Questions tagged [ocsp]

Online Certificate Status Protocol (OCSP, RFC 6960) is a protocol for checking the revocation status of X.509 certificates in a PKI. Most OCSP responder implementations ingest certificate revocation lists (CRLs) from the Certificate Authorities (CAs) they answer for, build an internally signed status database called a proof set, and then produce OCSP responses from those proofs.

67 questions
1 vote, 1 answer

OCSP Stapling on LAMP with Let's Encrypt

How do I verify if OCSP Stapling works correctly? Setup: LAMP with Let's Encrypt, test domain https://pavelstriz.cz/; High-Tech Bridge result says OCSP is enabled. Is this enough for me to believe the OCSP is set up correctly? Thank you.
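
An added example, not from the question above or from any answer: the check that actually answers "does the server staple?" is `openssl s_client -status`, and the parser below turns its output into a one-word verdict so the check can be scripted. `HOST`/`PORT` are whatever you are testing; the sample outputs are constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the page): does a TLS server staple an OCSP
# response? Uses only openssl s_client; the parser is split out so it can
# be exercised on captured output without a network.
set -eu

# Classify `openssl s_client -status` output read on stdin. Prints one of:
#   connect-failed  no TLS session was established
#   none            server sent no status_request reply (stapling off or cold)
#   error           responder-level error (tryLater, unauthorized, ...)
#   good | revoked | unknown   the stapled certStatus
parse_staple() {
  awk '
    /^CONNECTED\(/                           { connected = 1 }
    /^OCSP response: no response sent/       { verdict = "none" }
    /OCSP Response Status:/ && !/successful/ { verdict = "error" }
    /Cert Status: good/                      { verdict = "good" }
    /Cert Status: revoked/                   { verdict = "revoked" }
    /Cert Status: unknown/                   { verdict = "unknown" }
    END {
      if (!connected)         print "connect-failed"
      else if (verdict == "") print "none"
      else                    print verdict
    }'
}

# check_staple HOST [PORT]: connect with SNI and ask for a stapled response.
# nginx fetches the OCSP response lazily after a (re)load, so the very first
# handshake often gets "none"; ask twice before believing that answer.
check_staple() {
  host=$1; port=${2:-443}; verdict=none; n=0
  while [ "$n" -lt 2 ] && [ "$verdict" = none ]; do
    verdict=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
                </dev/null 2>/dev/null | parse_staple)
    n=$((n + 1))
  done
  printf '%s\n' "$verdict"
}

# Constructed samples of what s_client prints (real output has many more
# lines; only the ones parse_staple keys on are shown).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | parse_staple   # good
printf '%s\n' "$SAMPLE_NONE"    | parse_staple   # none
# Live check (needs network):  check_staple example.com
```

A third-party scanner saying "OCSP enabled" usually only means the certificate carries an OCSP URL; `check_staple` tells you whether this server is actually sending the response in the handshake, which is the thing stapling is about.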
1 vote, 1 answer

IIS OCSP stapling - no response

I have a certificate that is configured in IIS on Windows Server 2012 with ocsp_uri. When I test the server for OCSP stapling there is no response: openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status OCSP response: no response…
1 vote, 1 answer

Adding OCSP and NDES into existing environment? What can be installed together?

Currently have one offline CA and one Sub Issuing CA that just has the Web Enrollment installed. Looking at also implementing NDES and OCSP. I know the web enrollment can be installed on the Issuing CA as I have it, but what is the best way to…
MikeS
1 vote, 1 answer

How do I set up an OCSP responder for multiple CA certificates?

I want to have one OCSP responder for more than one intermediate CA issuer with OpenSSL. How would I do this? All the examples I see respond only for one issuer certificate and one OCSP signing certificate issued by that CA. How would I respond…
Vacation9
1 vote, 1 answer

Free OCSP server

I can't have OCSP with my current OS licensing (2008 R2 Standard) but I need this option. I'm hoping to avoid shelling out an additional $2300. Are there any open source products that could act as an OCSP responder for my existing internal…
Tim Brigham
1 vote, 1 answer

Considerations for certificate revocation for intermittently isolated ad-hoc networks

I'm trying to decide on a certificate revocation strategy for a solution I'm designing (that will utilize Dogtag PKI, per customer request). The obvious choices seem to be using a CRL or using OCSP. I'm trying to understand the practical…
G__
1 vote, 1 answer

Nginx revoked Intermediate-CA from Root-CA

The certificates are as given below: Root-CA -> Intermediate-CA -> Server. If I revoke the Intermediate-CA from the Root-CA then the Server certificate will automatically be revoked along with the Intermediate-CA. Now, after revoking the Intermediate-CA the Firefox…
soup
1 vote, 1 answer

How to setup the OCSP responder

I have generated the certificates as given below: Root-CA -> Intermediate-CA -> Server Root-CA: rootca.key rootca.crt Intermediate-CA: intermediateca.key intermediateca.crt Server: server.key server.crt My openssl.conf for Server: […
Nacho Taki
1 vote, 0 answers

Nginx OCSP Stapling is Not Working

I have generated the certificates as given below: Root-CA -> Intermediate-CA -> Server Root-CA: rootca.key rootca.crt Intermediate-CA: intermediateca.key intermediateca.crt Server: server.key server.crt My openssl.conf for Server: […
Nacho Taki
1 vote, 0 answers

Windows: CertUtil "Error => Pending OCSP response download"

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command CertUtil -downloadOcsp .\certs .\ocsp_responses downloadonce A single p7b certificate is in the certs directory. I read the log of…
Charlweed
1 vote, 1 answer

Windows: How can I diagnose certificate revocation check failure, when I know the OK response is sent?

TL;DR: How do I discover what is wrong with an OCSP response on Windows? I am trying to install a new certificate on an on-premises Exchange Server 2019, but Exchange always reports that the new certificate fails the revocation check and will not use it.…
Charlweed
1 vote, 1 answer

OCSP setup for Vault

I have a Vault setup running in a container for the PKI Secrets Engine and would like to add OCSP support so an application can check that a certificate is not revoked. I didn't find any explanation of how to set up OCSP for Vault, and also no clear information in any…
roy
0 votes, 1 answer

OCSP client certificate validation

For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific endpoints in this API, I want to protect the endpoints…
Roel
0 votes, 1 answer

Why am I unable to make OCSP Stapling work with my nginx, libressl on FreeBSD 12.0-STABLE setup?

After hours of trying I have to get help for my issue. I am trying to get OCSP stapling to work with my setup, but am not successful in doing so. Here is my nginx configuration, without any non-relevant bits. user www www; worker_processes…
Cubox
0 votes, 1 answer

Best approach to tier 2 PKI with multiple subordinates with ADCS

I'm looking for some guidelines toward the best approach to setting up a Tier 2 PKI with ADCS that has 2 subordinate CAs for high availability. I have the following questions regarding this: Is clustering the subordinates the best approach if I…