase = o=Acme, Inc.,c=SE
subjectsearch.filter = (cn={cn})
Filtering
Initial filtering is done by the server, because the filter requires a match on the cn attribute. In addition, the lookup verifies that the whole subject DN matches.
If instead you want to limit the search to CA certificates only, change the filter like this (where "pkiCA" is the assumed LDAP object class for CA objects):
subjectsearch.searchbase = {dn}
subjectsearch.filter = (objectClass=pkiCA)
For issuer-related certificate queries (that is, CA certificates), use this query ("cn" is the Common Name of the issuer in this case):
issuerserialsearch.searchbase = cn={cn}, o=Acme, Inc.,c=SE
issuerserialsearch.filter = (serialNumber={serialNumber})
Alternatively, use the complete issuer DN:
issuerserialsearch.searchbase = {issuerName}
issuerserialsearch.filter = (serialNumber={serialNumber})
Specify LDAP directory
For each LDAP directory, specify as follows:
ocsp.certs.lookup.<#>.type=ldap
ocsp.certs.lookup.<#>.ldapurl=<URL>
See this table for a description of the constants and values:
Constants and Values | Description
---|---
 | Replace
 | Enter
 | Replace
Subject, Issuer and Certificate Serial Number search
Specify as follows to do a search based on subject, issuer and certificate serial number:
ocsp.certs.lookup.<#>.subjectsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.subjectsearch.filter=<LDAP search filters>
ocsp.certs.lookup.<#>.issuerserialsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.issuerserialsearch.filter=<LDAP search filters>
See this table for a description of the constants and values:
Constants and Values | Description
---|---
 | Replace
<baseDN> | Replace <baseDN> with the identifier that is used in this directory to establish the searchbase.
<LDAP search filters> | Replace <LDAP search filters> with a regular expression defining the filter to be used. See "LDAP Search Filters" below.
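The following is an added example, not part of Nexus OCSP Responder. It reads ocsp.certs.lookup.<#>.* lines into lookups ordered by sequence number (the order in which the text above says they are consulted) and extracts the base DN and search scope from each lookup's LDAP URL in the RFC 2255 form ldap://host[:port]/dn[?attrs[?scope[?filter]]]. The host names in SAMPLE_CONFIG and the function names are constructed for the example.

```python
"""Added example (not Nexus OCSP Responder code): order the configured
lookups and read base DN and scope out of each LDAP URL."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample configuration; key names follow the page, hosts are placeholders.
# Lookup 2 is listed first on purpose to show that sequence number, not file order, decides.
SAMPLE_CONFIG = """
ocsp.certs.lookup.2.type=ldap
ocsp.certs.lookup.2.ldapurl=ldap://ldap2.example.test:389/o=Acme,%20Inc.,c=SE??sub
ocsp.certs.lookup.2.subjectsearch.searchbase={dn}
ocsp.certs.lookup.2.subjectsearch.filter=(objectClass=pkiCA)
ocsp.certs.lookup.1.type=ldap
ocsp.certs.lookup.1.ldapurl=ldap://ldap1.example.test/o=Acme,%20Inc.,c=SE??one
ocsp.certs.lookup.1.subjectsearch.searchbase=o=Acme, Inc.,c=SE
ocsp.certs.lookup.1.subjectsearch.filter=(cn={cn})
ocsp.certs.lookup.1.issuerserialsearch.searchbase={issuerName}
ocsp.certs.lookup.1.issuerserialsearch.filter=(serialNumber={serialNumber})
"""

KEY_RE = re.compile(r"^ocsp\.certs\.lookup\.(\d+)\.([\w.]+)\s*=\s*(.*)$")
VALID_SCOPES = ("base", "one", "sub")


def parse_lookups(text):
    """Group keys by sequence number and return the lookups in that order."""
    by_seq = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        seq, key, value = int(m.group(1)), m.group(2), m.group(3).strip()
        by_seq.setdefault(seq, {"seq": seq})[key] = value
    ordered = [by_seq[s] for s in sorted(by_seq)]
    # Only type=ldap lookups are described on the page; anything else is skipped
    return [lk for lk in ordered if lk.get("type") == "ldap"]


def ldap_url_parts(url):
    """Split an RFC 2255 LDAP URL into host, port, base DN, attributes,
    scope and filter. Scope defaults to 'base' when the URL omits it."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps") or not p.hostname:
        raise ValueError("not an LDAP URL: " + url)
    fields = p.query.split("?")  # [attrs, scope, filter, extensions]
    attrs = [a for a in fields[0].split(",") if a] if fields[0] else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    if scope not in VALID_SCOPES:
        raise ValueError("invalid scope %r in %s" % (scope, url))
    flt = unquote(fields[2]) if len(fields) > 2 and fields[2] else None
    return {
        "host": p.hostname,
        "port": p.port,
        "base_dn": unquote(p.path.lstrip("/")),
        "attributes": attrs,
        "scope": scope,
        "filter": flt,
    }


def lookup_plan(text):
    """Sequence of (seq, host, base DN, scope) in the order lookups are tried."""
    plan = []
    for lk in parse_lookups(text):
        u = ldap_url_parts(lk["ldapurl"])
        plan.append((lk["seq"], u["host"], u["base_dn"], u["scope"]))
    return plan


if __name__ == "__main__":
    for step in lookup_plan(SAMPLE_CONFIG):
        print(step)
```

The scope read from the URL ("one" for lookup 1, "sub" for lookup 2) is what sets the depth of the search, while the searchbase keys set its width, as the "Specify the search" section describes.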
LDAP Search Filters
The LDAP search filters are expressed as a regular expression of the type:
(<attribute name>={<attributevalue>})
The available filters are:
Filter | Description
---|---
{commonName}, {cn}, {dn} | Return the common name or distinguished name of the subject in subject searches, and the common name or distinguished name of the issuer in issuer or serial number searches.
LDAP search filters can also be used in the .searchbase parameter, as shown in the example scenario.