Questions tagged [ocsp]
Online Certificate Status Protocol (OCSP) is a protocol used to validate X.509 certificates in a PKI. Most OCSP implementations ingest certificate revocation lists (CRLs) from Certificate Authorities (CAs), build an internally signed database called a proof set, and then produce OCSP responses from those proofs.
66 questions
0 votes | 0 answers | 102 views
Apache 2.4: How to disable OCSP?
I am running Apache 2.4 on Windows with a Let's Encrypt certificate. Now, in July this year, Let's Encrypt announced its intention to remove its OCSP service. I am using mod_md and the http-01 challenge for ...
0 votes | 1 answer | 595 views
Cannot enable OCSP stapling
Windows Server 2022
Apache x64 2.4.57
OpenSSL 3.0.8
My Apache SSL conf has this:
SSLUseStapling On
SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)"
...
1 vote | 1 answer | 119 views
nftables and OCSP stapling
My apache error log shows:
AH01972: could not resolve address of OCSP responder ocsp.usertrust.com
Main reason is my server's nftables blocks any requests to the Internet.
In my opinion web server ...
0 votes | 1 answer | 578 views
SSL stapling and variable SSL certificates in NGINX
I have several domains, all of which are served by the same NGINX instance. I am trying to set up a generic server configuration for HTTPS, such that every domain uses its own certificate and has SSL ...
1 vote | 1 answer | 207 views
Nginx revoked Intermediate-CA from Root-CA
The certificates as given below:
Root-CA -> Intermediate-CA -> Server
If I revoke Intermediate-CA from Root-CA, then will the Server certificate be automatically revoked along with the Intermediate-...
4 votes | 1 answer | 2k views
Revoked certificate is still treated as valid by Google Chrome and Microsoft Edge
I have generated a self-signed certificate, Root-CA, signed by Root-CA.
Then Intermediate-CA, signed by Root-CA, and Server, signed by Intermediate-CA.
The certificates as given below:
Root-CA -> ...
0 votes | 1 answer | 1k views
Nginx config file needs to be configured
I have generated the certificates as given below:
Root-CA -> Intermediate-CA -> Server
Root-CA:
rootca.key
rootca.crt
rootca.crl
Intermediate-CA:
intermediateca.key
intermediateca.crt
...
1 vote | 1 answer | 3k views
How to set up the OCSP responder
I have generated the certificates as given below:
Root-CA -> Intermediate-CA -> Server
Root-CA:
rootca.key
rootca.crt
Intermediate-CA:
intermediateca.key
intermediateca.crt
Server:
server....
1 vote | 0 answers | 922 views
Nginx OCSP Stapling is Not Working
I have generated the certificates as given below:
Root-CA -> Intermediate-CA -> Server
Root-CA:
rootca.key
rootca.crt
Intermediate-CA:
intermediateca.key
intermediateca.crt
Server:
server....
0 votes | 0 answers | 243 views
My server has been physically moved to a new rack with a new IP address, and now I'm getting OCSP errors? Could it be an IPv6 thing maybe?
I'm pretty sure SSL certificates are almost always tied to a domain name rather than an IP address. And the vast majority of my traffic is unaffected, generally things are working well.
However, my ...
0 votes | 1 answer | 378 views
How does OCSP handle deleted certificates?
We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via an MDM. The Android device users browse to a web application (hosted by ...
0 votes | 1 answer | 1k views
Check OCSP on Linux with GET method
I want to verify operation of Microsoft OCSP server from Linux. I tried using OpenSSL, but it always returns:
Error querying OCSP responder 140643157128320:error:27076072:OCSP routines:...
1 vote | 0 answers | 357 views
Windows: CertUtil "Error => Pending OCSP response download"
I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command
CertUtil -downloadOcsp .\certs .\ocsp_responses downloadonce
A single p7b ...
1 vote | 1 answer | 5k views
Windows: How can I diagnose certificate revocation check failure, when I know the OK response is sent?
TL;DR: How do I discover what is wrong with an OCSP response on Windows?
I am trying to install a new certificate on an on-premises Exchange Server 2019. But Exchange always reports that the new certificate ...
0 votes | 0 answers | 536 views
nginx: Rerouting/proxying OCSP requests to a different backend
I'd like to filter/reroute OCSP traffic from regular HTTP traffic to a different back-end. Reviewing Network Analyses of OCSP protocol, if the OCSP request is via POST, I can filter on Content-Type: ...
0 votes | 0 answers | 609 views
OCSP responder on a virtual host of Apache/Nginx
Is it possible to run an OCSP responder (openssl ocsp -index ...) on an Apache/Nginx virtual host alongside other virtual hosts? So ocsp.example.com or pki.example.com/ocsp/
2 votes | 2 answers | 3k views
OCSP setup for Vault
I have a Vault setup running in a container for the PKI Secrets Engine and would like to add OCSP support so that applications can check whether a certificate is revoked. I didn't find any explanation on how to set up ...
0 votes | 2 answers | 1k views
How to check if a letsencrypt certificate has been revoked
I am trying to check if a certificate issued by letsencrypt has been revoked based on this answer:
openssl ocsp -issuer highschoolhelper.org_fullchain.crt -cert highschoolhelper.org_fullchain.crt \...
0 votes | 1 answer | 591 views
Apache httpd: How to enable OCSP stapling with mod_md?
I want to enable OCSP stapling with mod_md on my Debian 10 server with Apache httpd. I have enabled the module, and the command MDomain example.org is understood, but the example
<MDomain mydomain....
1 vote | 1 answer | 588 views
ADCS PKI - AIA Location when using OCSP
My question is whether or not I still need to configure the following AIA location on my subordinate CA when I'm using OCSP:
http://SERVERFQN/DIRECTORY/<Serverdnsname>_<Caname><...
1 vote | 1 answer | 2k views
"Next Update" is missing from the OCSP response
Overall
I am experimenting to set up a private PKI by using OpenSSL on a box of CentOS 7. Everything works just fine except the issue that the "Next Update" line is missing from the OCSP response.
...
2 votes | 1 answer | 7k views
OCSP Location error in pkiview.msc. But OCSP responders seem to work
I am currently setting up a new internal Windows PKI infrastructure in our organisation, to replace an old setup.
Things are mostly fine, but the OCSP location has the status "Error" in the pkiview ...
0 votes | 1 answer | 880 views
OCSP client certificate validation
For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific ...
0 votes | 1 answer | 2k views
Why am I unable to make OCSP Stapling work with my nginx, libressl on FreeBSD 12.0-STABLE setup?
After hours of trying I have to get help for my issue.
I am trying to get OCSP stapling to work with my setup, but am not successful in doing so.
Here is my nginx configuration, without any non-...
0 votes | 1 answer | 4k views
Best approach to tier 2 PKI with multiple subordinates with ADCS
I'm looking for some guidelines toward the best approach to setting up a Tier 2 PKI with ADCS that has 2 subordinate CAs for high availability. I have the following questions regarding this:
Is ...
2 votes | 1 answer | 1k views
Using Apache as Stunnel
I was using stunnel to make an http port into https. However, it doesn't support OCSP stapling, so I decided to use Apache reverse proxy instead. The service I want to make https is on 7231, so I ...
0 votes | 1 answer | 781 views
How to build an OCSP certificate chain for dual-stack RSA + ECC certificates
Nginx lets us use multiple certificates, so that we can use both ECC and RSA certificates:
ssl_certificate /etc/ssl/example.com.combined.crt;
ssl_certificate_key /etc/ssl/example.com.key;
...
0 votes | 1 answer | 478 views
Strongswan PKI - Adding status_request or MustStaple TLS extension to certificate?
Using the PKI tool from strongswan to set up a CA.
Trying to set up the OCSP side of things, I have run into many issues, as per another thread I posted (Strongswan PKI - ED25519 Certificates - OCSP Responder ...
1 vote | 1 answer | 848 views
Strongswan PKI - ED25519 Certificates - OCSP Responder having issues
I am trying to set up OCSP for the certificates generated out of strongswan PKI, using it as a CA. If I try to use openssl it just throws out
Can't open index.txt.attr for reading, No such file or ...
1 vote | 1 answer | 1k views
nginx OCSP stapling, CentOS, Let's Encrypt
On CentOS, but I guess it is the same for every OS, I want to make OCSP stapling work in Nginx:
ssl_stapling on;
ssl_trusted_certificate ??????;
ssl_stapling_verify on;
what do I define for ...
0 votes | 0 answers | 161 views
What happens when a CN or Alternative Name in a SAN or UCC ssl certificate no longer resolves to the server?
What happens when a CN or Alternative Name in a SAN or UCC ssl certificate no longer resolves to the server?
Are there any problems that can arise from this?
The question is general but the ...
1 vote | 1 answer | 2k views
OCSP verification fails in Strongswan (IKEv2)
I've managed to set up an IPsec connection between two (virtual) hosts in transport mode and now I want the server to validate the client's certificate with OCSP. In a third host, I've run an OCSP ...
4 votes | 0 answers | 7k views
OCSP responder timed out while requesting certificate status
I'm intermittently seeing errors such as the following in my nginx error logs:
OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.comodoca.com
...
5 votes | 1 answer | 14k views
Online Certificate Status Protocol (OCSP) and Port 80
I had used OCSP stapling in AWS in the past; due to changes on AWS they no longer allow this. This has resulted in having to open a firewall rule to allow outbound HTTP traffic for OCSP from client ...
0 votes | 1 answer | 365 views
OCSP Stapling for Thawte certificates does not work
OCSP Stapling does not work for Thawte certificates on Nginx, what could be the problem?
Configured Nginx to work with OCSP Stapling.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ...
14 votes | 2 answers | 15k views
nginx: ssl_stapling_verify: What exactly is being verified?
What exactly does the ssl_stapling_verify directive do? Does it check whether the signature of the answer is correct? The official nginx documentation is very vague in explaining this:
https://nginx.org/en/...
10 votes | 1 answer | 5k views
Do Postfix and Dovecot support OCSP stapling?
Since I would like to set the "must staple" attribute in my SSL certificates, I was doing some research to find out if all of my services support OCSP stapling. So far I found out that Apache does ...
6 votes | 1 answer | 3k views
Can I make Nginx automatically OCSP staple certificates at reload/restart?
Is there a way to make Nginx proactively OCSP staple certificates each time its configuration is reloaded or it is re-started? Alternatively, can Nginx be set to save the stapled certificates across ...
3 votes | 1 answer | 4k views
OCSP with nginx is unable to get issuer certificate
I am having trouble setting up OCSP on nginx/1.6.2 with a certificate issued by GlobalSign. I read many related posts, but none of the solutions I've found worked. When I connect to the server, OCSP ...
7 votes | 2 answers | 9k views
Enabling OCSP stapling on IIS SNI-enabled site
If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.
This is easily confirmed by enabling SNI for a site that currently doesn't require ...
2 votes | 0 answers | 224 views
Trust certificate for OCSP, but not for client certs?
According to the nginx docs, you can specify certificates to be trusted for both OCSP response and client certificate verification:
ssl_trusted_certificate / ssl_client_certificate
Specifies a ...
-2 votes | 1 answer | 588 views
Configuring OCSP stapling in NGINX
Should I concatenate all certificates (server + intermediates + root) or just (server + intermediates) for the ssl_trusted_certificate directive in NGINX?
1 vote | 1 answer | 150 views
OCSP Stapling on LAMP with Let's Encrypt
How do I verify if OCSP Stapling works correctly?
Setup: LAMP with Let's Encrypt, test domain https://pavelstriz.cz/
The High-Tech Bridge result says OCSP is enabled.
Is this enough for me to believe ...
6 votes | 2 answers | 3k views
Nginx letsencrypt OCSP stapling
I have set up nginx with SSL and letsencrypt certificates. However, I am unable to get OCSP stapling to work.
From what I found in the web, it should work with the following configuration, ...
2 votes | 2 answers | 1k views
Nginx, SSL and OCSP
I have a problem. When I open my website with https, I see an error message in my error.log:
2015/11/03 19:47:21 [error] 7799#0: recv() failed (111: Connection refused) while requesting certificate ...
3 votes | 1 answer | 4k views
OCSP ERROR in ssllabs output
I just renewed my certificate on https://wemarsh.com/ . After I thought I had everything working I did some online SSL tests, just as a routine check that everything is configured properly. Some of ...
5 votes | 2 answers | 6k views
OCSP server suggests trying again later
I am using Firefox to access my site secured with a free StartSSL certificate. I am sending an HSTS header (though now for testing I have it set to 15 seconds!) and I have enabled OCSP stapling.
...
13 votes | 1 answer | 8k views
OCSP responder not present?
I am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. I found excellent tutorials, for example OpenSSL: Manually verify a certificate against an OCSP....
1 vote | 1 answer | 2k views
IIS OCSP stapling - no response
I have a certificate that is configured in IIS on Windows Server 2012 with ocsp_uri.
When I test the server for OCSP stapling there is no response:
openssl s_client -connect example.com:443 -tls1 -...
-1 votes | 1 answer | 347 views
Problem with TLS identity not verified
I run a CA server ("Microsoft CA Server Enterprise"), generate certificates, and then bind the cert to my site. On all clients in my network, I add the cert with
certutil -addstore ca org.cer
When my ...