Questions tagged [ocsp]

Online Certificate Status Protocol (OCSP) is a protocol used to validate X.509 certificates in a PKI system. Most OCSP implementations ingest certificate revocation lists (CRLs) from Certificate Authorities (CAs), create an internally signed database called a proof set, and then produce OCSP responses using the proofs.

67 questions
0 votes, 1 answer

How to build an OCSP certificate chain for dual-stack RSA + ECC certificates

Nginx lets us use multiple certificates so that we can use both ECC and RSA certificates ssl_certificate /etc/ssl/example.com.combined.crt; ssl_certificate_key /etc/ssl/example.com.key; ssl_certificate…
Synchro
0 votes, 1 answer

StrongswanPKI - Adding status_request or MustStaple TLS extension to certificate?

Using the PKI tool from strongswan to set up a CA. Trying to set up the OCSP side of things, I have run into many issues as per another thread I posted (Strongswan PKI - ED25519 Certifcates - OCSP Responder having issues). Now I am looking at how to add…
0 votes, 0 answers

What happens when a CN or Alternative Name in a SAN or UCC ssl certificate no longer resolves to the server?

What happens when a CN or Alternative Name in a SAN or UCC ssl certificate no longer resolves to the server? Are there any problems that can arise from this? The question is general but the specific environment I'm interested in is Linux for web…
Craig
0 votes, 1 answer

OCSP Stapling for Thawte certificates does not work

OCSP Stapling does not work for Thawte certificates on Nginx, what could be the problem? Configured Nginx to work with OCSP Stapling. ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /ssl/ssl_trusted_certificate.crt; The…
0 votes, 2 answers

How to Configure Windows Certificate Services not to use AIA and CRL when issuing Certificates

I have a Windows Certificate Service installed on a Windows Server 2008 R2 VM, and what I need to do is to modify certificates NOT to use AIA and CRL, but to ONLY use OCSP Responder. The OCSP is installed on another VM also running Windows Server…
Andy5
0 votes, 1 answer

Remove specified OCSP responder from certificate

OCSP is brain-damaged and a privacy violation. Is there a way I can remove the specified OCSP responder from a certificate file to prevent my site's visitors from having to suffer it? From what I understand, OCSP stapling would be great if it had…
Boann
0 votes, 1 answer

Does IIS 6.0 Log CRL Checks?

I am adding a 3rd party OCSP responder (Tumbleweed) plugin to IIS 6.0/Windows. I have the 3rd party tool configured to check the revocation status and would like to assert that IIS is not making a duplicate check. Is there a log (other than the IIS…
Kevin
0 votes, 1 answer

Cannot enable OCSP stapling

Windows Server 2022 Apache x64 2.4.57 OpenSSL 3.0.8 My Apache SSL conf has this: SSLUseStapling On SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)" SSLStaplingStandardCacheTimeout 3600 SSLStaplingErrorCacheTimeout 600 But…
MonkeyZeus
0 votes, 0 answers

Certificate revocation on IIS (CRL and OCSP)

I need to figure out how certificate revocation works on IIS. The certificate we are working with contains URLs for both CRL and OCSP. As I understand it, by default IIS uses CRL to verify whether a certificate is revoked, is that right? If it's true - can I just…
Ash
0 votes, 0 answers

nftables and OCSP stapling

My Apache error log shows: AH01972: could not resolve address of OCSP responder ocsp.usertrust.com The main reason is that my server's nftables blocks any requests to the Internet. In my opinion a web server should not initiate any connections to the…
gorek
0 votes, 1 answer

SSL stapling and variable SSL certificates in NGINX

I have several domains, all of which are served by the same NGINX instance. I am trying to set up a generic server configuration for HTTPS, such that every domain uses its own certificate and has SSL stapling enabled. These settings as defined in…
0 votes, 1 answer

Nginx config file needs to be configured

I have generated the certificates as given below: Root-CA -> Intermediate-CA -> Server Root-CA: rootca.key rootca.crt rootca.crl Intermediate-CA: intermediateca.key intermediateca.crt intermediateca.crl Server: server.key server.crt Here,…
soup
0 votes, 0 answers

My server has been physically moved to a new rack with a new IP address, and now I'm getting OCSP errors? Could it be an IPv6 thing maybe?

I'm pretty sure SSL certificates are almost always tied to a domain name rather than an IP address. And the vast majority of my traffic is unaffected, generally things are working well. However, my php error log is now full of a lot of this…
Codemonkey
0 votes, 1 answer

How does OCSP handle deleted certificates?

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via an MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web…
0 votes, 1 answer

Check OCSP on Linux with GET method

I want to verify operation of Microsoft OCSP server from Linux. I tried using OpenSSL, but it always returns: Error querying OCSP responder 140643157128320:error:27076072:OCSP routines:parse_http_line1:server response…
StanTastic