Contents
How do you run OCSP?
Solution
- Locate the OCSP Response Signing Certificate > Properties.
- Security Tab > Add in the server that will be hosting the OCSP service, (I always use the same server that’s serving my CRL).
- Grant the server read and enroll rights > Apply > OK.
- Then issue the OCSP Responder Template.
What is OCSP responder certificate?
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X. 509 digital certificate. The “request/response” nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers use OCSP to validate HTTPS certificates.
How to check a certificate against an OCSP?
We can retreive this with the following openssl command: Save this output to a file, for example, wikipedia.pem: Now, check if this certificate has an OCSP URI: If it does not give any output, the certificate has no OCSP URI. You cannot valdiate it against an OCSP.
How to enable OCSP stapling on your server?
For information about using OCSP stapling to enhance the OCSP protocol, see Enable OCSP Stapling on Your Server . In the address bar of the browser, to the right of the address, click the lock and then click View certificates . In the Certificate window, click Details, and then, in the Show drop-down list select Extensions Only .
Why do we use OCSP instead of CRLs?
OCSP offers greater efficiencies over CRLs for larger deployments. OCSP servers consume CRLs in order to provide an indication of whether the certificate was revoked – in this model the OCSP must refresh the CRL on a schedule to ensure it is providing up to date revocation information.
What does OCSP do to a network host?
OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information. Consider sponsoring me on Github. It means the world to me if you show your appreciation and you’ll help pay the server costs.