« Services/OCSP » : différence entre les versions

Introduction

Online Certificate Status Protocol(OCSP ou en français protocole de vérification en ligne de certificat) est un protocole Internet utilisé pour valider un certificat numérique X.509. OCSP est standardisé par l'IETF dans la RFC 2560.

Ce protocole est une alternative réglant certains des problèmes posés par les liste de révocation de certificats (CRL) dans une infrastructure à clés publiques (PKI). Les messages OCSP sont codés en ASN.1 et peuvent être transportés par différents protocoles applicatifs (SMTP, LDAP, HTTP, etc.). Les communications OCSP étant de la forme « requête/réponse », les serveurs OCSP sont appelés répondeurs OCSP.

Centralisation de la validation des certificats

La validation des certificats est une tâche plus complexe qu'il n'y paraît. Elle est traditionnellement effectuée par le client de la PKI. Une grande confiance est ainsi accordée au client pour ce traitement critique. Or une grande partie des clients PKI effectuent leur validation de manière encore incomplète ou imparfaite (en 2006). Par exemple, la non-automatisation de la récupération des CRL des navigateurs web pose un problème quant à la mise à jour des informations.

OCSP permet de centraliser cette tâche au sein d'une PKI. Afin de valider un certificat, le client n'a plus à communiquer qu'avec une seule entité : le répondeur OCSP. On peut parler aussi d'autorité de validation (VA pour Modèle:Lang).

Avantage par rapport aux CRL

Plusieurs raisons peuvent amener à préférer le protocole OCSP aux traditionnelles CRL.

• OCSP fournit des informations sur le statut du certificat plus à jour.
• Avec OCSP, le client n'a plus besoin de récupérer lui-même la CRL. Vue la taille parfois importante de cette CRL, cela allège le trafic réseau.
• Le client n'a plus à traiter lui-même la CRL. Cela permet l'économie d'un traitement relativement complexe.
• Le répondeur OCSP permet de proposer des mécanismes de facturation au vendeur, et non pas à l'acheteur
• Les CRL peuvent être comparées à une "liste de mauvais clients" d'une banque. Cela constitue une fuite d'information non souhaitable.

Autres avantages

OCSP présente d'autres avantages en termes de déploiement des clients et d'architecture réseau.

• C'est le répondeur OCSP qui récupère les différents certificats constitutifs d'une chaîne de certificats et les CRL. Cela simplifie les communications, car le client ne dispose pas forcément de la connectivité nécessaire à leur récupération (filtrage par un pare-feu, etc.).
• Le répondeur OCSP valide la remontée du chemin de certification. Le client fait donc l'économie de cet autre traitement consommateur en ressources.
• Grâce au chaînage des répondeurs OCSP, le client ne communique qu'avec un seul répondeur, digne de confiance. Cela épargne au client des communications plus complexes.

Exemple d'utilisation

1. Alice et Bob sont des clients d'Ivan, l'autorité de certification (AC). Ils possèdent le certificat de clé publique d'Ivan.
2. Alice et Bob possèdent chacun un certificat de clé publique émis par Ivan.
3. Alice veut effectuer une transaction avec Bob. Elle lui envoie donc son certificat contenant sa clé publique.
4. Bob veut s'assurer que le certificat d'Alice n'a pas été révoqué. Il crée une requête OCSP contenant l'empreinte du certificat d'Alice et l'envoie à Ivan.
5. Le répondeur OCSP d'Ivan vérifie le statut du certificat d'Alice dans la base de données de la CA.
6. Le répondeur OCSP confirme la validité du certificat d'Alice en envoyant une réponse OCSP positive signée à Bob.
7. Bob vérifie la signature cryptographique de la réponse.
8. Bob effectue sa transaction avec Alice.

Concept de fonctionnement

Ce schéma illustre comment la requête OCSP est formée et envoyée vers le serveur OCSP:

Ce schéma illustre comment la réponse OCSP est formée et envoyée vers le client OCSP: La réponse peut être: GOOD - REVOKED - UNKNOWN

Liens externes

• Société spécialisée dans la validation / Axway
• Société spécialisée dans la validation / Corestreet
• Navigateur compatible OCSP: Mozilla Firefox

Mise en œuvre d'un client OCSP pour Apache / HES Geneva & e-Xpert Solutions

• Implementing Online Certificate Status Protocol / Tirthankar Barari

Alternatif à OCSP: le protocole SCVP

• Internet-Drafts
• Spécifications du standard

Il existe un projet libre de répondeur OCSP , qui est inclus dans l’excellentissime projet OpenCA :

http://www.openca.org/projects/ocspd/

Commencons donc par télécharger les sources ICI (dernière version disponible, la 1.5.1-rc1).

Installation

L’installation est des plus basiques :

# yum install ocspd

Un groupe et un user dédié est créé et on affecte les droits :

Avec votre système de PKI préférée, générer un certificat publique et un certificat privé pour votre serveur OCSP. (attention au hostname, dans mon cas, ocsp.guiguiabloc.fr)

Copier les, ainsi que votre certificat CA, dans <path>/etc/ocspd/certs/</path>

Il ne reste qu’a configurer votre répondeur :

Fichier <path>/etc/ocspd/ocspd.conf</path>

# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved

[ ocspd ]
default_ocspd   = OCSPD_default         # The default ocspd section

####################################################################
[ OCSPD_default ]

dir              = /etc/ocspd   # Where everything is kept
md               = sha1

ocspd_certificate = $dir/certs/ocspd_cert.pem   # The OCSP server cert
ocspd_key         = $dir/private/ocspd_key.pem  # The OCSP server key
pidfile           = /var/run/ocspd.pid          # Main process pid

# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
# the code providing an 'illegal' access method for an attacker
# it is better not to give him additional advantages.
user                    = ocspd
group                   = ocspd

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the availables ones.
bind                    = *

# Port where the server will listen for incoming requests.
port                    = 2560

# Max size of accepted requests. Data connection will be closed
# in case this size will be reached.
max_req_size            = 8192

# Number of threads that shall be created at startup time, the
# more threads, the better for handling very high traffic. We
# expect to have better performances on multi-threaded machines
# and processors.
threads_num             = 150

# Size of the system listen() queue. This allows buffering connection
# requests for later processing when all threads are already busy.
#max_client_num         = 30

# Max timeout for request receiving. If a request is not received
# within the specified number of seconds then the socket is closed
# in order to free unused threads. If not set, the default value
# is 5 seconds
max_timeout_secs        = 5

# Chroot the application into the specified directory, whatch
# out because if you chroot the application, all the paths
# should be relative to the new root for CRL reloading or
# (better solution) you have to download the CRLs from HTTP or
# LDAP. If you chroot and you do not provide support for
# privileges dropping, privileges will not be dropped and an
# error will be written in the logfile, but the server will
# continue to run assuming the chroot() is sufficiently isolated
# to prevent abuse of the machine.
#chroot_dir             = /usr

# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
# to the parent process (seconds)
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
#crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response        = ocsp_response

# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
# Example section using LDAP for data retrieval
# dbms          = dbms_ldap
#
# Example section using FILES for data retrieval
dbms            = dbms_file

# Enables the ENGINE interface for the server. If set to off then
# no support for ENGINE is loaded. If set to anything but 'off' the
# value must correspond to a section in this configuration file.
# Currently only LunaCA3, LunaSA are directly supported. If you need
# support for other HSM write to the authors.
#
# IMPORTANT NOTE: in case of usage with engine support enabled, put
# the private key ID - look at the HSM documentation - into the
# 'ocspd_key' field above in this file
engine = HSM

####################################################################
[ ocsp_response ]
dir                     = /etc/ocspd

# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
# the file pointed by 'ocsp_add_responses_certs', concatenated
# one after the other.
#
# Comment this option if you don't want to add certificates
# to responses.
ocsp_add_response_certs = $dir/certs/chain_certs.pem

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid = yes

# next_update_days and next_update_mins allows to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
#
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
# software correclty work with OCSP enabled.
next_update_days        = 0
next_update_mins        = 5


####################################################################
[ dbms_ldap ]

0.ca = @ldap_ca_1

[ ldap_ca_1 ]
# You can have the CRL on a simple file
# crl_url = file:///etc/ocspd/crls/crl.pem

# You can have the CRL retrieved from an HTTP server
# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl

# You can store the CRL into an LDAP server, simply
# store it in certificateRevocationList;binary attribute
#
# There are different way, all legal, to specify the CRL
# URL address:
# crl_url = ldap://[user[:pwd]@]ldap.server.org[:389]
# crl_url = ldap://ldap.server.org:389
crl_url = ldap://localhost

# The CRL entry DN is the DN to look for when retrieving the
# date from the LDAP server. Put here the complete DN (usually
# the DN of the CA's certificate).
#
# This option is needed only if the CRL is stored on LDAP
crl_entry_dn = "cn=Certification Auth, o=Organization, c=IT"

# To retrieve the CRL from LDAP the attribute where it is stored is to
# be specified. Usually this should be set to:
#
#     certificateRevocationList;binary
#
# anyway existing LDAP installations or new standards can mandate
# for different attributes for storing CRLs into. Use this parameter
# to specify the attribute used to retrieve the CRL from.
#
# This option is needed only if the CRL is stored on LDAP
crl_entry_attribute = "certificateRevocationList;binary"

# We need the CA certificate for every CA we support. Upon loading
# the CRL and the CA certificate a simple check is made to ensure
# the CRL/CA certificate matching. Also the CA certificate is used
# to retrieve the CID used to identify the certificate being
# requested by the client (CID of the Issuer + serial Number).
# 
# DN where the cACertificate;binary value can be downloaded
# This option is needed only if the CA Certificate is stored on LDAP
ca_entry_dn = "o=Organisation, c=IT"


####################################################################
[ dbms_file ]

# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
0.ca = @first_ca
#1.ca = @second_ca

####################################################################
[ first_ca ]

# You can have the CRL on a simple file in PEM format
crl_url = file:///etc/ocspd/crls/crl_01.pem

# We need the CA certificate for every supported CRL
ca_url  = file:///etc/ocspd/certs/1st_cacert.pem

####################################################################
[ second_ca ]

# You can have the CRL on a simple file in PEM format
crl_url = file:///etc/ocspd/crls/crl_02.pem

# We need the CA certificate for every supported CRL
ca_url  = file:///etc/ocspd/certs/2nd_cacert.pem

####################################################################
[ HSM ]

# Setup parameters for basic lunaCA3/LunaSA crypto hardware.

# Specifies the ENGINE id to be used - check OpenSSL and your HSM
# vendor to get more info about this parameter.
engine_id = LunaCA3

# Some HSM need initialisation before access to the crypto accelerated
# functions is granted. It is possible, by using the 'engine_pre' options
# to issue needed commands directly to the HSM.
#
# The format is as follows:
#    0.engine_pre = cmd:values
#    1.engine_pre = cmd2:values
#    ...
# It is possible to have as many commands as needed.
# The following command is for LunaCA3/LunaSA. It forces the vendor's
# library to use '/etc/my_conf_file' as configuration file (check the
# HSM documentation about this file contents.
#0.engine_pre = CONF_PATH:/etc/my_conf_file

# The following is for LunaCA3/LunaSA where the command is 'login' and
# the value is "1:10:11:myPassword" which indicates to use Slot 1,
# high application id 10, low app id 11 and password "myPassword"
0.engine_pre = login:1:10:11:myPassword

# Some HSMs need to perform commands after the ENGINE initialisation
# which are taken from the 'engine_post' option. Usage and format
# is exactly the same as 'engine_pre', the difference is that commands
# are sent to the HSM after the ENGINE_init() function. Refer to your
# HSM documentation for more informations
# 0.engine_post = logout:1:10:11

[ ocspd ]
default_ocspd   = OCSPD_default         # The default ocspd section
 
####################################################################
[ OCSPD_default ]
 
dir              = /opt/ocspd/etc/ocspd         # Where everything is kept
db               = $dir/index.txt               # database index file.
md               = sha1
 
ca_certificate    = $dir/certs/CA_Guiguiabloc-cert.pem      # The CA certificate
ocspd_certificate = $dir/certs/ocsp-cert.crt    # The OCSP server cert
ocspd_key         = $dir/certs/ocsp-key.pem   # The OCSP server key
pidfile           = $dir/ocspd.pid              # Main process pid
 
user                    = ocspd
group                   = ocspd
 
bind                    = 192.168.1.1 (l'ip sur laquelle écouter ou * pour toutes les interfaces)
port                    = 2560
crl_auto_reload = 3600
crl_reload_expired = yes
response        = ocsp_response
 
....
 
[ ocsp_response ]
dir                     = /opt/ocspd/etc/ocspd
ocsp_add_response_keyid = yes
 
...
 
[ first_ca ]
 
crl_url = file:////opt/ocspd/etc/ocspd/crls/crl-Guiguiabloc.pem (la liste de révocation de certificat)
ca_url  = file:////opt/ocspd/etc/ocspd/certs/CA_Guiguiabloc-cert.pem

Je vous laisse consulter le fichier conf en entier pour en comprendre le contenu et le modifier suivant vos besoins, mais la configuration ci-dessous, très simple, fonctionne pour un premier test.

Ne reste qu’a lancer le démon et vérifier le syslog :

Test

# ocspd -c /etc/ocspd/ocspd.conf -v &

Jan  5 14:56:15 pki ocspd[22154]: OpenCA OCSPD v1.5.1 - starting.
Jan  5 14:56:15 pki ocspd[22154]: reading certificate file (/opt/ocspd/etc/ocspd/certs/ocsp-cer
t.crt).
Jan  5 14:56:15 pki ocspd[22154]: Reading Private Key file /opt/ocspd/etc/ocspd/private/ocsp-ke
y.pem
Jan  5 14:56:15 pki ocspd[22154]: reading CA certificate file.
Jan  5 14:56:15 pki ocspd[22154]: OCSP Daemon setup completed
Jan  5 14:56:15 pki ocspd[22154]: variable lookup failed for OCSPD_default::chroot_dir
Jan  5 14:56:15 pki ocspd[22154]: Auto CRL reload every 3600 secs
Jan  5 14:56:15 pki ocspd[22154]: Reload on expired CRLs enabled
Jan  5 14:56:15 pki ocspd[22154]: Number of CAs in configuration is 1
Jan  5 14:56:15 pki ocspd[22154]: INFO::FORMAT::CA Cert [//opt/ocspd/etc/ocspd/certs/CA_Guiguiabloc-cert.pem] is PEM formatted
Jan  5 14:56:15 pki ocspd[22154]: CA CERT for first_ca loaded successfully.
Jan  5 14:56:15 pki ocspd[22154]: CA List Entry added (CA list num 0)
Jan  5 14:56:15 pki ocspd[22154]: INFO::CRL RELOAD::File Protocol
Jan  5 14:56:15 pki ocspd[22154]: INFO::FILE::CRL is in PEM format
Jan  5 14:56:15 pki ocspd[22154]: CRL loaded [ first_ca ]
Jan  5 14:56:15 pki ocspd[22154]: CRL and CA cert [0:1] check ok
Jan  5 14:56:15 pki ocspd[22154]: CRL matching CA cert ok [ 1 ]
Jan  5 14:56:15 pki ocspd[22154]: INFO::CRL::Verify 1 [OK=1]
Jan  5 14:56:15 pki ocspd[22154]: INFO::CRL is Valid
Jan  5 14:56:15 pki ocspd[22154]: INFO::CRL::16 Entries [ first_ca ]
Jan  5 14:56:15 pki ocspd[22154]: CRL loaded successfully [first_ca]
Jan  5 14:56:15 pki ocspd[22154]: variable lookup failed for ocsp_response::ocsp_add_response_c
erts
Jan  5 14:56:15 pki ocspd[22154]: variable lookup failed for OCSPD_default::crl_check_validity
Jan  5 14:56:15 pki ocspd[22154]: Configuration loaded and parsed
Jan  5 14:56:15 pki ocspd[22154]: INFO::Local Address 192.168.1.1 [2560]
Jan  5 14:56:15 pki ocspd[22154]: INFO::OPENCA_SRV_INFO_TREAD::new thread created

Bien évidemment, vous fournissez au répondeur OCSP, la Liste de révocation des certificats (fichier CRL) et la database (index.txt). Si vous utilisez easyCA, ils sont générés sous $DIR et $DIR/crl par défaut (voir votre fichier openssl.cnf).

Et maintenant, interrogeons le serveur OCSP pour savoir si mon Certificat (ici webmail.guiguiabloc.fr) est encore valable :

pki:# openssl ocsp -issuer CA_Guiguiabloc-cert.pem -CAfile CA_Guiguiabloc-cert.pem -cert webmail.guiguiabloc.fr.crt -url http://192.168.1.1:2560 -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 4A694097441CA470D697E82AF367D1F196B59680
          Issuer Key Hash: 6490C296FF639D9B75A899E2DB29DC7DA42EE38D
          Serial Number: 13
    Request Extensions:
        OCSP Nonce:
            0410DDDA8DFEF460BA0C13ACCEBE7CDFDCB9
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = FR, ST = Bretagne, O = Guiguiabloc, OU = Guiguiabloc, CN = ocsp.guiguiabloc.fr, emailAddress = pki@guiguiabloc.fr
    Produced At: Jan  5 14:21:40 2009 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 4A694097441CA470D697E82AF367D1F196B59680
      Issuer Key Hash: 6490C296FF639D9B75A899E2DB29DC7DA42EE38D
      Serial Number: 13
    Cert Status: good
    This Update: Jan  5 14:16:51 2009 GMT
    Next Update: Jan  5 14:26:40 2009 GMT
 
    Response Extensions:
        OCSP Nonce:
            0410DDDA8DFEF460BA0C13ACCEBE7CDFDCB9
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, ST=Bretagne, L=Brest, O=Guiguiabloc, OU=Guiguiabloc, CN=Guiguiabloc CA Authority/emailAddress=pki@guiguiabloc.fr
        Validity
            Not Before: Jul 18 08:08:25 2008 GMT
            Not After : Jul 17 08:08:25 2013 GMT
        Subject: C=FR, ST=Bretagne, O=Guiguiabloc, OU=Guiguiabloc, CN=ocsp.guiguiabloc.fr/emailAddress=pki@guiguiabloc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bb:c8:c3:c0:78:26:88:8c:45:6c:2a:1b:88:fd:
                    71:57:c0:bb:23:e1:1e:40:86:d2:94:af:fc:e7:74:
                    41:3d:41:39:ac:a6:51:dc:4d:e8:80:53:a3:73:5d:
                    74:0e:1f:04:b1:78:dc:ad:45:65:5b:4f:0e:b2:92:
                    3c:bc:64:bb:3e:70:2c:ca:b8:ea:dc:fc:33:31:01:
                    d2:05:b2:e2:60:0c:d2:a6:c1:e9:83:b0:ca:d9:42:
                    98:44:8b:c3:df:63:dc:17:02:51:b6:f2:da:0e:c6:
                    81:fa:78:1c:d2:ca:56:52:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Issuer Alternative Name:
 
            X509v3 Subject Key Identifier:
                1A:18:4A:7A:BC:DB:3E:CD:60:87:0B:A3:11:4D:4F:E6:CE:19:17:27
            X509v3 Authority Key Identifier:
                keyid:64:90:C2:96:FF:63:9D:9B:75:A8:99:E2:DB:29:DC:7D:A4:2E:E3:8D
                DirName:/C=FR/ST=Bretagne/L=Brest/O=GuiGuiabloc/OU=Guiguiabloc/CN=Guiguiabloc CA Authority/emailAddress=pki@guiguiabloc.fr
                serial:B9:0E:D5:3E:0F:DA:79:FF
 
            Authority Information Access:
                OCSP - URI:http://ocsp.guiguiabloc.fr/
 
    Signature Algorithm: md5WithRSAEncryption
        0c:3a:3f:79:7e:e4:21:be:1b:d1:d4:ef:8f:1d:33:af:f2:88:
        eb:0f:40:cb:24:50:9b:47:cc:61:e2:a9:a3:6e:c5:4f:2a:7c:
        b5:03:f1:a1:b8:b7:23:c7:e1:00:61:3a:c0:7c:8f:c6:2f:c7:
        6a:c9:98:ad:af:ff:28:db:c6:1f:17:d3:54:f3:d7:1a:96:51:
        19:04:6c:f8:92:74:70:de:54:c1:55:d3:9d:27:99:8b:09:be:
        98:27:e6:5b:1e:14:a2:a9:d2:cb:a2:d7:52:8a:e1:ac:9b:a7:
        52:a2:5b:90:dc:cc:8f:33:4b:7a:99:60:4d:5e:b9:e6:71:ed:
        be:92
-----BEGIN CERTIFICATE-----
MIID/DCCA2WgAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBnDELMAkGA1UEBhMCRlIx
ETAPBgNVBAgTCEJyZXRhZ25lMQ4wDAYDVQQHEwVCcmVzdDEVMBMGA1UEChMMU3R5
eCBOZXR3b3JrMRAwDgYDVQQLEwdTdHl4bmV0MSIwIAYDVQQDExlTdHl4IE5ldHdv
cmsgQ0EgQXV0aG9yaXR5MR0wGwYJKoZIhvcNAQkBFg5wa2lAc3R5eG5ldC5mcjAe
Fw0wODA3MTgwODA4MjVaFw0xMzA3MTcwODA4MjVaMIGCMQswCQYDVQQGEwJGUjER
MA8GA1UECBMIQnJldGFnbmUxFTATBgNVBAoTDFN0eXggTmV0d29yazEQMA4GA1UE
CxMHU3R5eG5ldDEYMBYGA1UEAxMPb2NzcC5zdHl4bmV0LmZyMR0wGwYJKoZIhvcN
AQkBFg5wa2lAc3R5eG5ldC5mcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
psHpg7DK2UKYRIvD32PcFwJRtvLaDsaB+ngc0spWUvMCAwEAAaOCAWQwggFgMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMAkGA1Ud
EgQCMAAwHQYDVR0OBBYEFBoYSnq82z7NYIcLoxFNT+bOGRcnMIHRBgNVHSMEgckw
gcaAFGSQwpb/Y52bdaiZ4tsp3H2kLuONoYGipIGfMIGcMQswCQYDVQQGEwJGUjER
MA8GA1UECBMIQnJldGFnbmUxDjAMBgNVBAcTBUJyZXN0MRUwEwYDVQQKEwxTdHl4
IE5ldHdvcmsxEDAOBgNVBAsTB1N0eXhuZXQxIjAgBgNVBAMTGVN0eXggTmV0d29y
ayBDQSBBdXRob3JpdHkxHTAbBgkqhkiG9w0BCQEWDnBraUBzdHl4bmV0LmZyggkA
uQ7VPg/aef8wMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz
cC5zdHl4bmV0LmZyLzANBgkqhkiG9w0BAQQFAAOBgQAMOj95fuQhvhvR1O+PHTOv
8ojrD0DLJFCbR8xh4qmjbsVPKny1A/GhuLcjx+EAYTrAfI/GL8dqyZitr/8o28Yf
F9NU89callEZBGz4knRw3lTBVdOdJ5mLCb6YJ+ZbHhSiqdLLotdSiuGsm6dSoluQ
3MyPM0t6mWBNXrnmce2+kg==
-----END CERTIFICATE-----
Response verify OK
webmail.guiguiabloc.fr.crt: good

Réponse : GOOD tout va bien :-)

La réponse peut être: GOOD – REVOKED – UNKNOWN

Vous pouvez inclure directement dans votre certificat l’adresse de votre répondeur OCSP en ajoutant des extensions à votre openssl.cnf :

[OCSP]
 
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature
extendedKeyUsage        = OCSPSigning
issuerAltName           = issuer:copy
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
authorityInfoAccess     = OCSP;URI:http://ocsp.guiguiabloc.fr/
 
[SERVEUR_OCSP]
nsComment                       = "Guiguiabloc Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
issuerAltName                   = issuer:copy
basicConstraints                = critical,CA:FALSE
keyUsage                        = digitalSignature, nonRepudiation, keyEncipherment
nsCertType                      = server
extendedKeyUsage                = serverAuth
authorityInfoAccess             = OCSP;URI:http://ocsp.guiguiabloc.fr/
 
[CLIENT_OCSP]
nsComment                       = "Certificat Client SSL"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
issuerAltName                   = issuer:copy
basicConstraints                = critical,CA:FALSE
keyUsage                        = digitalSignature, nonRepudiation
nsCertType                      = client
extendedKeyUsage                = clientAuth
authorityInfoAccess             = OCSP;URI:http://ocsp.guiguiabloc.fr/

Puis d’invoquer l’extension lors de la création du certificat avec openssl (-extensions CLIENT_OCSP (par exemple).

Firefox

Dans Firefox, pour configurer l’interrogation automatique du répondeur OCSP, allez dans Outils/Options/Avance/Chiffrement et cliquez sur “Vérification”.