OCSP & HTTP CRLs

1. Endpoints

1.1. OCSP Responder

The RIS provides an OCSP responder. It uses MTG-CARA to process OCSP requests. For the RIS to process OCSP requests for certificates issued by a specific CA certificate, an OCSP configuration must exist for that CA certificate. The OCSP configuration can be created in the CARA Admin frontend. Details can be found in [MTG-CARA-Modulhandbuch_OCSP-Responder].

The OCSP responder URL of the RIS is as follows:

http://<BASE_URL>/ocsp

The placeholder <BASE_URL> has to be replaced by the name of the server on which the RIS was installed and started.

If a context path other than the default cara-revocation-info-server is chosen for an ExecutableJAR installation, the URL must be modified accordingly.

The OCSP responder functionality of the CARA Revocation-Info-Server can be tested, for example, using OpenSSL:

openssl ocsp -issuer <issuer-cert-file> -serial <serialNumber> -text -url http://<BASE_URL>/ocsp

The placeholder <issuer-cert-file> must be replaced with the path to the file containing the issuer CA certificate, and the placeholder <serialNumber> with the serial number of the certificate for which the OCSP request is made. The prerequisite is that the issuer has already issued a certificate.

1.2. CRL Distribution Point

The RIS can be used to distribute revocation lists. It retrieves the revocation lists from MTG-CARA and makes them available for HTTP download.

The revocation list for a CA certificate can only be retrieved if a revocation list configuration exists for that CA certificate. The name of the revocation list configuration must be known: it is part of the CRL-DP URL and should, if possible, not contain any special characters. If the URL does contain special characters, it must be ensured that these are HTML-encoded accordingly. Both complete revocation lists and delta revocation lists can be obtained from the CRL Distribution Point.

The CRL-DP URL is composed as follows:

http://<BASE_URL>/<Path>/[complete|delta]/<CRL-Config-Name>[.crl]

The placeholder <BASE_URL> has to be replaced by the name of the server on which the RIS was installed and started.

The placeholder <CRL-Config-Name> must be replaced by the name of the respective CRL configuration. The file extension .crl is optional: it can be added to or omitted from the URL as desired. The name of the revocation list configuration itself must not contain the file extension.

For the placeholder <Path> the following values are possible; they are equivalent to each other. A revocation list is always available under all of these paths, and individual paths cannot be disabled:

  • named-crl

  • crldp

  • crldps

  • crl

  • crls

  • revocation

  • rev

The specification of the CRL type (complete or delta) is optional. To download the latest complete revocation list for a CA certificate, the CRL type complete can be omitted. To download the most recent delta revocation list for a CA certificate, however, the CRL type delta must be specified. The HTTP download of the revocation list can be tested in the browser.
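As an added example, not part of the MTG-CARA documentation or product, the following Python code composes CRL-DP URLs according to the scheme above and parses them back, applying the documented rules (the seven equivalent path aliases, an omitted CRL type meaning the complete list, the optional .crl extension, and no .crl in the configuration name itself) and percent-encoding special characters in the configuration name. The host name ris.example.test and the configuration names are constructed values.

```python
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Equivalent path aliases and CRL types from the CRL-DP URL scheme above.
CRLDP_PATHS = ("named-crl", "crldp", "crldps", "crl", "crls", "revocation", "rev")
CRL_TYPES = ("complete", "delta")


def build_crldp_url(base_url: str, config_name: str, crl_type: Optional[str] = None,
                    path: str = "crldp", with_extension: bool = True) -> str:
    """Compose http://<BASE_URL>/<Path>/[complete|delta]/<CRL-Config-Name>[.crl].
    Special characters in the configuration name are percent-encoded so the
    resulting URL is valid; the name itself must not carry the .crl extension.
    """
    if path not in CRLDP_PATHS:
        raise ValueError(f"unknown CRL-DP path alias: {path!r}")
    if crl_type is not None and crl_type not in CRL_TYPES:
        raise ValueError(f"CRL type must be one of {CRL_TYPES}, got {crl_type!r}")
    if config_name.lower().endswith(".crl"):
        raise ValueError("the CRL configuration name must not contain the .crl extension")
    segments = [path]
    if crl_type is not None:
        segments.append(crl_type)
    segments.append(quote(config_name, safe="") + (".crl" if with_extension else ""))
    return "http://" + base_url.strip("/") + "/" + "/".join(segments)


def parse_crldp_url(url: str) -> dict:
    """Split a CRL-DP URL into its parts; raise ValueError if it does not fit the scheme."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] not in CRLDP_PATHS:
        raise ValueError(f"not a RIS CRL-DP URL: {url!r}")
    crl_type = "complete"  # an omitted CRL type means the latest complete list
    if len(segments) == 3:
        if segments[1] not in CRL_TYPES:
            raise ValueError(f"unknown CRL type {segments[1]!r} in {url!r}")
        crl_type = segments[1]
    name, has_extension = segments[-1], segments[-1].lower().endswith(".crl")
    if has_extension:
        name = name[:-4]
    return {"base_url": parts.netloc, "path": segments[0], "crl_type": crl_type,
            "config_name": unquote(name), "extension": has_extension}


if __name__ == "__main__":
    # Constructed example values; the host name is not a real RIS installation.
    url = build_crldp_url("ris.example.test", "Issuing CA 1", crl_type="delta", path="crls")
    print(url, parse_crldp_url(url))
```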

References

  • [MTG-CARA-Modulhandbuch_OCSP-Responder] MTG-CARA Modulhandbuch_OCSP-Responder