The Online Certificate Status Protocol (OCSP) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. An OCSP responder is a web service that tells a client whether a given certificate is good, revoked or unknown, and it signs each response with its own OCSP signing certificate, which the client verifies. OpenSSL/LibreSSL can act as an OCSP responder on its own, but in this post I will set up an OCSP responder based on LibreSSL that is served via a CGI script on the Apache web server.

I will cover creating the necessary key and certificate for the responder, starting a test responder based on OpenSSL, and verifying a server certificate from both OpenSSL and Firefox. I will then move on to a more permanent setup behind the Apache web server.

OCSP Configuration

Create the OCSP Directory Structure

# mkdir /etc/ssl/ocsp.pbdigital.org
# cd /etc/ssl/ocsp.pbdigital.org/
# mkdir private
# chmod 700 private

Create a Certificate for OCSP Signing

On the OCSP server, create a key and certificate signing request. Note that without -nodes, openssl req encrypts the key with a passphrase. That is fine for the interactive test responder below, but the CGI responder runs without a terminal and needs an unencrypted key (openssl rsa -in encrypted.key -out plain.key strips the passphrase when you get to that step).

# openssl req -new -newkey rsa:2048 -subj "/C=ES/O=pbdigital.org/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr 
# scp root-ocsp.csr root@ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/csr/

Back on the CA server, create the certificate once the CSR has been copied over. The ocsp_ext section of root-ca.cnf (from the previous post) must set extendedKeyUsage to OCSPSigning: that extension is what allows clients to accept a response signed by this delegated responder rather than by the CA itself.

# openssl ca -config root-ca.cnf -in csr/root-ocsp.csr -out certs/root-ocsp.crt -extensions ocsp_ext -days 90 

Again on the OCSP server, grab the certificates needed for the OCSP Responder.

# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/certs/root-ocsp.crt .
# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/root-ca.crt .

Copy the “db directory” & Start the OCSP Responder

We need to transfer the db directory from the CA server. It holds the CA's certificate database (the index file), which is the responder's only source of truth about which certificates have been issued and which have been revoked. Transfer the db files from the CA to the OCSP server.

ca# scp -r /etc/ssl/ca.pbdigital.org/db ocsp.pbdigital.org:/etc/ssl/ocsp.pbdigital.org/

We will have to transfer the db directory again each time we issue or revoke a certificate. Until the copy is refreshed, the responder keeps answering from the old index, so a freshly revoked certificate is still reported as good. Only the db directory is copied; the CA private key stays on the CA server.

Start the OCSP Responder

# openssl ocsp -port 9080 -index /etc/ssl/ocsp.pbdigital.org/db/index -rsigner /etc/ssl/ocsp.pbdigital.org/root-ocsp.crt -rkey /etc/ssl/ocsp.pbdigital.org/private/root-ocsp.key -CA /etc/ssl/ocsp.pbdigital.org/root-ca.crt -text

That is our OCSP responder set up. It works for testing but is too fragile for a real responder: it implements only a minimal HTTP (POST only), handles requests serially, and any invalid request will cause the process to exit.

Test the Operation of the OCSP Responder

This example checks the server certificate we created in the previous post.

user$ openssl ocsp -issuer root-ca.crt -CAfile root-ca.crt -cert server.crt -url http://ocsp.pbdigital.org:9080
Response verify OK
server.crt: good
	This Update: Oct 28 15:50:15 2019 GMT

As you can see, the OCSP responder reports the certificate as good, i.e. not revoked. "Response verify OK" means the response signature chained to the CA given with -CAfile and the signer was either that CA or, as here, a delegated responder certificate carrying the OCSPSigning extended key usage issued by it.

Testing a Revoked Certificate with Firefox

When we access a website whose certificate has been revoked, Firefox shows the following error page. For this to be reliable we need to configure Firefox to hard-fail OCSP checks, which I discuss next.

(Screenshot: Firefox "Cert Revoked" error page)

The page above assumes that security.OCSP.require is set to true in Firefox's about:config. Change it as shown below so that revocation is actually enforced. With the default (false) Firefox soft-fails: a definitive "revoked" answer is still rejected, but if the responder cannot be reached or returns an error the certificate is accepted anyway.

(Screenshot: about:config with security.OCSP.require set to true)

Note: Firefox does not perform OCSP validation for TLS client certificates; the status of a client certificate is for the server side to check. You will need to build this into the web application if you need that extra security. If you use the Django framework, the pyca/cryptography library provides an x509.ocsp module for building OCSP requests and parsing responses.

Create an OCSP Responder to be run on Apache Server

Once we are happy with the OpenSSL test responder, it is time for a more robust implementation behind the Apache web server: Apache handles the HTTP side, and a CGI script hands each POSTed DER request to openssl ocsp in file mode and returns the DER response.

The following CGI script serves this purpose.

/var/www/cgi-bin/ocsp.cgi

#!/bin/sh
# Runs as the web server user: that user must be able to read $RKEY and
# $INDEX, and the key must not be passphrase-protected (there is no tty).

HYPERLINK="http://pbdigital.org/blog/openbsd/libressl/2019/08/01/CA-OCSP-openbsd.html"
BASEDIR="/etc/ssl/ocsp.pbdigital.org"
INDEX="$BASEDIR/db/index"
CA="$BASEDIR/root-ca.crt"
RSIGNER="$BASEDIR/root-ocsp.crt"
RKEY="$BASEDIR/private/root-ocsp.key"

# printf rather than echo -e: -e is not POSIX and not every /bin/sh accepts it.
intro ()
{
  OPENSSLVERSION=$(openssl version)
  printf 'Content-type: text/html\n\n'
  printf 'OCSP Interface (%s)\n\n' "$OPENSSLVERSION"
}

invalidInput ()
{
  intro
  printf 'Invalid OCSP request.\n'
  echo "See $HYPERLINK for details."
}

case "$REQUEST_METHOD" in
  "GET")
    intro
    echo "<br>See <a href=\"$HYPERLINK\">$HYPERLINK</a> for details."
    ;;

  "POST")
    if [ "$CONTENT_TYPE" = "application/ocsp-request" ]; then
      RESP=$(mktemp) || exit 1
      # Read the DER request from stdin and write the DER response to a
      # temporary file. openssl's own status text goes to stdout, so it is
      # discarded here rather than sent to the client; -noverify skips
      # verifying our own signature; -nmin 5 sets nextUpdate 5 minutes ahead.
      if openssl ocsp -index "$INDEX" -CA "$CA" -rkey "$RKEY" -rsigner "$RSIGNER" \
           -nmin 5 -noverify -reqin /dev/stdin -respout "$RESP" >/dev/null; then
        printf 'Content-type: application/ocsp-response\n\n'
        cat "$RESP"
      else
        # openssl's error text went to stderr, i.e. Apache's error log.
        printf 'Status: 500 Internal Server Error\n'
        invalidInput
      fi
      rm -f "$RESP"
    else
      invalidInput
    fi
    ;;

  *)
    invalidInput
    ;;
esac

This will need to be made executable and placed in the Apache cgi-bin directory.

You will also need to make sure the permissions on root-ocsp.key are right for the CGI script to work: the script runs as the web server's user, which must be able to read the key, the two certificates and the db directory, while nobody else should be able to read the key. The key must also be unencrypted, since the script cannot answer a passphrase prompt.

Before testing this, we need to go back and start from scratch by editing the root-ca.cnf file and making sure the ocsp_url directive points to the CGI script, so that newly issued certificates carry the responder's URL.

ocsp_url                = http://ocsp.$domain_suffix/cgi-bin/ocsp.cgi

You will need to create the root and server certs once again, and also the OCSP db directory, so that the new URL ends up in the certificates. Basically you will need to follow this post and the previous one all over again to make sure everything is set to go. Nothing like repetition to learn a subject =).
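To see the whole flow end to end without a second host, here is an added, self-contained example; it is not code from the original post. It builds a throwaway CA, a delegated OCSP signer and one server certificate in a temporary directory, then runs the exchange that both the port-9080 test responder and the CGI script perform: the client writes a DER request, the responder answers it from its copy of the CA's index with the same file-mode openssl ocsp invocation the CGI uses, and the client verifies the signed answer against the root. It then revokes the server certificate and shows that the responder keeps saying good until the db copy is refreshed. The hostnames (demo.test), subjects, AIA URL and directory layout are made up for the demo; it needs only openssl (OpenSSL or LibreSSL) and a POSIX sh.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA, a delegated OCSP signer and one server
# certificate, then OCSP round trips before/after revocation. All names
# (demo.test, the directory layout) are placeholders, not the post's hosts.
set -eu

# Build the CA under $1/ca and the responder's files under $1/ocsp.
setup_demo_pki() {
  ca=$1/ca; ocsp=$1/ocsp
  mkdir -p "$ca/db" "$ca/private" "$ca/newcerts" "$ocsp/db" "$ocsp/private"
  chmod 700 "$ca/private" "$ocsp/private"
  : > "$ca/db/index"; echo 1000 > "$ca/db/serial"
  cat > "$ca/root-ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/db/index
new_certs_dir = \$dir/newcerts
serial = \$dir/db/serial
certificate = \$dir/root-ca.crt
private_key = \$dir/private/root-ca.key
default_md = sha256
default_days = 90
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ ocsp_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityInfoAccess = OCSP;URI:http://ocsp.demo.test/cgi-bin/ocsp.cgi
EOF
  # Self-signed root.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$ca/root-ca.cnf" \
    -extensions v3_ca -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$ca/private/root-ca.key" -out "$ca/root-ca.crt" >/dev/null 2>&1
  # The responder key stays on the responder; only the CSR goes to the CA and
  # only the signed certificate (OCSPSigning EKU) comes back.
  openssl req -new -newkey rsa:2048 -nodes -config "$ca/root-ca.cnf" \
    -subj "/CN=OCSP Root Responder" -keyout "$ocsp/private/root-ocsp.key" \
    -out "$ca/root-ocsp.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$ca/root-ca.cnf" -extensions ocsp_ext \
    -in "$ca/root-ocsp.csr" -out "$ocsp/root-ocsp.crt" >/dev/null 2>&1
  cp "$ca/root-ca.crt" "$ocsp/root-ca.crt"
  # Server certificate whose AIA names the (made-up) CGI responder URL.
  openssl req -new -newkey rsa:2048 -nodes -config "$ca/root-ca.cnf" \
    -subj "/CN=www.demo.test" -keyout "$ca/private/server.key" \
    -out "$ca/server.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$ca/root-ca.cnf" -extensions server_ext \
    -in "$ca/server.csr" -out "$ca/server.crt" >/dev/null 2>&1
}

# The post's "scp -r db": the responder only ever has a copy of the CA database.
sync_db() { cp "$1/ca/db/index" "$1/ocsp/db/index"; }

# Mark the server certificate revoked in the CA database.
revoke_server() {
  openssl ca -batch -config "$1/ca/root-ca.cnf" -revoke "$1/ca/server.crt" >/dev/null 2>&1
}

# One round trip: the client writes a DER request, the responder answers it
# with the same file-mode invocation the CGI script uses, and the client
# verifies the signed answer against the root. Prints good, revoked or unknown.
ocsp_status() {
  ca=$1/ca; ocsp=$1/ocsp
  openssl ocsp -no_nonce -issuer "$ca/root-ca.crt" -cert "$ca/server.crt" \
    -reqout "$1/req.der" >/dev/null
  openssl ocsp -index "$ocsp/db/index" -CA "$ocsp/root-ca.crt" \
    -rsigner "$ocsp/root-ocsp.crt" -rkey "$ocsp/private/root-ocsp.key" \
    -nmin 5 -noverify -reqin "$1/req.der" -respout "$1/resp.der" >/dev/null
  openssl ocsp -no_nonce -issuer "$ca/root-ca.crt" -cert "$ca/server.crt" \
    -CAfile "$ca/root-ca.crt" -respin "$1/resp.der" |
    sed -n 's/^.*server\.crt: \([a-z]*\).*$/\1/p'
}

work=$(mktemp -d)
setup_demo_pki "$work"; sync_db "$work"
echo "issued:                $(ocsp_status "$work")"
revoke_server "$work"
echo "revoked, stale index:  $(ocsp_status "$work")"
sync_db "$work"
echo "revoked, synced index: $(ocsp_status "$work")"
rm -rf "$work"
```

The middle line of the demo is the one that matters operationally: after openssl ca -revoke on the CA, the responder still answers good from its stale index until the db directory is copied again, which is exactly the transfer step described above.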

Wrapping Up

Certificate Authorities are quite a complex subject and deserve more research. You will definitely want to read more about the current state of OCSP and also about OCSP stapling to fully understand how certificate verification works in practice. I highly recommend starting with Ivan Ristić's OpenSSL Cookbook.