OCSP Responder Signer Expiry Check
This article is new for Nexus OCSP Responder 6.3.0.
This article describes how to configure Nexus OCSP Responder Expiry Check.
Introduction
Expiry Check is a service that writes reminder log messages when a responder's signer certificate is about to expire. By default, every signer is registered with this service using the default configuration.
When a signer's certificate is about to expire, a log event of type "ExpiryCheck" is triggered. Once the remaining lifetime of the signer's certificate falls below the configured warning threshold, a warning-level message is logged. Once it falls below the severe threshold, or once the certificate has already expired, a severe-level message is logged instead.
Expiry Check configuration
Configuration can be done at either the signer level or the responder level. The more specific configuration (signer level) always takes precedence. If no configuration is given at either level, the default applies.
Expiry Check has four configuration parameters (the parameter names are the suffixes used in the examples below):
Parameter | Default value | Description
---|---|---
expiryCheck.disable | false | Specifies whether or not to disable the Expiry Check Service.
expiryCheck.period=<time expr> | 24 hours | Specifies how frequently the Expiry Check Service will execute. By default, the check is performed every 24 hours.
expiryCheck.warningBefore=<time expr> | 30 days | Specifies the time period before the signer's expiry date at which a warning log should be sent. By default, 30 days before the signer's expiry date.
expiryCheck.severeBefore=<time expr> | 7 days | Specifies the time period before the signer's expiry date at which a severe log should be sent. By default, 7 days before the signer's expiry date.
<time expr> should follow the ISO-8601 duration format.
Example configuration for a signer:
responder.1.signer.1.expiryCheck.disable=false
responder.1.signer.1.expiryCheck.period=P24H
responder.1.signer.1.expiryCheck.warningBefore=P30D
responder.1.signer.1.expiryCheck.severeBefore=P5D
Example configuration for a responder (every signer of this responder inherits this configuration):
;responder.1.expiryCheck.disable=false
;responder.1.expiryCheck.period=P24H
;responder.1.expiryCheck.warningBefore=P30D
;responder.1.expiryCheck.severeBefore=P5D
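The precedence rule (signer level, then responder level, then default) and the warning/severe thresholds described above, as an added worked example that is not Nexus code: it models the decision the Expiry Check makes for one signer, using a constructed configuration. The function names, the duration parser and the sample values are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical model of the Expiry Check decision; `period` only schedules how often
# the check runs and is not modelled here.
DEFAULTS = {"disable": "false", "period": "P24H", "warningBefore": "P30D", "severeBefore": "P7D"}
# Days and hours only. Strict ISO-8601 puts hours after a 'T' (PT24H); the page's
# example writes P24H, so the 'T' is accepted as optional here.
DURATION_RE = re.compile(r"^P(?:(?P<d>\d+)D)?(?:T?(?:(?P<h>\d+)H)?)?$")

def parse_duration(text):
    m = DURATION_RE.match(text.strip())
    if not m or (m.group("d") is None and m.group("h") is None):
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(days=int(m.group("d") or 0), hours=int(m.group("h") or 0))

def resolve(config, responder, signer, key):
    # most specific wins: signer level, then responder level, then the default
    for prefix in (f"responder.{responder}.signer.{signer}.", f"responder.{responder}."):
        value = config.get(f"{prefix}expiryCheck.{key}")
        if value is not None:
            return value
    return DEFAULTS[key]

def expiry_check(config, responder, signer, not_after, now):
    # returns the ExpiryCheck log level ('warning'/'severe') or None if nothing is due
    if resolve(config, responder, signer, "disable").lower() == "true":
        return None
    remaining = not_after - now  # negative once the certificate has already expired
    if remaining <= parse_duration(resolve(config, responder, signer, "severeBefore")):
        return "severe"
    if remaining <= parse_duration(resolve(config, responder, signer, "warningBefore")):
        return "warning"
    return None

# Constructed sample: responder-wide warning window, a tighter severe window on
# signer 1, signer 2 opted out, signer 3 left entirely to the defaults.
SAMPLE_CONFIG = {
    "responder.1.expiryCheck.warningBefore": "P30D",
    "responder.1.signer.1.expiryCheck.severeBefore": "P5D",
    "responder.1.signer.2.expiryCheck.disable": "true",
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def check_at(signer, days_left):
    # evaluate signer `signer` of responder 1 with `days_left` days until notAfter
    return expiry_check(SAMPLE_CONFIG, 1, signer, NOW + timedelta(days=days_left), NOW)
```

Running `check_at(1, 6)` yields "warning" (6 days is inside the 30-day window but outside signer 1's 5-day severe window), while `check_at(3, 6)` yields "severe" because signer 3 inherits the 7-day default.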
Logging configuration example
It is possible to filter ExpiryCheck messages by specifying "type=ExpiryCheck" in the logger filter configuration.
Example: Omit Expiry Check messages (the filter belongs to the same logger index as the type and prefix)
agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.1.filter = !type=ExpiryCheck
Example: Write ExpiryCheck messages only
agent.log.4.type = file
agent.log.4.prefix = log/ocsp-expiry-check
agent.log.4.filter = type=ExpiryCheck
Example: Write severe ExpiryCheck messages to syslog
agent.log.5.type = syslog
agent.log.5.port = 10514
agent.log.5.host = localhost
agent.log.5.facility = user
agent.log.5.filter = type=ExpiryCheck & severity=severe