Setting up a Responder Using the CLI

In this example, there is a CA that may be offline, and an OCSP responder that answers for this CA is set up using the CLI.

A basic EJBCA instance that you can use CLI commands on (no CA needed) should be installed prior to performing the following steps.

The order of events is as in the workflow above, with the extra step of importing the CA certificate:

  1. Import the CA certificate (of OCSP_CA) as an External CA in the OCSP responder.

  2. Create a Crypto Token and generate the OCSP responder's signing key.

  3. Create an OCSP Key Binding, which is the configuration of the OCSP responder answering queries.

  4. Generate a CSR for the OCSP Key Binding, send the CSR to the External CA and get a signed OCSP signer certificate back.

  5. Import the OCSP signer certificate and activate the OCSP Key Binding.

Use the following commands; note that the External CA is called OCSP_CA and has the DN 'CN=OCSP_CA'.

bin/ejbca.sh ca importcacert OCSP_CA /home/tomas/tmp/OCSP_CA.pem
bin/ejbca.sh cryptotoken create OCSPCryptoToken foo123 true SoftCryptoToken true
bin/ejbca.sh cryptotoken generatekey OCSPCryptoToken ocspsignkey RSA2048
bin/ejbca.sh keybind create OCSP_CA_KeyBinding OcspKeyBinding DISABLED null OCSPCryptoToken ocspsignkey SHA256WithRSA -nonexistingisgood=false -includecertchain=true
bin/ejbca.sh keybind gencsr OCSP_CA_KeyBinding csr.pem
 
(send the CSR to OCSP_CA and get the signed certificate back)
 
bin/ejbca.sh keybind import OCSP_CA_KeyBinding ocsp.pem
bin/ejbca.sh keybind setstatus OCSP_CA_KeyBinding ACTIVE
 
(now your OCSP key binding is active and can be used to sign OCSP responses)

Test the responder by querying for the status of the OCSP signer certificate itself:

openssl ocsp -issuer OCSP_CA.pem -CAfile OCSP_CA.pem -cert ocsp.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E4A38A2DB963CAA8EEDFE4FBD396EE1E9B82FC19
Issuer Key Hash: EF9C1460AEEF978FCFD30A3E7B1A2CE0BF36F9AB
Serial Number: 054C3D7EA9E92EA5
Request Extensions:
OCSP Nonce:
0410ED1DFBA35756BBBF033FABB4055166E0
Response verify OK
ocsp.pem: good
This Update: Feb 5 12:58:43 2014 GMT

Take a certificate issued by OCSP_CA, received as a file (qwe.pem). Certificates can be fed to the responder as an allow list in many different ways (it is a normal database), but before importing it into the OCSP responder, check its status: with the current configuration (nonexistingisgood=false above) it should be unknown while the certificate is not present in the OCSP database.

openssl ocsp -issuer OCSP_CA.pem -CAfile OCSP_CA.pem -cert qwe.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E4A38A2DB963CAA8EEDFE4FBD396EE1E9B82FC19
Issuer Key Hash: EF9C1460AEEF978FCFD30A3E7B1A2CE0BF36F9AB
Serial Number: 5033A405556C4C26
Request Extensions:
OCSP Nonce:
0410CF2AA349C1EAF562650CE38FC9AD75B7
Response verify OK
qwe.pem: unknown
This Update: Feb 5 13:00:51 2014 GMT
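The two openssl checks above wrapped in a small POSIX shell script, as an added example that is not part of EJBCA or this page: it classifies the responder's answer (good, revoked, unknown, or error) and fails closed, so that "unknown" from the allow-list setup and a response whose signature does not verify are never mistaken for "good". It assumes OCSP_CA.pem and the certificate to check are in the current directory and uses the responder URL from the page; the sample outputs embedded at the bottom are constructed from the two responses shown above.

```shell
#!/bin/sh
# Added example, not EJBCA's own tooling: script the "openssl ocsp" check
# from this page so a responder can be tested non-interactively.
# Assumptions: OCSP_CA.pem and the certificate to check are in the current
# directory; the responder runs at the URL used on the page.
OCSP_URL="http://localhost:8080/ejbca/publicweb/status/ocsp"

# ocsp_status TEXT: classify the text that "openssl ocsp" prints.
# Prints one of: good, revoked, unknown, error. A response whose signature
# did not verify is "error" regardless of any status line in the output.
ocsp_status() {
    case "$1" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    # The status line looks like "ocsp.pem: good"; take the second field.
    status=$(printf '%s\n' "$1" | awk '/^[^ ]+: (good|revoked|unknown)$/ { print $2; exit }')
    echo "${status:-error}"
}

# ocsp_allowed TEXT: succeed only on "good". With the allow-list setup on
# this page "unknown" means the certificate was never imported, so it is
# treated like revoked or a bad response (fail closed).
ocsp_allowed() {
    [ "$(ocsp_status "$1")" = good ]
}

# ocsp_query CERT.pem: run the live query against the responder, classify it.
ocsp_query() {
    ocsp_status "$(openssl ocsp -issuer OCSP_CA.pem -CAfile OCSP_CA.pem \
        -cert "$1" -url "$OCSP_URL" 2>&1)"
}

# Constructed sample outputs (the page's two responses, shortened, plus a
# failed verification) so the classifier runs without a live responder.
SAMPLE_GOOD='Response verify OK
ocsp.pem: good
    This Update: Feb 5 12:58:43 2014 GMT'
SAMPLE_UNKNOWN='Response verify OK
qwe.pem: unknown
    This Update: Feb 5 13:00:51 2014 GMT'
SAMPLE_BADSIG='Response Verify Failure
ocsp.pem: good'

if [ -n "${1:-}" ]; then
    ocsp_query "$1"                     # e.g. ./check_ocsp.sh qwe.pem
else
    ocsp_status "$SAMPLE_GOOD"; ocsp_status "$SAMPLE_UNKNOWN"; ocsp_status "$SAMPLE_BADSIG"
fi
```

Run with a certificate file as the argument to query the responder; without arguments it only exercises the classifier on the embedded samples.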