EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:
PrimeKey Support, Development and Maintenance services

OCSP Installation

Note
This section contains installation instructions for the external OCSP responder. EJBCA by default have an internal OCSP responder that works out of the box on the CA server. See 'OCSP Architecture' to determine if you also need an external OCSP responder.

Installing the external OCSP responder together with EJBCA requires configuration on the CA and installation of the external OCSP responder.

If you are not using the responder with EJBCA you can skip the section about building and configuring EJBCA.

Building and configuring the Responder

*** General configuration ***

You should first read the Standalone VA installation that specifies the general configuration for a VA.

All options for the OCSP responders OCSP behavior is set in conf/ocsp.properties. All options are documented in this file.
The ocsp.keys.* preferences (that has no meaning for EJBCA) has also to be configured.
If card keys (see below) should be used then the property 'ocspHardTokenClasses' must be set to the corresponding directory of PrimeCard.

*** Responder signing keys ***

The keys used to sign the OCSP response could either be stored on as a PKCS#12 file in the file system of the host, on a smart card or on a PKCS#11 token. It should be one key for each CA, and the each CA the responder answers for an OCSP signing certificate must be issued.
The certificate profile could be the same for both soft, smart card and PKCS#11 keys.

To issue OCSP signer certificate from EJBCA you define a new certificate profile and use 'OCSPSIGNER (FIXED)' as template (use selected as template).
This certificate profile is like a normal end entity profile but with the following key usages: 

- Key Usage: Digital Signature
- Extended Key Usage: OCSPSigner

Configure the newly created certificate profile to use the OCSP publisher defined above. You also need to create a new End Entity Profile to use the new Certificate Profile.

You should then create a user for each CA using this certificate profile. Use the token type "p12" or "jks" for soft keys and "user generated" for pkcs#11 and card keys.

Note
Note: The OCSP responders certificate(s) AND the CA certificate(s) need to be published from the CA to the OCSP responder. For the CA you do this by setting the CRL publisher to the OCSP publisher.
*** Soft keystores ***

When a soft key has been created it should be stored in the directory defined by the ocsp.keys.dir property of conf/ejbca.properties. The password for each key must be the same and should be equal to the ocsp.keys.keyPassword property of conf/ejbca.properties.

Soft OCSP keystores are most easily created by adding a user to EJBCA and selecting the PKCS#12 keystores type. After this the OCSP keystore can be created by running the bin/ejbca.sh batch command on the EJBCA server, or by fetching the PKCS#12 keystore from the public enrollment pages of EJBCA.

*** PKCS#11 HSMs ***

A PKCS#11 key and certificate is created like this (example for Thales/nCipher, change accordingly for your HSM): 

ejbcaClientToolBox.sh PKCS11HSMKeyTool generate ./sunpkcs11.cfg 2048 ocsp
ejbcaClientToolBox.sh PKCS11HSMKeyTool certreq /opt/nfast/toolkits/pkcs11/libcknfast.so i1 ocsp

The certificate for the key is then fetched from the public enrollment page of EJBCA with the certificate request that was stored in the file ocsp.pem when the "certreq" command was executed. You then have to manually create a certificate chain file. The OCSP signer certificate should be first in this file and the root CA certificate should be last.

If the chain file is called chain.pem then the certificate chain is installed in the HSM like this: 

ejbcaClientToolBox.sh PKCS11HSMKeyTool installcert /opt/nfast/toolkits/pkcs11/libcknfast.so i1 chain.pem

You must then define all ocsp.p11.* properties on the responder. Please read Generic PKCS#11 provider for information on the configuration file for the generate command. Do also try to find your HSM in Hardware Security Modules (HSM). Please note the only PKCS#11 HSMs are supported.

*** PrimeCardHSM ***

Smart card keys are created on the card with the "create CA Token on card" tool see the HOWTO-CATokenOnCard.txt of PrimeCard. Select the choice for one authentication code for all keys on the card. If you want several OCSP responders with same keys then you may create several card with same keys. But note that no backup card is needed. If a card is lost or broken then simply make another one with new keys and revoke the old signing certificates.

The certificates for the the keys are then fetched from the public enrollment page of EJBCA with the certificate request. There should be one certificate request for each key.

The command: 

changePIN.sh createCertReqs

will create the requests, one for each key. Choose 'pem' format for the certificates and then just store these files in the 'ocsp.keys.dir' directory. The property 'ocsp.keys.cardPassword' should be set to the PIN of the card.

Re-start the application server for the external OCSP responder. When the application server is started it should just work.

Dynamic reconfiguration

By configuring the property 'allow.external-dynamic.configuration' in conf/ejbca.properties you can have the OCSP responder re-read some configuration values from files in the file system. The values ocsp.untilNextUpdate and ocsp.maxAge from ocsp.properties will be re-read if you put an ocsp.properties file in the directory /etc/ejbca/conf or in APPSRV_HOME/bin/conf (if you start your application server from APPSRV_HOME/bin).

Key updating

The responder might be configured (in ocsp.properties) to scan for installed keys at regular intervals. The responder will use the keys detected at the latest scan.

Please note that keys in the PKCS#11 slot will not be updated if automatic re-keying is enabled.

Re-keying

Re-keying allows the OCSP responder to generate new signing keys and obtain a new certificate for these keys from the CA. Re-keying is configured in the ocsp.properties configuration file.

Re-keying can be either automatic or manual. Automatic re-keying allows you to specify the maximum expiration period in seconds before the re-keying should happen (i.e. you can set-up the OCSP responder to renew its keys and certificates when its current certificate is about to expire). Manual re-keying allows you to trigger the renewal by sending a GET request to the OCSP responder (with the necessary parameters). Manual re-keying is useful when a greater control on re-keying periods is desired. Since manual re-keying can be done with external tools (like wget or curl), cron jobs can be set-up to trigger it at the desired time.

Both automatic and manual re-keying require that EJBCA CA web-service URL is defined. The web-service URL should point to the EJBCA CA server which has issued the certificates for the OCSP responder. If the URL is not defined, the re-keying won't be enabled.

OCSP responder acts as a registration authority when renewing keys with the EJBCA CA. OCSP responder can use either a soft keystore, or an HSM for authenticating with CA. If soft keystore is used, it needs to be provided in the Java keystore format (jks), and its location and password should be defined in the ocsp.properties configuration file. If HSM is used for the authentication, the soft keystore options should not be specified, and the re-keying function will instead use the private key from the configured P11 slot (the private key from HSM slot is selected by first locating the corresponding certificate in the slot with the necessary key usage and extended key usage as outlined below).

Since OCSP responder is acting as a registration authority, its certificate for authenticating to the EJBCA CA web-service must have the key usage set to "Digital Signature" and extended key usage set to "Client Authentication". It is also necessary to set-up the appropriate access rules on the CA side (either by creating a new RA role, or using an existing one). The role for the OCSP responder should have the right to view and edit the end entities (at least for all of the CA's issuing the certificates for the OCSP responder, as well as for certificate profiles used by the OCSP responder's certificates).

For manual re-keying the GET request should contain the parameters "renewSigner" and "password". The "renewSigner" parameter can be used to specify which OCSP keys should be renewed. It can be either set to "all", which will renew all of the OCSP signer keys, or to a specific OCSP responder certificate subject DN (unlike the default responder options, the parameter specified here should be the OCSP's subject DN, not the issuer's). Password should be configured in the ocsp.properties file. If the password is not set, manual re-keying will not be enabled.

Manual re-keying can further be limitted by specifying the allowed originating IP addresses for the requests. By default the re-keying is allowed only from the localhost (127.0.0.1) address. Allowed IP addresses are configured in the ocsp.properties configuration file, and multiple addresses can be provided by separating them with a semicolon (;).

The following two examples demonstrate the manual triggering of re-keying on the OCSP responder. The first example triggers the re-keying for all of the OCSP signer keys, while the second one will trigger rekeying for a specific signer (the one matching the subject DN of "CN=OCSP REsponder 123,O=PrimeKey Solutions AB,C=SE"): 

wget http://va.example.com:8080/ejbca/publicweb/status/ocsp?renewSigner=all\&password=foobar123
wget http://va.example.com:8080/ejbca/publicweb/status/ocsp?renewSigner=CN=OCSP\ Responder\ 123,\ O=PrimeKey\ Solutions\ AB,\ C=SE\&password=foobar123

If a specific OCSP subject DN is provided, the OCSP responder will look amongst its keystores/HSM slots for matching certificate and its associated keys. If the specified subject DN is not found, an ERROR message will be output to the server log files specifying the searched subject DN and the available subject DN's. If you're having problems with manual re-keying when providing a specific subject DN, make sure to check the logs and verify that the proper subject DN was specified for the "renewSigner" parameter. Ordering of subject components matters. You can also copy/paste the subject DN from the log to make sure the spelling and ordering is right (i.e. that it matches with what can be found on-disk or in HSM).

For re-keying to work, the OCSP signer certificaes need to be issued to separate end entities on the EJBCA ca (i.e. you can't re-use the same end entity for multiple OCSP signer certificates for different CA's).

When testing the automatic re-keying it is desirable to set the maximum expiration time to be as short as possible. This can be achieved by setting it to a value that's close to the validity time of the OCSP certificate. For example, in case the validity of OCSP certificate is 730 days, the ocsp.rekeying.renewTimeBeforeCertExpiresInSeconds value should be set to (730*24*60-14)*60 = 63071160 seconds. This will force re-keying to happen every 4th minute (EJBCA issues certificates which are valid 10 minutes before they were issued in order to compensate for clock inaccuracies in systems using the certificates).

Be aware that the re-keying operation has not been tested on all of the application servers. Some of the application servers may have problematic client web-service implementations. The following application servers have been tested and confirmed to work as expected for OCSP signer re-keying:

  1. JBoss 5.1.0.GA (jdk6)
  2. JBoss EAP 5.1.2
  3. JBoss 6.1.0.Final

No password in memory

With this feature enabled no password are kept in memory. If it is enabled you must not define any passwords in ocsp.properties.

Defining this feature makes it impossible to do "key updating".

Several responders using same HSM

If several responders should share the same HSM and rekeying should be enabled on all of them then each responder must use different keys. To be able to define this set of keys that should be used there is a property called 'ocsp.rekeying.listOfAliases' in the ocsp.properties file.

Error handling

If there is an error publishing to the OCSP database, the OCSP responder will be out of sync with the CA. It is very important to re-synchronize the databases in that case. Read about error handling and synchronization of the database in the VA installation guide.

Running several responders

Additional OCSP DataSources for OCSP responders have to be added manually. The easiest way to do this on JBoss is to clone the initially deployed OCSP DataSource JBOSS_HOME/server/default/deploy/ocsp-ds.xml to JBOSS_HOME/server/default/deploy/ocsp2-ds.xml and change 

      <jndi-name>OcspDS</jndi-name>
      <connection-url>jdbc:mysql://ocsp1.domain.org:3306/ejbca</connection-url>

to

      <jndi-name>Ocsp2DS</jndi-name>
      <connection-url>jdbc:mysql://ocsp2.domain.org:3306/ejbca</connection-url>

and configure an additional publisher to use this new DataSource 'java:/Ocsp2DS'.

An alternative approach for MySQL users is to use the tools for database replication. Either you could replicate CertificateData from you master EJBCA database to slave-responders or you could publish to a master OCSP responders database that in turn is replicated to the other responders. How to do it is described in the mysql documentation. Depending on which which version you are using please read one of the followings: MySQL 5.0 Replication Howto MySQL 5.1 Replication Howto

Adding additional responders in a live environment

There is no automated way of pushing all the certificates that has been published to existing OCSP responders. To duplicate an existing "source" OCSP database to a "target" OCSP database:

  1. To create the tables in the target OCSP, start JBoss AS with OCSP deployed for the first time (and then stop the server before doing the next step).
  2. Add an additional DataSource for the target OCSP responder in EJBCA.
  3. Configure a new ValidationAuthorityPublisher in EJCBA that uses the target OCSP DataSource. Chose to only publish to queue to accumulate all changes during the cloning.
  4. Wait one hour and check that there is nothing in the publisher-queue of the source OCSP that is older than one hour.
  5. Do a MySQL dump from the source database to the target database or use the ClientToolBox DBCOPY-command.
  6. When the copy operation has finished, configure a new Republisher Service for the target's OCSP Publisher.
  7. Make sure that the queue that built up during the copy operation is now published to the target OCSP.
  8. Run the monitoring tool (ClientToolBox OCSPMon) to verify that the new OCSP is in sync.
  9. Start the new OCSP node and add it to the pool of OCSPs in your load balancer.

Audit and Account Logging

There are three types of logs that can be generated by the OCSP responder.

1. The OCSP service logs using Log4j to the JBoss server.log. The JBoss server log is located in JBOSS_HOME/server/default/log/server.log and the logging is configured in JBOSS_HOME/server/default/conf/jboss-log4j.xml.

2. The OCSP transaction log can be used to log various information about ocsp-requests. Transaction logging logs summary lines for all OCSP request/responses, which can be used for charging clients if you are running a commercial OCSP service.
To turn on transaction logs logs, copy ocsp.properties.sample to ocsp.properties and change: 

#ocsp.trx-log = false

to

ocsp.trx-log = true

then uncomment the other lines below that starts with ocsp.trx-log. Change the ocsp.trx-log-log-date line if you want to change how the time recorded in logging should be output. The value should be on the same format as for javas DateFormat, information on valid configurations can be found here. 

ocsp.trx-log-log-date = yyyy-MM-dd:HH:mm:ss

ocsp.trx-log-pattern is a pattern for use with ocsp.audit-order to replace constants with values during logging For most purposes you will not need to change this string.

Use ocsp.trx-log-order to specify what information should be logged and in what order. You can also configure what characters you want in between. If you want your log to display all of the values available you only have to un-comment it.

Available values for the transaction log are:

LOG_ID, An integer identifying that starts from 1 and is increased for every received request.
SESSION_ID A random 32 Byte long String generated when the OCSP-responder is started.
STATUS, The status of the OCSP-Request. SUCCESSFUL = 0;MALFORMED_REQUEST = 1;INTERNAL_ERROR = 2;TRY_LATER = 3;SIG_REQUIRED = 5;UNAUTHORIZED = 6;
CLIENT_IP, IP of the client making the request.
REQ_NAME, The Common Name (CN) of the client making the request.
SIGN_ISSUER_NAME_DN, DN of the issuer of the certificate used to sign the request.
SIGN_SUBJECT_NAME, Subject Name of the certificate used to sign the request.
SIGN_SERIAL_NO, Certificate serial number of the certificate used to sign the request.
NUM_CERT_ID, The number of certificates to check revocation status for.
ISSUER_NAME_DN, The subject DN of the issuer of a requested certificate.
ISSUER_NAME_HASH, MD5 hash of the issuer DN.
ISSUER_KEY, The public key of the issuer of a requested certificate.
DIGEST_ALGOR, Algorithm used by requested certificate to hash issuer key and issuer name.
SERIAL_NO, Serial number of the a requested certificate.
CERT_STATUS, The requested certificate revocation status.
REPLY_TIME, The time measured between when the request is received by the responder and when the response is sent. This time includes the time it takes to read the request bytes.
PROCESS_TIME, The time measured between when the request has been read by the responder and when the response is sent. This time starts after the request bytes have been read.

3. The OCSP audit log logs entire requests and responses. This can be useful when requests and responses are signed because the information can be used to verify requests and responses afterwards. Audit logging is configured in the same way as transaction logging.
Valid values for audit logging are:

LOG_ID, An integer identifying that starts from 1 and is increased for every received request.
SESSION_ID A random 32 Byte long String generated when the OCSP-responder is started.
OCSPREQUEST, The (hex encoded) byte[] ocsp-request that came with the http-request.
OCSPRESPONSE, The (hex encoded) byte[] ocsp-response that was included in the http-response.

Note that LOG_ID are of the same value in both trx log and audit log for any request. This means they can be cross referenced. You can retrieve information from the transaction log and verify that the information is valid by using the audit Log.

Configuring output files for OCSP logging

For JBoss you can configure JBOSS_HOME/server/default/conf/jboss-log4j.xml to put the transaction and audit logs in separate files. 

   <appender name="OCSPTRANSACTION" class="org.jboss.logging.appender.RollingFileAppender">
     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
     <param name="File" value="${jboss.server.log.dir}/transactions.log"/>
     <param name="Append" value="false"/>
     <param name="MaxFileSize" value="500KB"/>
     <param name="MaxBackupIndex" value="1"/>
     <layout class="org.apache.log4j.PatternLayout">
       <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
     </layout>	    
   </appender>

   <appender name="OCSPAUDIT" class="org.jboss.logging.appender.RollingFileAppender">
     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
     <param name="File" value="${jboss.server.log.dir}/audit.log"/>
     <param name="Append" value="false"/>
     <param name="MaxFileSize" value="500KB"/>
     <param name="MaxBackupIndex" value="1"/>
     <layout class="org.apache.log4j.PatternLayout">
       <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
     </layout>	    
   </appender>

   <category name="org.ejbca.core.protocol.ocsp.TransactionLogger">
         <priority value="DEBUG"/>
         <appender-ref ref="OCSPTRANSACTION"/>
   </category>

   <category name="org.ejbca.core.protocol.ocsp.AuditLogger">
         <priority value="DEBUG"/>
         <appender-ref ref="OCSPAUDIT"/>
   </category>

For other application servers you can configure conf/log4j-appserver.xml.

Safer Log4j Logging

The default behavior when logging fails, such as when the destination disk is full or disconnected, is to continue responding as normal. If you prefer the responder not to send OCSP-responses when logging fails you can use the following configuration:

1. From your EJBCA folder, run: 

ant jbosslog4jsafer

2. Copy jbosslog4jsafer.jar from the dist directory to your JBoss Servers lib directory. For example: 

cp dist/jbosslog4jsafer.jar /home/jboss/jboss-4.2.2.GA/server/default/lib/

3. Set 'ocsp.log-safer = true' in ocsp.properties

4. Modify your jboss-log4j.xml file to use the SaferDailyRollingFileAppender and ProbeableErrorHandler. For example: 

	<appender name="OCSPTRANSACTION" class="org.ejbca.appserver.jboss.SaferDailyRollingFileAppender">
		<errorHandler class="org.ejbca.appserver.jboss.ProbeableErrorHandler" />
		<param name="File" value="${jboss.server.log.dir}/transactions.log" />
		<param name="Append" value="true" />
		
        <!-- Rollover at midnight each day -->
		<param name="DatePattern" value="'.'yyyy-MM-dd" />
		<layout class="org.apache.log4j.PatternLayout">
            <!-- The default pattern: Date Priority [Category] Message\n -->
			<param name="ConversionPattern" value="%d %-5p [%c] %m%n" />
		</layout>
	</appender>
	<appender name="OCSPAUDIT" class="org.ejbca.appserver.jboss.SaferDailyRollingFileAppender">
		<errorHandler class="org.ejbca.appserver.jboss.ProbeableErrorHandler" />
		<param name="File" value="${jboss.server.log.dir}/audit.log" />
		<param name="Append" value="true" />

        <!-- Rollover at midnight each day -->
		<param name="DatePattern" value="'.'yyyy-MM-dd" />
		<layout class="org.apache.log4j.PatternLayout">
            <!-- The default pattern: Date Priority [Category] Message\n -->
			<param name="ConversionPattern" value="%d %-5p [%c] %m%n" />
		</layout>
	</appender>
	
	<logger name="org.ejbca.core.protocol.ocsp.TransactionLogger">
		<level value="DEBUG" />
		<appender-ref ref="OCSPTRANSACTION" />
	</logger>
	<logger name="org.ejbca.core.protocol.ocsp.AuditLogger">
		<level value="DEBUG" />
		<appender-ref ref="OCSPAUDIT" />
	</logger>

If you use category instead of logger Log4j will output warnings on startup

5. Start JBoss and you are ready.

Setting up the Unid-Fnr OCSP extension

Note
If you don't know what a Unid-Fnr mapping is, you are probably not interested in this part.

The Unid functionality is described in a separate document.

OCSP GET

The GET OCSP request is defined in RFC 2560 A.1.1 as: 'GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}'. A base64-encoded request can contain the reserved characters '+', '/' and '=', but will be handled correctly both in their %-escaped and original form by the responder, since it's unclear if they do conflict as defined in RFC 2396 2.2.

Not all web-product handles the encoded '/' (%2F) nicely. JBoss/Tomcat has to be started with -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true added to JAVA_OPT in JBOSS_HOME/bin/run.conf. On Glassfish this JVM option is configured under Application Server Settings.

Responses with longer validity and caching

RFC 2560 defines thisUpdate, nextUpdate and producedAt. producedAt is always included in the response and is the time the response was created. thisUpdate and nextUpdate is enabled by configuring 'ocsp.untilNextUpdate' in ocsp.properties. thisUpdate will be the time a singleResponse is embedded in the main response and nextUpdate will be 'untilNextUpdate' seconds later than thisUpdate. This enables clients that supports this feature to re-use a valid response and decrease to load on the OCSP-responder.

RFC 5019 defines how to use HTTP cache headers as defined in RFC 2616 for OCSP HTTP GET requests. By using the headers Last-Modified, Expires, max-age and Date, less intelligent nextwork component like HTTP caches can cache respones. This enables re-use of responses to decrease the load on the OCSP-responder and can shorten reponse times by deploying caches closer to the actual OCSP consumers. HTTP cache headers is enabled by configuring configuring 'ocsp.maxAge' in ocsp.properties

When using RFC 5019 style HTTP headers, JBoss users should be aware that the Date header is overwritten with a cached value. Since generating the Date-string is computationally heavy for regular small GET requests, it is generated about once per second. So a response will have a Last-Modified that is one second in the future from Date from time to time.

A regular Apache HTTP server can be used for caching requests, load-balancing and dropping some unwanted requests: 

<VirtualHost *:80>
        # Use as much memory as possible for the cache (in 1 kB blocks)
        # 1GB of memory at ~2kB/ocsp request would hold about 500000 different requests
        CacheEnable mem /
        MCacheSize 1048576
        MCacheMaxObjectCount 1000000
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 4096

        # Using disk-cache will allow a much larger pool of cached entires and the operation system
        # will cache those files, but you are responsible for cleaning up old cache-entries using
        # the "htcacheclean" tool. A disk cache will also live through a server restart.
        # The user running apache has to have read/write access to "/var/cache/ocsp".
        #CacheEnable disk /
        #CacheRoot /var/cache/ocsp

        # Ignore requests for uncached responses.. this will protect the OCSP from
        # DOS attacks using "Cache-Control: no-cache" or "Pragma: no-cache"
        CacheIgnoreCacheControl On

        ProxyRequests Off

        <Location>
                # Everybody is welcome here..
                Allow from all
                Order allow,deny

                # ..or just those from networks that is supposed to use the service
                #Deny from all
                #Order deny,allow
                #allow from 127.
                #allow from 172.16.212.1

                ProxyPassReverse balancer://mycluster-kerb/
        </Location>

        # Proxy requests to OCSP instances (only one machine currently configured)
        <Proxy balancer://mycluster-kerb>
                # proxy_ajp has to be enabled for ajp-proxying
                BalancerMember ajp://127.0.0.1:8009/ejbca/publicweb/status/ocsp
                # proxy_http has to be enabled for http-proxying
                #BalancerMember http://ocsp2.domain.org:8080/ejbca/publicweb/status/ocsp
                #BalancerMember http://ocsp3.domain.org:8080/ejbca/publicweb/status/ocsp
        </Proxy>

        # We only want RFC 5019 compliant URLs to be forwarded to the OCSP, the rest
        # should get a "404 Not found" or "414 Request-URI Too Large."
        LimitRequestLine 257
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} get [NC]
        RewriteRule ^/([a-zA-Z0-9+=/]+)$ balancer://mycluster-kerb/$1 [P,L]

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug
        CustomLog /var/log/apache2/access.log combined
        ErrorLog /var/log/apache2/error.log
</VirtualHost>

Copyright © 2001-2011 EJBCA team. All rights reserved.