
Overall

I am experimenting to set up a private PKI by using OpenSSL on a box of CentOS 7. Everything works just fine except the issue that the "Next Update" line is missing from the OCSP response.

Systems

  • OS: CentOS 7.6
  • OpenSSL 1.0.2k-fips

Symptoms

When I tested a TLS certificate from this PKI against the OCSP responder locally, I got the following results:

Response verify OK
certs/abc.com.pem: good
        This Update: Sep 24 18:04:31 2019 GMT

I searched online, and a lot of the examples there show the Next Update line right under the This Update line in an OCSP response. For instance:

openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp.digicert.com
wikipedia.pem: good
    This Update: Apr  9 08:45:00 2014 GMT
    Next Update: Apr 16 09:00:00 2014 GMT

This is not a big issue until it comes to be used with HAProxy OCSP stapling. HAProxy OCSP stapling does not seem to accept an OCSP response without the "Next Update" line.

Question

Does anybody know why the "Next Update" line is missing from the OCSP response here? How can I get this line included in the OCSP response?

I tried on Ubuntu 18.04 LTS with its shipped OpenSSL package and got the same issue.

Thanks!

1 Answer

From section 4.2.2.1 of RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP:

If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time.

Meanwhile section 2.2.4 of RFC 5019 - The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments says:

nextUpdate

The time at or before which newer information will be available about the status of the certificate. Responders MUST always include this value to aid in response caching.

So it seems that your client expects a lightweight OCSP responder.

A quick look at the OpenSSL OCSP man page shows the following:

-nmin minutes, -ndays days

Number of minutes or days when fresh revocation information is available: used in the nextUpdate field. If neither option is present then the nextUpdate field is omitted meaning fresh revocation information is immediately available.

Try adding -nmin 5 or similar to the command line when you start the OpenSSL OCSP service.

garethTheRed
  • thanks for the inputs!!! Adding -nmin 5 to the command of openssl ocsp to start the OCSP responder solved the issue. – Insights.AI Sep 24 '19 at 23:32
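As an added end-to-end check (not part of the question or of garethTheRed's answer), the script below builds a throwaway CA in a temp directory and answers one OCSP request in OpenSSL's one-shot responder mode (-reqin/-respout, no listener), first without and then with -nmin 5, printing the Next Update line each time. The CA name, leaf name, serial 0x1001 and the index.txt entry are constructed for the demo and assume a stock openssl CLI.

```shell
#!/bin/sh
# Added example: shows that the OpenSSL OCSP responder only emits nextUpdate
# when -nmin/-ndays is given. Everything below lives in a throwaway temp dir.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed throwaway CA and one leaf cert (serial 0x1001) issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
  -days 1 -out leaf.pem 2>/dev/null

# Minimal CA index (6 tab-separated columns); the responder looks the serial
# up here and answers "good" for a V (valid) entry.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt

# One OCSP request for the leaf, reused for both responder runs below.
openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null

# ocsp_next_update "<extra responder flags>": answers req.der with the given
# flags, then prints the client-side Next Update line (empty if absent).
ocsp_next_update() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der -noverify $1 >/dev/null 2>&1
  # Same client check as in the question; -no_nonce so the stored response's
  # nonce is not compared against this fresh request.
  openssl ocsp -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce \
    -respin resp.der 2>/dev/null | grep 'Next Update' || true
}

echo "no flag: [$(ocsp_next_update '')]"          # empty: nextUpdate omitted
echo "-nmin 5: [$(ocsp_next_update '-nmin 5')]"   # Next Update: now + 5 min
```

The same `openssl ocsp -respin ... ` check is a cheap gate to run on a saved response before handing it to HAProxy as a staple file.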