OCSP responder section
This article includes updates for Nexus OCSP Responder 6.3.0.
This article describes how to specify the OCSP responders that shall handle the incoming OCSP requests (these OCSP responders are referred to as 'the logical OCSP responders', for more information, see Nexus OCSP Responder architecture overview). The specification is done in the "OCSP responder" section of the Nexus OCSP Responder configuration file. There are predefined OCSP responders with different semantics. Use the type
parameter to specify which one to use. The workflows for different types of OCSP responders are described in Workflow for Nexus OCSP Responders.
A responder may also forward the request to a remote OCSP responder.
Each responder can support multiple CAs.
Configure a signer for each CA that the responder should support.
In the responders, configure each CA that shall be supported.
The responder replies with status 'Unknown' to OCSP requests for certificates issued by CAs that the responder is not responsible for. When receiving requests related to CAs that are not supported, the first configured signer is used to sign the response. This means that a default "dummy" signing certificate can be configured as the first supported issuer/signer for responding to irrelevant or malicious requests.
Specify the OCSP responders
It is mandatory to specify at least one responder and set the following parameters:
...type
...url
...workers
...signer.x.issuerdn
...signer.x.dn
...signer.x.pin
Authentication, authorization and billing are disabled by default.
For each OCSP responder, specify as follows in the OCSP configuration file:
responder.<r#>.type=[basic|cached|identrus-basic|identrus-cached|non-issued-basic|non-issued-cached|fallback]
responder.<r#>.url=[http|https]://<host>[:<port>][/<path>]
; ssl node
responder.<r#>.ssl.clientauth=[true|false]
responder.<r#>.ssl.certificate=<certificate pattern>
responder.<r#>.ssl.pin=<PIN>
responder.<r#>.ssl.cipher=<cipher suites>
responder.<r#>.ssl.protocol=<protocols>
responder.<r#>.workers=<# of workers>
responder.<r#>.connections=<# of connections>
responder.<r#>.socketreadtimeout=<socket read timeout>
responder.<r#>.forwarding.enabled=[true|false]
; signer node
responder.<r#>.signer.<s#>.issuerdn=<distinguished name>
responder.<r#>.signer.<s#>.certificate=<certificate pattern>
responder.<r#>.signer.<s#>.signingalgorithm=<algorithmname>
responder.<r#>.signer.<s#>.pin=<PIN>
responder.<r#>.signer.<s#>.setnextupdate=[true|false]
; fallback node
responder.<r#>.fallback.certificate=<certificate pattern>
responder.<r#>.fallback.pin=<PIN>
responder.<r#>.fallback.truststore=<folder path>
responder.<r#>.fallback.url=<url>
responder.<r#>.fallback.checkonhold=[true|false]
responder.<r#>.archivecutoff=[true|false]
See this table for description of constants and values:
Configuration | Description | Type description | Example |
---|---|---|---|
| Defines the type of responder, the following responder types are available :
| The responder Type, :
|
|
| Listening address of the responder |
|
|
| SSL configuration for the responder (https only).
|
|
|
| The number of requests that can be handled simultaneously. The optimal value depends on the number of processors, processing power and memory. Default: |
| |
| Configuration for the responder’s signer. Multiple signers can be defined per responder by simply incrementing the signer index: For more information and examples see: key-management-section.
|
| |
| Expiry Check is a service that sends reminder logs when a responder' signer certificate is about to expire. For more information on how to configure this service check out the OCSP expiry Check page. |
| |
| The number of requests that can be handled simultaneously. The optimal value depends on the number of processors, processing power and memory. Default: 2000 |
| |
|
Default: |
|
|
| This parameter defines if forwarding should be enabled. Read more in "Specify forwarding of requests" below. Default: |
| |
| Defines if the This extension will utilize the value from the Default: |
| |
| This configuration node is specific to the For more information about this responder's configuration see: fallback responder page. |
|
Specify limitations on incoming requests
To read more regarding access control, see Access control and billing.
Specify limitations on the incoming requests to the OCSP responder as follows:
CODEresponder.<r#>.incoming.signature.required=[true|false] responder.<r#>.incoming.authorization=[none|bynamematch|byauthentication]
If you enter
bynamematch
you also have to specify a table of rules to find a match of the distinguished name as follows:CODEresponder.<r#>.incoming.authorization.match.<n#>=<distinguished name>
See also Distinguished name matching and Access control and billing.
In addition, you can also use a certificate pattern to filter allowed client requests, specify as follows:
CODEresponder.<r#>.incoming.filter.<n#>=<certificate pattern>
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| Enter Default: |
| This configures authorization of the client certificate. If the request is signed, that certificate will be verified during authorization. Otherwise the client certificate used in the TLS handshake will be verified.
Default: |
| Replace |
| Replace |
| A certificate pattern as described in Introduction to LDAP. Filters authenticated certificates on certificate attributes (part of the authorization scheme). Default is not to filter, which allows any authenticated certificate to bypass the filter mechanism. |
Specify responder and responses
In the OCSP configuration file, specify as follows:
CODEresponder.<r#>.signature.enforceocspsign=[true|false] responder.<r#>.signature.othercerts=[none|byname|bykey] responder.<r#>.signature.chain=[none|cert|chain|allchains] responder.<r#>.signature.chain.includeroot=[true|false] responder.<r#>.responderid=[byname|bykey|byski] responder.acceptPlusSignInRequests=[true|false] responder.endSpaceInHttpStatusLine=[true|false]
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| Enter Default: If this parameter is set to |
|
Default: none The parameter |
|
Default: |
| Enter Default: This parameter is relevant only when |
|
Default: |
| Set this parameter to Default: |
| Use this parameter to align HTTP responses with RFC9112 by adding a space after the status code, even if there isn't a reason-phrase. If set to Default: |
Specify billing information
Billing is described in Access control and billing.
In the OCSP configuration file, specify as follows:
CODEresponder.<r#>.billing.enabled=[true|false] responder.<r#>.billing.perrequest=[true|false] responder.<r#>.billing.percert=[true|false] responder.<r#>.billing.countunknown=[true|false] responder.<r#>.billing.includestatus=[true|false]
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| Enter Default: |
| Enter Default: |
| Enter Default: |
| Enter Default: |
| Enter Default: |
Specify forwarding of requests
Forwarding of requests is carried out by the back end OCSP client, which by default will use the settings you made in Back end client section, section"Specify OCSP client request". To override any of these settings, add a new specification here.
Use the same syntax as described for the back end client but replace
ocsp.client
withresponder.<r#>.forwarding.client
, where<r#>
is the responder sequence number.
Example:
In this example, forwarding is enabled for queries related to certificates issued by the My CA authority.
responder.2.type=basic
responder.2.forwarding.enabled=true
responder.2.forwarding.client.response.allowunknown = true
responder.2.forwarding.onlyforissuer.1=cn=My CA,o=ACME Inc,c=SE
responder.2.forwarding.responseWhenInvalidResponseFromBackEndClient=internalerror
These three settings are also available:
This setting allows the back end client to modify the request before it is sent to another responder. OCSP forwarding really means "send the message, as it is, to another responder".
Default:false
CODEresponder.<r#>.forwarding.modify-request=[true|false]
This setting defines a match table for what issuers that OCSP forwarding should be enabled for. <
issuermatch
> is matched against the issuer DN. Wildcards are allowed.CODEresponder.<r#>.forwarding.onlyforissuer.<n#>=<issuermatch>
If the back end client receives a valid response, this response is sent to the requesting client and the validation is finished. The parameter
responseWhenInvalidResponseFromBackEndClient
controls what Nexus OCSP Responder will do if the back end client failed to retrieve a valid response.Enter
unknown
to have Nexus OCSP Responder not respond, but rather continue with other modules, such as CRL/CIL checks. This will most likely result in an "unknown" response to the client. Note that this will cause Nexus OCSP Responder to sign the response using the default signer for that responder.Enter
trylater
to have Nexus OCSP Responder pass back "Try later" in the OCSP response.Enter
internalerror
to have Nexus OCSP Responder pass back "Internal error" in the OCSP response.Default:
trylater
CODEresponder.<r#>.forwarding.responseWhenInvalidResponseFromBackEndClient=[unknown|trylater|internalerror]
Specify freshness proof
For a description of the freshness proof functionality, see Freshness proof.
In the OCSP configuration file, specify as follows for
type=identrus-cached
:CODEresponder.<r#>.freshnessproof.add=[true|false]
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| Enter Default: |
Specify system control
You can configure Nexus OCSP Responder to automatically shut down if an internal error occurs (when the sent OCSP response has internal error status).
In the OCSP configuration file, specify as follows:
CODEresponder.numberOfConsecutiveInternalErrorsBeforeShutdown=<n#>
Replace
<n#>
with the number of consecutive internal error responses to return before shutting the system down. A value below 1 disables the functionality.Default value:
-1
.
Specify ping data
In the OCSP configuration file, specify ping data as follows:
CODEresponder.pingdata=<data>
Replace
<data>
with a string. When an incoming HTTP POST message contains this data in its body, Nexus OCSP Responder will respond with a simple HTTP 200 OK message and no logs will be produced. This can typically be used by a load balancer to frequently check that the server is up without producing excessive log files in Nexus OCSP Responder.
Examples
View examples
Nexus OCSP responder configuration
In the following examples, different responders are configured. Note that these examples are not complete configurations of the Nexus OCSP Responder.
; OCSP Responder configuration
; This responder supports Basic OCSP CA
responder.1.type=basic
responder.1.url=http://*:8080/1
responder.1.workers=5
responder.1.connections=2000
responder.1.signature.chain=cert
responder.1.signer.1.issuerdn=c=SE,cn=Basic OCSP CA
responder.1.signer.1.certificate=c=SE,cn=Basic OCSP Signer
responder.1.signer.1.pin=1234
responder.1.billing.enabled=true
responder.1.billing.percert=true
responder.1.billing.perrequest=true
responder.1.billing.countunknown=true
responder.1.billing.includestatus=true
; This responder supports Test CA A, B and C
; Signing algorithm set to SHA256withRSA
responder.2.type=basic
responder.2.url=http://*:8080/2
responder.2.workers=5
responder.2.connections=2000
responder.2.signature.chain=cert
responder.2.signer.1.issuerdn=c=SE,o=Nexus,cn=Test CA A
responder.2.signer.1.certificate=c=SE,O=Nexus,cn=Test CA A Signer
responder.2.signer.1.signingalgorithm=SHA256withRSA
responder.2.signer.1.pin=1234
responder.2.signer.2.issuerdn=c=SE,o=Nexus,cn=Test CA B
responder.2.signer.2.certificate=c=SE,O=Nexus,cn=Test CA B Signer
responder.2.signer.2.signingalgorithm=SHA256withRSA
responder.2.signer.2.pin=1234
responder.2.signer.3.issuerdn=c=SE,o=Nexus,cn=Test CA C
responder.2.signer.3.certificate=c=SE,O=Nexus,cn=Test CA C Signer
responder.2.signer.3.signingalgorithm=SHA256withECDSA
responder.2.signer.3.pin=1234
responder.2.signer.4.issuerdn=c=SE,o=Nexus,cn=Test CA D
responder.2.signer.4.certificate=c=SE,O=Nexus,cn=Test CA D Signer
responder.2.signer.4.signingalgorithm=Ed25519
responder.2.signer.4.pin=1234
; Specify the PKCS#12 key stores for the different signing certificates.
key.store.store.1=basic-ca-signer.p12
key.store.store.1.pin=secretPIN1234
key.store.store.2=generic-integration-test-ca-a-signer.p12
key.store.store.2.pin=secretPIN1234
key.store.store.3=generic-integration-test-ca-b-signer.p12
key.store.store.3.pin=secretPIN1234
key.store.store.4=generic-integration-test-ca-c-signer.p12
key.store.store.4.pin=secretPIN1234
key.store.store.5=generic-integration-test-ca-d-signer.p12
key.store.store.5.pin=secretPIN1234
Nexus OCSP responder proxy configuration
Use this sample configuration to set up Nexus OCSP Responder to forward all incoming OCSP requests to another (OCSP) responder:
Example 1
; This responder supports all CAs and forwards to another responder
responder.1.type=basic
responder.1.url=http://*:8080/1
responder.1.workers=5
responder.1.connections=2000
responder.1.signature.chain=cert
responder.1.signer.1.issuerdn=c=SE,cn=Basic OCSP CA
responder.1.signer.1.certificate=c=SE,cn=Basic OCSP Signer
responder.1.signer.1.pin=1234
responder.1.forwarding.enabled = true
responder.1.forwarding.onlyforissuer.1=*
; Configure the ocsp client for this responder
responder.1.forwarding.client.request.usecache=false
responder.1.forwarding.client.request.http.method=post
responder.1.forwarding.client.request.signature.chain=none
responder.1.forwarding.client.response.allowunknown=true
responder.1.forwarding.client.response.signature.check=false
responder.1.forwarding.client.response.chain.validate=false
responder.1.forwarding.client.urlcheck.1 = table
responder.1.forwarding.client.urlcheck.1.table.1.url = http://otherhost:8080/
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch = *
; Specify the PKCS#12 key store for the signing certificate.
key.store.store.1=basic-ca-signer.p12
key.store.store.1.pin=secretPIN1234
Use this sample configuration to set up Nexus OCSP Responder to forward all incoming OCSP requests to another (OCSP) responder using client authentication:
Example 2
; This rsponder supports all CAs and forwards to another responder
responder.1.type=basic
responder.1.url=http://*:8080/1
responder.1.workers=5
responder.1.signature.chain=cert
responder.1.signer.1.issuerdn=c=SE,cn=Basic OCSP CA
responder.1.signer.1.certificate=c=SE,cn=Basic OCSP Signer
responder.1.signer.1.pin=1234
responder.1.forwarding.enabled = true
responder.1.forwarding.onlyforissuer.1 = *
; Configure the ocsp client for this responder
responder.1.forwarding.client.urlcheck.1 = table
responder.1.forwarding.client.urlcheck.1.table.1.url = https://otherhost:8444
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch = *
responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=TLS Client
responder.1.forwarding.client.authentication.key.pin=1234
; Specify the PKCS#12 key store for the signing and TLS certificate.
key.store.store.1=basic-ca-signer.p12
key.store.store.1.pin=secretPIN1234
key.store.store.2=tls-client.p12
key.store.store.2.pin=1234