This article describes a scenario for deployment of Nexus OCSP Responder, when used within an intranet or "test lab" environment. Other requirements may apply, for example, the use of Hardware Security Module (HSM), when you set up Nexus OCSP Responder in a production environment.
- Nexus OCSP Responder is used in an environment that can be considered secure and easily manageable, for instance within an intranet or "test lab" environment.
- OCSP can be carried over HTTP (no TLS).
- The OCSP clients do not need to authenticate themselves to the server, neither through client authentication in TLS, nor by signing the requests.
- No auditing or billing is necessary.
- Access and file permissions given by the operating system are considered enough for sensitive data.
- Security hardware is not necessary to protect the Nexus OCSP Responder's keys; a pin-protected file is enough.
The Nexus OCSP Responder will be used as the local source of revocation information from two external CAs, that are used in the organization's PKI. The CAs periodically publish revocation lists and Nexus OCSP Responder must be configured to download these lists.
The two CAs are:
Publishes a certificate revocation list (CRL) every 6 hours at ldap://directory.acme.com, under the CA object entry
cn=CA01,o=Acme TrustCenter,c=SE, under the LDAP attribute
certificaterevocationlist. Also publishes a delta CRL once every hour to the same location, under the LDAP attribute
Publishes a CRL every 3 hours at .
- Prepare the Nexus OCSP Responder keys and certificate.
- In this case, only an OCSP response signing key pair is needed. The corresponding certificate must be issued by a CA, that is trusted by the connecting clients.
The private key and the OCSP signing certificate can be stored in a Hardware Security Module (HSM) or a .p12 file. In this example a .p12 file is used. The certificate must contain the extendedKeyUsage extension (OID 188.8.131.52), including the OCSP-Signing purpose (OID 184.108.40.206.220.127.116.11.9).
Connecting clients will receive a signed OCSP response. The signature will in turn be validated. It is very easy to trigger a dead-lock situation, having clients asking the Nexus OCSP Responder about the status of the responder's own signature certificate. To avoid this situation, it is recommended that the OCSP signature certificate also contains the OCSP NoCheck extension (OID 18.104.22.168.22.214.171.124.1.5). Also, consider the possible security ramifications of adding this extension (revoking this certificate will have no effect).
In this example, the OCSP responder certificate is issued by the local organization's own CA, and contains the following extensions:
Collect information about trusted certificates.
Make sure you have the certificates of the external CAs, as well as the CA certificate used to sign the OCSP signing certificate.
Install Nexus OCSP Responder on a (dedicated) machine. See Install and upgrade Nexus OCSP Responder.
Install the OCSP signing certificate.
Copy the file containing the OCSP responder private key and certificate locally to the machine where Nexus OCSP Responder is installed.
Point out the location of the file in ocsp.conf.
- Set up the trust store.
Use the certadm tool to add all certificates used for terminating trusted certificate chains.
In this example, those certificates would be:
the Acme TrustCenter CA certificate
the Bank X CA certificate
the local root CA certificate
% cd <ocsp install directory>/bin
% certadm new --store=../certs/trust.store
% certadm add --store=../certs/trust.store --file=acmeca.crt
% certadm add --store=../certs/trust.store --file=bankxca.crt
% certadm add --store=../certs/trust.store --file=rootca.crt
% certadm list --store=../certs/trust.store
(1) cn=CA01,o=Acme TrustCenter,c=SE
(2) cn=Customer CA,o=Bank X,c=US
(3) cn=Local CA,o=OurCompany,c=SE
- Open the configuration file ocsp.conf for editing.
This file is by default located in the config directory under the installation directory in Linux environments, and under C:\ProgramData\Nexus\ocsp\config in Windows environments.
- Specify a validator that works against CRLs. See Validation section.
- Add CRL providers that will periodically pull CRLs to the local CRL cache.
Specify the provider for the Acme TrustCenter CRL. Use the output of the certadm program when entering the LDAP URL, to ensure to get the object entry correct (cut & paste).CODE
ocsp.validation.1.type=crl ocsp.validation.1.provider.1.type=pull ocsp.validation.1.provider.1.url.1=ldap://directory.acme.com/ cn=CA01,o=Acme TrustCenter,c=SE?certificaterevocationlist
Add another provider for the the Acme TrustCenter delta CRL.CODE
ocsp.validation.1.provider.2.type=pull ocsp.validation.1.provider.2.url.1=ldap://directory.acme.com/ cn=CA01,o=Acme TrustCenter,c=SE?deltarevocationlist
Add a provider for the Bank X CRL.CODE
Use the default settings in this scenario.
- Allow requests to come in from all network interfaces.
- The load on the machine is unknown, but allow a maximum of 10 requests to be processed simultaneously.
- At the same time, it safeguards against flooding the computer CPU usage at times with intense loads.
- Assume that there is no web server or other application that will cause conflicts when using port 80 (the default HTTP port).
Configure the responders:CODE
responder.1.type=basic responder.1.url=http://*:80/ responder.1.workers=10
To configure the responder key, specify a trusted issuer and a responder certificate found in a key store. The certificate is identified by a simple certificate matching pattern; in this case the CN portion of the responder certificate subject DN, as is.CODE
responder.1.signer.1.issuerdn=cn=CA01,o=Acme TrustCenter,c=SE responder.1.signer.1.certificate=cn=Local OCSP Responder responder.1.signer.1.pin=secretPIN1234
Specify where to find this certificate and key. In this example, a PKCS #12 file is used.CODE
- Use the default settings in this scenario. See Log messages and log filters.
- Start the system.
- Examine the logs for any "critical" or "error" messages.
- To double-check that the CRL providers are downloading CRLs, look in the CRL cache directory (default <ocsp installdir>/crls on Linux, or %ALLUSERSPROFILE%\Nexus\ocsp\crls on Windows).
- Configure all OCSP clients to point their OCSP questions to the HTTP URL specified in the "Configure Nexus OCSP Responder, part 2: Responder" section above.
- The system can be left as-is until it is time to renew the responder certificate.