Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes how to configure key stores in the Nexus OCSP Responder configuration file. The respective OCSP responder must sign their responses using a key.

As the Nexus OCSP Responder is answering on behalf of the CA, compromise of the keys could have far going consequences, depending on the trust in the relationship between the CA and the Nexus OCSP Responder. Therefore you should take whatever measures necessary to protect the OCSP responder keys.

You can, for example, use Hardware Security Modules (see Set up hardware token.)

If the OCSP responder keys are compromised, there is an inherent problem in revoking them. A solution to this would be to have a very short life span for the OCSP responder certificates and have them reissued and reinstalled that often. When the keys are revoked, the CA cannot reissue the certificate any more.

Expand/Collapse All

Key location

Keys can be located in:

PKCS#12 file

Nexus OCSP Responder is able to use keys stored in PKCS #12 (.p12) files. This file is pointed to in ocsp.conf.

3rd party devices

Key pairs may also be located in 3rd party devices, such as hardware security modules (HSMs). This can be done if the HSM has a PKCS #11 library (.dll/so file) that allows certificate objects to be stored in the same token as the key pairs. See Initialize Hardware Security Module for use in Certificate Manager for more information. See also Introduction to PKCS#11.

Step-by-step instruction

To be able to find keys, you must always specify at least one key location (key store).

  1. In the Nexus OCSP Responder configuration file, specify as follows:

    key.store.store.<#>=<file>
    key.store.store.<#>.pin=<pin>
    key.store.store.<#>=<file>
    key.store.store.<#>.nopinpad=<false|true>
    key.store.store.<#>.tokenlabel=<label>

    For information on how to encrypt the pin, see Encrypt sensitive configuration parameters.

    See this table for description of constants and values:

    Constants and Values

    Description

    <#>

    Replace <#> with the sequence number.

    <file>

    Replace <file> with either an absolute path or a relative path from <configuration root> to either a PKCS #11 library or a PKCS #12 file.

    <pin>

    Optional. Used for decrypting the PKCS #12 file.

    <nopinpad>

    Optional. Will ignore reports from the PKCS#11 library that the HSM has a protected authentication path, that is, a pin pad reader or some other means of authenticating without passing the PIN through the PKCS#11 library. This setting should not be needed other than in special cases of certain HSM vendors with non-standard PKCS#11 implementations.
    <tokenlabel>Optional. Specifies the token label name of the PKCS#11 token where the signing certificate/key resides. If specified, the PKCS#11 keystore will only make sessions to the specified token. This parameter is optional but highly recommended.

Example:

key.store.store.1 = ocsp_signer.p12
key.store.store.1.pin = 1234
key.store.store.2 = lib/libcs_pkcs11_R2.so
key.store.store.2.nopinpad = false
key.store.store.2.tokenlabel = ocsp-token

Before performing an operation that requires a key, the Nexus OCSP Responder gets the applicable key from the configured key source. Nexus OCSP Responder can use any of the keys available in the configured key stores, as described above in section "Specify key location”. 

The following types of keys may be required by Nexus OCSP Responder:

For signing responses:

Specify one key per supported issuer per OCSP responder.

For signing requests:

Specify one key to be used by the back end client. If this setting is to be overridden by a forwarding OCSP responder, you have to add a corresponding key.

For TLS server authentication:

Specify one key per interface and port that will be used by an OCSP responder or a CRL / CIL provider with type=push, using the HTTPS protocol.

For SSL client authentication:

Specify one key to be used by the back end client. If this setting is to be overridden by a forwarding OCSP responder, you have to add a corresponding key.


  1. When a key is required, a PIN must also be provided. You can specify the PIN value for each key entity in the configuration file (parameter ...pin). For information on how to encrypt the PIN, see Encrypt sensitive configuration parameters.

  2. Specify as follows in the Nexus OCSP Responder configuration file:

    <prefix>.certificate=<certificate pattern> <prefix>.pin=<PIN>

    See this table for description of constants and values:

    Constants and Values

    Description

    <prefix>

    Configuration parameter prefix depending on which type of key is being configured. For example, an OCSP response signing key is configured with the responder.<#>.signer prefix, as shown in OCSP responder section.

    <certificate pattern>

    Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see Introduction to LDAP, heading "LDAP certificate patterns".

    <PIN>

    Replace <PIN> with the PIN for the key pair.

Examples

Example: OCSP response signing

Two OCSP responders are specified with the following URLs:

responder.1.url=http://ocsphost:90/basic
responder.2.url=http://ocsphost:90/cached

The key these responders will use for signing are specified as follows:

responder.1.signer.1.issuerdn=cn=myCA,c=SE
responder.1.signer.1.certificate=&(issuer=myCA*)(serialNumber=72)
responder.1.signer.1.pin=secretPIN1234
responder.2.signer.1.issuerdn=cn=CA3,c=SE
responder.2.signer.1.certificate=cn=User issued by CA3
responder.2.signer.1.pin=secretPIN1234

Example: Back end client

A back end client is specified with the following ...signature.key parameter:

ocsp.client.request.signature.key.certificate=&(cn=myCA*)(keyUsage=DigitalSignature)
ocsp.client.request.signature.key.pin=secretPIN1234

Example: TLS server authentication

Three OCSP-responders are specified with the following URLs:

responder.1.url=https://*:88/secure1
responder.2.url=https://*:88/secure2
responder.3.url=https://ocsphost:89/secure1

The keys these responders will use for TLS server authentication are specified as follows:

responder.1.ssl.certificate=&(cn=ocsphost)(Issuer=TLS Trust CA*)
responder.1.ssl.pin=secretPIN1234
responder.2.ssl.certificate=&(cn=ocsphost)(Issuer=TLS Trust CA*)
responder.2.ssl.pin=secretPIN1234
responder.3.ssl.certificate=cn=Nexus OCSP Responder*
responder.3.ssl.pin=secretPIN1234

Example: TLS client authentication

A back end client uses a TLS client certificate with the following parameter:

ocsp.client.authentication.key.certificate=(serialNumber=72)
ocsp.client.authentication.key.pin=secretPIN1234