
I am trying to set up an OCSP responder for the certificates generated out of strongswan PKI - using it as a CA. If I try to use openssl it just throws out "Can't open index.txt.attr for reading, No such file or directory". Tried re-doing the certificate line. Still doesn't work. I am just hitting a wall and need some fresh eyes on it.

  1. Is there a way to get strongswan to deploy?
     1a. If yes: how? Can't find any documentation on it.
     1b. If no: am I on the right path with OpenSSL?
  2. How do I fix this error message - using strongswan - I can't seem to generate the index.txt?

Also this is the command I'm using to try and get this running - openssl ocsp -index index.txt -CA ca.crt.pem -port 43450 -rkey ocsp.key.pem -rsigner ocsp.issuecrt.pem -resp_no_certs -nmin 60 -text

Previously I set up the April 2018 OpenSSL for ed25519 and X25519 algorithm compatibility, before realising I couldn't get the CRL to work. Then I started deployment of strongswan for the PKI and CA components (installed full strongswan manually through source, configure, make, make test, make install, installing dependencies as I found the need). This worked, I got my CRL working, but now I can't get the OCSP and I have been at this for the better part of 2-3 weeks trying to figure this out, and I have a feeling I am just being thick and a PEBKAC user. Hopefully you guys and girls can help. If you need any further information, request it and I shall edit and provide.

shinooni

1 Answer


If you used strongSwan's pki tool to create your CA there won't be any index.txt file that OpenSSL needs for its OCSP server. OpenSSL creates and modifies these index "database" files when issuing/revoking certificates via openssl ca. So if you want to use the OCSP server with certificates that weren't created with that tool, you have to create that file manually.

Thankfully, the index.txt files are simple text files that can be created easily as needed. The files contain the following information for every certificate, one per line, with each field separated by a tab:

  1. Status: Is either "V" (valid), "R" (revoked) or "E" (expired)
  2. Expiration date/time in UTC (the format is YYMMDDHHMMSSZ)
  3. Revocation date/time (same format as above, empty for valid or expired certificates) and optional reason (comma separated, e.g. "superseded" or "keyCompromise")
  4. Hexadecimal serial number of the certificate
  5. File name of the certificate (OpenSSL does not seem to use it and sets it to "unknown"), may also be empty
  6. Subject DN of the certificate (slashes separate the RDNs), optional

If you have a valid certificate, you can generate an entry for the index.txt file with the following bash script (pass the path to the PEM-encoded certificate as first argument to the script):

#!/bin/bash
# Print one index.txt line for a valid (status "V") PEM certificate.
# Usage: ./index-entry.sh cert.pem >> index.txt

crt=$1
# Expiration in UTC as YYMMDDHHMMSSZ (GNU date parses the notAfter string; -u keeps it in UTC).
exp=$(date -u -d "$(openssl x509 -enddate -noout -in "$crt" | cut -d= -f 2)" +"%y%m%d%H%M%SZ")
# Hexadecimal serial number.
ser=$(openssl x509 -serial -noout -in "$crt" | cut -d= -f 2)
# Subject DN; the second cut drops the leading space after "subject=".
sub=$(openssl x509 -subject -noout -in "$crt" | cut -d= -f 2- | cut -d' ' -f 2-)
# Fields: status, expiry, revocation (empty), serial, file name, subject.
echo -e "V\t$exp\t\t$ser\tunknown\t$sub"

To revoke a certificate you can manually change the V to R and add the date and (optional) reason in the third column e.g. generated with $(date +"%y%m%d%H%M%SZ,keyCompromise"). Theoretically, you could also use openssl ca for it (and also use openssl ca updatedb to mark expired certificates), but that requires setting up an appropriate config file. If you didn't want to manage your CA with OpenSSL in the first place this might be overkill.

Also note that in comparison to a CRL you have to list all certificates in the file as openssl ocsp won't reply with status 'good' if it doesn't find a valid entry for the certificate's serial number.

ecdsa
  • I will test the solution over the weekend; however, when you said custom config, how would I get the ca command to work with ed25519\x25519? – shinooni Apr 27 '18 at 03:49
  • If your version of OpenSSL doesn't support it, you can't directly, as the `openssl ca -revoke` (or `-updatedb`) command will try to load the CA's private key and fail. So you have to either modify index.txt manually to revoke or mark expired certificates, or you create a dummy key/certificate (with a supported key type like RSA) that you don't actually use for anything else but to satisfy the `ca` command. This works because the private key and certificate are not actually used for the `-revoke` and `-updatedb` commands, so it doesn't matter if they aren't the actual CA's key/certificate. – ecdsa Apr 27 '18 at 07:04
  • Okay, now I'm struggling to get it to reflect the OCSP URIs in strongswan. I have added it to ipsec.conf and swanctl. Just can't seem to get it to reflect; any ideas would be awesome. – shinooni Apr 30 '18 at 12:14
  • What do you mean with "reflect the OCSP URI"? – ecdsa Apr 30 '18 at 13:20
  • When using pki --print --in cert.pem shouldn't it display ocsp Uri in output like when you add a crl Uri? – shinooni Apr 30 '18 at 22:49
  • Yes, if you added the URI to the certificate when you issued it with `pki --issue` (with the `--ocsp` option) then you should also see it in the output of `pki --print`. However, if you configured the OCSP URI only in a `ca` section (ipsec.conf) or an `authorities` sub-section (swanctl.conf) then you wouldn't see it there as these settings are only relevant for the IKE daemon not for PKI. – ecdsa May 01 '18 at 07:45
  • Ahhhh I see - as I stated in the original issue, PEBKAC on my end. Thank you so much. This has been stopping a personal project of mine for so goddamn long. – shinooni May 01 '18 at 08:52
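The manual revocation step described in the answer (change "V" to "R" and fill the third column with the UTC timestamp and optional reason), as an added example that is not part of the answer or of strongSwan/OpenSSL. The function names `revoke_in_index` and `index_status` are my own; it assumes GNU/BSD `date -u` and a POSIX awk, and that index.txt uses the tab-separated layout listed above.

```shell
#!/bin/sh
# revoke_in_index <index.txt> <hex serial> [reason]
# Rewrites the matching "V" line in place as "R", setting column 3 to
# YYMMDDHHMMSSZ[,reason], and keeps every other line and the tab layout intact.
# Returns 2 if no valid entry with that serial exists (already revoked or unknown).
revoke_in_index() {
    index=$1; serial=$2; reason=${3:-}
    now=$(date -u +"%y%m%d%H%M%SZ")          # revocation time, UTC as OpenSSL expects
    rev=$now
    [ -n "$reason" ] && rev="$now,$reason"   # e.g. 240501120000Z,keyCompromise
    tmp=$(mktemp) || return 1
    awk -F'\t' -v OFS='\t' -v ser="$serial" -v rev="$rev" '
        BEGIN { ser = toupper(ser) }          # serials are compared case-insensitively
        toupper($4) == ser && $1 == "V" { $1 = "R"; $3 = rev; hit = 1 }
        { print }
        END { exit hit ? 0 : 2 }
    ' "$index" > "$tmp"
    rc=$?
    if [ "$rc" -eq 0 ]; then mv "$tmp" "$index"; else rm -f "$tmp"; fi
    return "$rc"
}

# index_status <index.txt> <hex serial>
# Prints the status column (V, R or E) for a serial, or "unknown" if the serial is
# not listed at all. This is the case the answer warns about: a serial missing from
# index.txt will not get a "good" answer from openssl ocsp, so every issued
# certificate must have a line, not only the revoked ones.
index_status() {
    awk -F'\t' -v ser="$2" '
        BEGIN { ser = toupper(ser); st = "unknown" }
        toupper($4) == ser { st = $1 }
        END { print st }
    ' "$1"
}
```

Source the file and call `revoke_in_index index.txt 0A2B keyCompromise`, then restart `openssl ocsp` (it reads index.txt at startup) and check with `index_status index.txt 0A2B`.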