OCSP & HTTP CRLs
1. Endpoints
1.1. OCSP Responder
The RIS offers an OCSP responder functionality. It uses MTG-CARA to process OCSP requests. Prerequisite for the RIS to process OCSP requests for certificates, issued by a specific CA certificate, is the existence of an OCSP configuration for the corresponding CA certificate. OCSP configuration can be created in the CARA Admin frontend. Details can be found in the [MTG-CARA-Modulhandbuch_OCSP-Responder].
The OCSP responder URL of the RIS is as follows:
http://<BASE_URL>/ocsp
The placeholder <BASE_URL>
has to be replaced by the name of the server,
on which RIS was installed and started.
If a context path different from the default cara-revocation-info-server is chosen for an ExecutableJAR installation
the URL must be modified accordingly.
|
The OCSP responder functionality of the CARA Revovation-Info-Server can be tested for example using OpenSSL:
openssl ocsp -issuer <issuer-cert-file> -serial <serialNumber> -text -url http://<BASE_URL>/ocsp
The placeholder <issuer-cert-file>
must be replaced with the path to the file containing the
Issuer CA certificate, while the placeholder <serialNumber>
must be replaced by the serial number of the
must be replaced by the serial number of the certificate for which the OCSP request is made,
must be replaced.
The prerequisite is that the issuer has already issued a certificate.
1.2. CRL Distribution Point
The RIS can be used to distribute revocation lists. It retrieves the revocation lists from MTG-CARA and makes them available for HTTP download.
The revocation list for a CA certificate can only be retrieved if a revocation list configuration exists for the CA certificate. The name of the revocation list configuration must be known. It is part of the CRL-DP URL and should not contain any special characters if possible. If the URL contains special characters, it must be ensured that these must be HTML-encoded accordingly. Both complete blacklists and delta blacklists can be obtained from the CRL Distribution Point.
The CRL-DP URL is composed as follows:
http://<BASE_URL>/<Path>/[complete/delta]/<CRL config name>[.crl]
The placeholder <BASE_URL>
has to be replaced by the name of the server
on which RIS was installed and started.
The placeholder <CRL-Config-Name>
must be replaced by the name of
the respective CRL configuration.
The file extension .crl
is optional.
It can be inserted or omitted from the URL as desired.
The name of the revocation list configuration itself must not contain the file extension.
The name of the blacklist configuration itself must not contain the file extension. |
For the placeholder <path>
there are the following possibilities,
which are equivalent to each other.
A block list is always available among all paths,
individual paths cannot be disabled:
-
named-crl
-
crldp
-
crldps
-
crl
-
crls
-
revocation
-
rev
The specification of the CRL type complete
or delta
is optional.
If the latest complete revocation list for a CA certificate is to be downloaded,
the CRL type complete
can be omitted.
However, if the most recent delta revocation list for a CA certificate is to be downloaded,
the CRL type delta
must be specified.
The HTTP download of the revocation list can be tested in the browser.