The OCSP protocol lets a client send a request to an OCSP Responder asking whether a certificate has been revoked. The OCSP Responder answers from the contents of its database (index.txt).
Prerequisites for running OCSP
- Access to the database (index.txt)
- A key pair for the responder
The server certificate must include the OCSP URL (carried in the authorityInfoAccess extension):
[ server_cert ]
# ... snipped ...
authorityInfoAccess = OCSP;URI:http://ocsp.example.com
Create the key pair
Create the private key
cd /root/ca
openssl genrsa -aes256 \
-out intermediate/private/ocsp.example.com.key.pem 4096
Create the CSR
cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/ocsp.example.com.key.pem \
-out intermediate/csr/ocsp.example.com.csr.pem
Create and sign the certificate
openssl ca -config intermediate/openssl.cnf \
-extensions ocsp -days 375 -notext -md sha256 \
-in intermediate/csr/ocsp.example.com.csr.pem \
-out intermediate/certs/ocsp.example.com.cert.pem
Verify the key pair (inspect the issued certificate)
openssl x509 -noout -text \
-in intermediate/certs/ocsp.example.com.cert.pem
OCSP Responder
Start an OCSP Responder with OpenSSL
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
-index intermediate/index.txt \
-CA intermediate/certs/ca-chain.cert.pem \
-rkey intermediate/private/ocsp.example.com.key.pem \
-rsigner intermediate/certs/ocsp.example.com.cert.pem \
-nrequest 1
Send an OCSP request to the responder with OpenSSL
openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
-url http://127.0.0.1:2560 -resp_text \
-issuer intermediate/certs/intermediate.cert.pem \
-cert intermediate/certs/test.example.com.cert.pem
Revoke a certificate
openssl ca -config intermediate/openssl.cnf \
-revoke intermediate/certs/test.example.com.cert.pem