Nexus OCSP Responder

OCSP proxying

This article describes the proxying used in Nexus OCSP Responder. Proxying is configured through responders. For more information, see the OCSP responder section.

Example 1

In this example, two urlcheck parameters are configured in succession.

  • If the OCSP request contains a serviceLocator extension, that is, if the queried certificate contains an authorityInformationAccess extension specifying an OCSP URL, that URL is tried first.

  • If no such URL exists, or if the response is not considered valid, Nexus OCSP Responder checks whether the certificate is issued by the Acme TrustCenter CA and, if so, fetches revocation information from a hardcoded URL.

In the OCSP configuration file, specify as follows:

ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01

Example 2

In this example, a forwarding responder is configured that forwards requests to another responder and returns its responses as leniently as possible: requests for all issuers are forwarded, unknown statuses are allowed, and signature verification of the upstream response is disabled.

  • In the OCSP configuration file, specify as follows:

    responder.1.type=basic
    responder.1.url=http://*:80
    responder.1.workers=5
    responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=secretPIN1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
    responder.1.forwarding.client.response.allowunknown=true
    responder.1.forwarding.client.response.signature.check=false

Each responder needs a signer to operate, but it does not need to be a valid one. If the responder only forwards requests, any signer can be entered as long as its issuing CA is present in the trust store.

Example 3

In this example, a forwarding responder is configured that forwards requests over HTTPS and authenticates itself with a client certificate during the SSL handshake.

  • In the OCSP configuration file, specify as follows:

    responder.1.type=basic
    responder.1.url=http://*:8080/forwardclientssl
    responder.1.workers=5
    responder.1.signature.chain=cert
    responder.1.signer.1.issuerdn=cn=Dummy OCSP CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.url=https://otherresponder:8444
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
    responder.1.forwarding.client.authentication.key.pin=1234
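The following is an added example, not code from Nexus OCSP Responder, that serves Examples 1 to 3 together. It parses the property lines above (embedded here as constructed sample input), walks a urlcheck chain the way Example 1 describes (serviceLocator URL first, then table rows whose issuermatch pattern matches the issuer DN), and audits a forwarding responder for the lenient settings shown in Example 2 and the TLS upstream shown in Example 3. It assumes issuermatch is a case-insensitive glob over the issuer DN string and that absent keys take the safe defaults (signature.check=true, allowunknown=false); the real product's matching rules and defaults should be taken from its documentation.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sample: the urlcheck chain from Example 1 plus the forwarding
# responder from Example 2, in Java-properties form.
EXAMPLE_1_AND_2 = """
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01

responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
responder.1.forwarding.client.response.allowunknown=true
responder.1.forwarding.client.response.signature.check=false
"""

# Constructed sample: the forwarding part of Example 3 (spaces around '=' kept on purpose).
EXAMPLE_3 = """
responder.1.forwarding.enabled = true
responder.1.forwarding.onlyforissuer.1 = *
responder.1.forwarding.client.urlcheck.1 = table
responder.1.forwarding.client.urlcheck.1.table.1.url = https://otherresponder:8444
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch = *
responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: blank lines and '#'/'!' comments are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def urlcheck_steps(props: Dict[str, str], prefix: str) -> List[Tuple[int, str]]:
    """(index, kind) of each <prefix>.urlcheck.N step, in configured order."""
    steps, n = [], 1
    while f"{prefix}.urlcheck.{n}" in props:
        steps.append((n, props[f"{prefix}.urlcheck.{n}"].lower()))
        n += 1
    return steps


def table_rows(props: Dict[str, str], prefix: str, n: int) -> List[Tuple[str, str]]:
    """(issuermatch, url) rows of urlcheck step n; a missing issuermatch means '*'."""
    rows, m = [], 1
    while f"{prefix}.urlcheck.{n}.table.{m}.url" in props:
        rows.append((props.get(f"{prefix}.urlcheck.{n}.table.{m}.issuermatch", "*"),
                     props[f"{prefix}.urlcheck.{n}.table.{m}.url"]))
        m += 1
    return rows


def candidate_urls(props: Dict[str, str], prefix: str,
                   service_locator_url: Optional[str], issuer_dn: str) -> List[str]:
    """OCSP URLs to try, in chain order: serviceLocator first, then matching table rows."""
    urls: List[str] = []
    for n, kind in urlcheck_steps(props, prefix):
        if kind == "servicelocator" and service_locator_url:
            urls.append(service_locator_url)
        elif kind == "table":
            for pattern, url in table_rows(props, prefix, n):
                # Assumption: issuermatch is a case-insensitive glob over the DN string.
                if fnmatch.fnmatchcase(issuer_dn.lower(), pattern.lower()):
                    urls.append(url)
    return urls


def audit_forwarding(props: Dict[str, str], responder: int = 1) -> List[str]:
    """Findings a reviewer would raise on a forwarding responder's settings."""
    p = f"responder.{responder}.forwarding"
    findings: List[str] = []
    if props.get(f"{p}.enabled", "false").lower() != "true":
        return findings
    if props.get(f"{p}.client.response.signature.check", "true").lower() == "false":
        findings.append("signature.check=false")        # upstream responses accepted unverified
    if props.get(f"{p}.client.response.allowunknown", "false").lower() == "true":
        findings.append("allowunknown=true")            # 'unknown' status passed through
    n = 1
    while f"{p}.onlyforissuer.{n}" in props:
        if props[f"{p}.onlyforissuer.{n}"] == "*":
            findings.append(f"onlyforissuer.{n}=*")     # requests for any issuer forwarded
        n += 1
    for n, kind in urlcheck_steps(props, f"{p}.client"):
        if kind != "table":
            continue
        for pattern, url in table_rows(props, f"{p}.client", n):
            if pattern == "*":
                findings.append(f"urlcheck.{n} issuermatch=*")
            if url.lower().startswith("http://"):
                findings.append(f"urlcheck.{n} plain-http upstream: {url}")
    return findings


if __name__ == "__main__":
    props = parse_properties(EXAMPLE_1_AND_2)
    print(candidate_urls(props, "ocsp.client", "http://aia.example.test/ocsp",
                         "CN=Acme TrustCenter CA,O=Acme,C=SE"))
    for name, text in (("Example 2", EXAMPLE_1_AND_2), ("Example 3", EXAMPLE_3)):
        print(name, audit_forwarding(parse_properties(text)))
```

Run as a script it prints the URL order for an Acme-issued certificate and the audit findings for the two forwarding configurations; Example 3 only trips the two wildcard checks because its upstream is HTTPS and it leaves signature verification at the default.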