OCSP proxying
This article describes the proxying used in Nexus OCSP Responder. Proxying is configured through responders. For more information, see the OCSP responder section.
Example 1
In this example, two urlcheck parameters are configured in succession. If the OCSP request contains a serviceLocator extension, that is, if the queried certificate contains an authorityInformationAccess extension specifying an OCSP URL, that URL is tried first. If no such URL exists, or if the response obtained from it is not considered valid, Nexus OCSP Responder checks whether the certificate was issued by the Acme TrustCenter CA and, if so, uses a hardcoded URL to fetch revocation information.
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
Example 2
In this example, a forwarding responder is configured that forwards requests to another responder and returns responses as leniently as possible, by allowing all issuers and disabling verification of the forwarded response.
In the OCSP configuration file, specify as follows:
responder.1.type=basic
responder.1.url=http://*:80
responder.1.workers=5
responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
responder.1.signer.1.pin=secretPIN1234
responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
responder.1.forwarding.client.response.allowunknown=true
responder.1.forwarding.client.response.signature.check=false
Each responder needs a signer to operate, but not necessarily a valid one. If the responder only forwards requests, any signer can be entered as long as its CA is present in the trust store.
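The following Python model, added here as an illustration and not part of Nexus OCSP Responder or its documentation, shows the two behaviours described in Example 1 and Example 2: how the urlcheck chain picks a forwarding URL (servicelocator first, then the issuermatch table, falling through when a response is rejected), and which settings in the Example 2 responder make it lenient. The property parser, the glob matching of issuermatch against the issuer DN, the is_valid callback standing in for response validation, the severity labels, and the assumed meaning of allowunknown are all this example's own.

```python
from fnmatch import fnmatch
from typing import Callable, Optional

# Constructed copies of the configuration lines from Example 1 and Example 2.
EXAMPLE_1 = """
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
"""
EXAMPLE_2 = """
responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
responder.1.forwarding.client.response.allowunknown=true
responder.1.forwarding.client.response.signature.check=false
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def numbered(props: dict, prefix: str) -> list:
    """Values of <prefix>.1, <prefix>.2, ... in order, stopping at the first gap."""
    values, n = [], 1
    while f"{prefix}.{n}" in props:
        values.append(props[f"{prefix}.{n}"])
        n += 1
    return values


def table_entries(props: dict, check_prefix: str) -> list:
    """(issuermatch, url) pairs of <check_prefix>.table.M in order."""
    entries, m = [], 1
    while f"{check_prefix}.table.{m}.url" in props:
        pattern = props.get(f"{check_prefix}.table.{m}.issuermatch", "*")
        entries.append((pattern, props[f"{check_prefix}.table.{m}.url"]))
        m += 1
    return entries


def resolve_ocsp_url(props: dict, prefix: str, issuer_dn: str,
                     aia_ocsp_url: Optional[str],
                     is_valid: Callable[[str], bool]) -> Optional[str]:
    """Walk <prefix>.urlcheck.N in order; return the first URL whose response is accepted.

    aia_ocsp_url is the OCSP URL from the certificate's authorityInformationAccess
    (None if absent). is_valid(url) stands in for fetching and validating the
    response, so a rejected response falls through to the next check.
    """
    for n, kind in enumerate(numbered(props, f"{prefix}.urlcheck"), start=1):
        candidates = []
        if kind.lower() == "servicelocator" and aia_ocsp_url:
            candidates.append(aia_ocsp_url)
        elif kind.lower() == "table":
            for pattern, url in table_entries(props, f"{prefix}.urlcheck.{n}"):
                # issuermatch is modelled as a case-insensitive glob over the issuer DN
                if fnmatch(issuer_dn.lower(), pattern.lower()):
                    candidates.append(url)
        for url in candidates:
            if is_valid(url):
                return url
    return None


def audit_forwarding(props: dict, responder: int = 1) -> list:
    """(severity, message) findings for lenient settings of a forwarding responder."""
    base = f"responder.{responder}.forwarding"
    findings = []
    if props.get(f"{base}.enabled", "").lower() != "true":
        return findings  # not a forwarding responder, nothing to audit here
    if props.get(f"{base}.client.response.signature.check", "").lower() == "false":
        findings.append(("high", "signature.check=false: upstream responses are relayed "
                         "without verifying the upstream responder's signature"))
        urls = [u for n in range(1, len(numbered(props, f"{base}.client.urlcheck")) + 1)
                for _, u in table_entries(props, f"{base}.client.urlcheck.{n}")]
        plain = [u for u in urls if u.lower().startswith("http://")]
        if plain:  # no signature check and no TLS: nothing protects response integrity
            findings.append(("high", "unverified responses fetched over plain http from "
                             + ", ".join(plain)))
    if props.get(f"{base}.client.response.allowunknown", "").lower() == "true":
        # assumed meaning of the key: responses with status 'unknown' are passed on
        findings.append(("medium", "allowunknown=true: 'unknown' status responses are relayed"))
    if "*" in numbered(props, f"{base}.onlyforissuer"):
        findings.append(("medium", "onlyforissuer=*: requests for every issuer are forwarded"))
    return findings
```

Running resolve_ocsp_url over EXAMPLE_1 with an Acme issuer DN returns the certificate's own AIA URL when one is present and accepted, the hardcoded http://ocsp.acme.com/ca01 when the AIA URL is missing or its response is rejected, and None for an issuer the table does not match. audit_forwarding over EXAMPLE_2 reports the disabled signature check (and the plain-http upstream that it leaves unprotected), the allowunknown setting and the wildcard issuer filter; with those three keys tightened it reports nothing.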
Example 3
In this example, a forwarding responder is configured that forwards requests using client authentication during the SSL handshake with the other responder.
In the OCSP configuration file, specify as follows:
responder.1.type=basic
responder.1.url=http://*:8080/forwardclientssl
responder.1.workers=5
responder.1.signature.chain=cert
responder.1.signer.1.issuerdn=cn=Dummy OCSP CA,c=SE
responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
responder.1.signer.1.pin=1234
responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.url=https://otherresponder:8444
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
responder.1.forwarding.client.authentication.key.pin=1234