
OCSP proxying

This article describes the proxying (request forwarding) used in Nexus OCSP Responder. Proxying is configured per responder; for the full set of responder parameters, see the OCSP responder section.

Example 1

In this example, two urlcheck entries are configured and evaluated in order.

  • If the OCSP request carries a serviceLocator extension, that is, if the queried certificate contains an authorityInformationAccess extension naming an OCSP URL, that URL is tried first. 
  • If no such URL exists, or if the response it returns is not considered valid, Nexus OCSP Responder checks whether the certificate was issued by the Acme TrustCenter CA and, if so, uses a fixed URL for the revocation information.

In the OCSP configuration file, specify as follows:

CODE
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
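
To make the evaluation order concrete, the following is an added Python model of the urlcheck chain in Example 1; it is illustration code written for this page, not part of Nexus OCSP Responder. It reads the same key names as the configuration above, builds the ordered list of candidate URLs (serviceLocator first, then matching table entries) and falls through to the next candidate when a query is reported as invalid. The issuermatch wildcard is assumed to behave as a case-insensitive glob over the issuer DN string; the certificate inputs and the query callback are constructed for the example.

```python
"""Model of the Nexus OCSP Responder urlcheck chain (added illustration, not Nexus code).

The real responder reads ocsp.client.urlcheck.N keys from its configuration
file; here the same ordering rules are applied to constructed inputs so the
fallback behaviour of Example 1 can be observed. The issuermatch wildcard is
ASSUMED to be a case-insensitive glob over the issuer DN string.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

# Constructed configuration mirroring Example 1 on the page.
CONFIG: Dict[str, str] = {
    "ocsp.client.urlcheck.1": "servicelocator",
    "ocsp.client.urlcheck.2": "table",
    "ocsp.client.urlcheck.2.table.1.issuermatch": "*o=Acme*",
    "ocsp.client.urlcheck.2.table.1.url": "http://ocsp.acme.com/ca01",
}


def table_entries(config: Dict[str, str], prefix: str) -> List[Tuple[str, str]]:
    """Collect (issuermatch, url) pairs for <prefix>.table.M.* keys, in M order."""
    entries = []
    m = 1
    while f"{prefix}.table.{m}.url" in config:
        pattern = config.get(f"{prefix}.table.{m}.issuermatch", "*")
        entries.append((pattern, config[f"{prefix}.table.{m}.url"]))
        m += 1
    return entries


def issuer_matches(pattern: str, issuer_dn: str) -> bool:
    """Assumed semantics: glob match on the lower-cased issuer DN string."""
    return fnmatchcase(issuer_dn.lower(), pattern.lower())


def candidate_urls(config: Dict[str, str], issuer_dn: str,
                   aia_ocsp_url: Optional[str] = None) -> List[str]:
    """Return the OCSP URLs in the order the urlcheck chain would try them.

    aia_ocsp_url models the serviceLocator / authorityInformationAccess URL
    carried with the request; None means the certificate had no OCSP URL.
    """
    urls: List[str] = []
    n = 1
    while f"ocsp.client.urlcheck.{n}" in config:
        kind = config[f"ocsp.client.urlcheck.{n}"]
        if kind == "servicelocator":
            if aia_ocsp_url:
                urls.append(aia_ocsp_url)
        elif kind == "table":
            for pattern, url in table_entries(config, f"ocsp.client.urlcheck.{n}"):
                if issuer_matches(pattern, issuer_dn):
                    urls.append(url)
        n += 1
    return urls


def resolve(config: Dict[str, str], issuer_dn: str, aia_ocsp_url: Optional[str],
            query: Callable[[str], bool]) -> Optional[str]:
    """Try each candidate in order; query(url) returns True when the response is valid.

    Returns the URL that produced a valid response, or None when every
    candidate failed (the chain is exhausted).
    """
    for url in candidate_urls(config, issuer_dn, aia_ocsp_url):
        if query(url):
            return url
    return None


if __name__ == "__main__":
    # Constructed scenario: the certificate's AIA points at a responder that is
    # down, so the chain falls through to the Acme table entry.
    acme_issuer = "cn=Acme CA01,o=Acme,c=SE"
    upstream_ok = lambda url: url.startswith("http://ocsp.acme.com")
    print(candidate_urls(CONFIG, acme_issuer, "http://ocsp.example.net"))
    print(resolve(CONFIG, acme_issuer, "http://ocsp.example.net", upstream_ok))
    # A certificate from another CA with no AIA URL has no candidates at all.
    print(resolve(CONFIG, "cn=Other CA,o=Other,c=SE", None, upstream_ok))
```

The point worth noticing is that an issuer outside the table with no serviceLocator URL yields an empty candidate list, so the request cannot be answered from any source; that is the case the second bullet above is guarding against.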

Example 2

In this example, a forwarding responder is configured that forwards requests to another responder and returns its responses as leniently as possible: requests for all issuers are forwarded and signature verification of the forwarded response is disabled. Note that with signature checking disabled the responder relays whatever the upstream responder returns without verifying it, so this setup is only appropriate towards an upstream you fully trust; keep signature checking enabled in production deployments.

  • In the OCSP configuration file, specify as follows:

    CODE
    responder.1.type=basic
    responder.1.url=http://*:80
    responder.1.workers=5
    responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=secretPIN1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
    responder.1.forwarding.client.response.allowunknown=true
    responder.1.forwarding.client.response.signature.check=false

Each responder needs a signer to operate, but not necessarily one whose signatures are ever used. If the responder only forwards, any signer can be configured as long as its issuing CA is present in the trust store.
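
For comparison, here is the same forwarding responder with the lenient settings switched back to verifying behaviour. This is an added example written for this page, not taken from the Nexus documentation: the key names are the ones used in Example 2, while the issuer pattern `*o=Acme*`, the HTTPS URL and port for the upstream responder are assumptions chosen for illustration.

```properties
# Added hardened variant of Example 2 (illustration, not Nexus documentation).
responder.1.type=basic
responder.1.url=http://*:80
responder.1.workers=5
responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
responder.1.signer.1.pin=secretPIN1234
responder.1.forwarding.enabled=true
# Assumed issuer pattern: forward only requests for certificates issued by the Acme CA
responder.1.forwarding.onlyforissuer.1=*o=Acme*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*o=Acme*
# Assumed HTTPS endpoint for the upstream responder, so the forwarded
# exchange is protected in transit as well
responder.1.forwarding.client.urlcheck.1.table.1.url=https://ocsp.acme.com
# Both relaxations from Example 2 are turned off: the upstream response
# must carry a valid signature before it is relayed to the client
responder.1.forwarding.client.response.allowunknown=false
responder.1.forwarding.client.response.signature.check=true
```

The differences against Example 2 are confined to the last two lines and the issuer restriction; everything else, including the placeholder signer, stays as it was.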

Example 3

In this example, a forwarding responder is configured that forwards requests over HTTPS and authenticates itself to the upstream responder with a client certificate during the TLS handshake.

  • In the OCSP configuration file, specify as follows:

    CODE
    responder.1.type=basic
    responder.1.url=http://*:8080/forwardclientssl
    responder.1.workers=5
    responder.1.signature.chain=cert
    responder.1.signer.1.issuerdn=cn=Dummy OCSP CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.url=https://otherresponder:8444
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
    responder.1.forwarding.client.authentication.key.pin=1234
