I have generated the certificates as given below:

Root-CA  ->  Intermediate-CA  ->  Server

Root-CA:
rootca.key
rootca.crt

Intermediate-CA:
intermediateca.key
intermediateca.crt

Server:
server.key
server.crt

My openssl.conf for Server:

[ server_cert ]
authorityInfoAccess = OCSP;URI:http://www.example.com

[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

My Nginx conf:

server {
        listen 443 ssl;
        listen [::]:443 ssl;   # nginx compares listen parameters case-sensitively; "SSL" is rejected as an invalid parameter
        server_name www.example.com;

        ssl_certificate  /home/user/conffiles/server+intermediateca.crt;
        ssl_certificate_key /home/user/conffiles/server.key;

        ssl_ocsp on;           # OCSP validation of *client* certificates; not involved in stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /home/user/conffiles/rootca+intermediateca.crt;
}

I am not getting any output with the following command:

echo QUIT | openssl s_client -connect www.example.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Using the following command:

openssl s_client -connect www.example.com:443 -tls1_2 -tlsextdebug -status

I get the below output:

OCSP response: no response sent

Can anyone please tell me how to set up the OCSP responder?

Please help me, I need this bug fixed. I appreciate your time. Thank you.

Nacho Taki
  • As you haven't said which vendor's OCSP responder you're planning to use, may I suggest https://stackoverflow.com/questions/68835032/how-to-make-a-ocsp-responder just to get you testing? – garethTheRed Aug 04 '22 at 06:06

1 Answer

How to set up the OCSP responder?

Wikipedia lists several OCSP responder implementations here. Each server has its own specific installation and configuration instructions.

For testing purposes the openssl ocsp implementation might be a useful lightweight solution.
The manual lists several usage examples, including:

OCSP server on port 8888 using a standard ca configuration, and a separate responder certificate. All requests and responses are printed to a file.

openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt

As above but exit after processing one request:

openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1

HBruijn
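The manual excerpts above show only the responder half of the exchange. The following script is an added example, not code from the question, the answer, or the OpenSSL project: it builds the same Root-CA -> Intermediate-CA -> Server chain with openssl, issues a delegated OCSP signing certificate using the [ocsp] profile from the question, and then runs all three roles (requester, responder, verifier) offline by passing the request to `openssl ocsp` as a file (-reqin) instead of over port 8888. It goes one step beyond the manual examples by exercising all three possible answers: a serial listed as valid, the same serial listed as revoked, and a serial the index does not know. The CA names, the serials, the revocation date and reason, the `/CN=www.example.com` subject, and the AIA URL http://127.0.0.1:8888 are assumptions made for this example; the index.txt layout is the one `openssl ca` maintains.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a throwaway
# Root-CA -> Intermediate-CA -> Server chain plus a delegated OCSP signing
# cert, then runs openssl ocsp as requester, responder and verifier offline:
# the responder reads the request from a file (-reqin) instead of -port.
# Names, serials, dates and the 127.0.0.1:8888 AIA URL are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}      # scratch directory for keys, certs and index

# openssl req needs a distinguished_name section even with -subj, so a
# minimal config is written instead of relying on the system openssl.cnf.
# [ocsp] is the profile from the question; the rest is a plain 3-tier PKI.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF
}

# $1 file stem, $2 CN, $3 issuer stem, $4 extension section, $5 serial
issue_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$5" -days 365 -sha256 -extfile "$WORK/openssl.cnf" \
    -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  write_config
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=Example Root CA" -days 3650 \
    -extensions v3_root -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  issue_cert inter  "Example Intermediate CA" root  v3_inter    0x1000
  issue_cert server "www.example.com"         inter server_cert 0x1001
  issue_cert ocsp   "Example OCSP Responder"  inter ocsp        0x1002
}

# Write an `openssl ca` style index.txt (status, expiry, revocation info,
# serial in uppercase hex as `openssl x509 -serial` prints it, file name,
# subject). openssl ocsp only reads the status, revocation and serial columns.
write_index() {                 # $1 = V (valid) or R (revoked)
  serial=$(openssl x509 -noout -serial -in "$WORK/server.pem" | cut -d= -f2)
  if [ "$1" = R ]; then rev='230101120000Z,keyCompromise'; else rev=''; fi
  printf '%s\t991231235959Z\t%s\t%s\tunknown\t/CN=www.example.com\n' \
    "$1" "$rev" "$serial" > "$WORK/index.txt"
}

# One round trip for a target (-cert file or -serial hex): build the request,
# answer it from the index as the responder, verify the response against the
# root only (the intermediate travels inside the response via -rother).
# Prints a single word: good, revoked or unknown.
ocsp_query() {
  ( cd "$WORK" &&
    openssl ocsp -no_nonce -issuer inter.pem "$@" -reqout req.der >/dev/null &&
    openssl ocsp -no_nonce -index index.txt -CA inter.pem -rsigner ocsp.pem \
      -rkey ocsp.key -rother inter.pem -nmin 5 -reqin req.der -respout resp.der \
      >/dev/null &&
    openssl ocsp -no_nonce -issuer inter.pem "$@" -CAfile root.pem -respin resp.der
  ) | awk '/^[^ ]+: (good|revoked|unknown)$/ { print $2 }'
}

build_pki
write_index V
echo "server.pem, listed V  -> $(ocsp_query -cert server.pem)"
write_index R
echo "server.pem, listed R  -> $(ocsp_query -cert server.pem)"
echo "serial not in index   -> $(ocsp_query -serial 0x9999)"
```

Two things carry over from this to the nginx setup in the question. First, to test the networked path instead of the file path, start the responder exactly as in the manual example above (`openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key -rother inter.pem -port 8888`) and replace the middle `-reqin`/`-respout` step with `-url http://127.0.0.1:8888` on the client side; the URI in the server certificate's authorityInfoAccess extension must point at that HTTP listener, because it is where nginx (and browsers) send their OCSP requests, so it cannot simply be the TLS site itself. Second, nginx fetches the response from that URI (or from `ssl_stapling_responder`) only after it is running and caches it before stapling, so the first handshakes after a restart legitimately report "OCSP response: no response sent"; a persistent "no response sent" means the fetch itself is failing, and the responder, not the nginx config, is where to look.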