1

I have vault setup running in container for PKI Secrets Engine and would like to add OCSP support for application to check if certificate is not revoked. I didn’t find any explanation on how to setup OCSP for vault also not clear information in any of the blogs.

In my setup I have configure following for CRL

vault write pki/config/urls \
        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

But nothing beyond this for OCSP

Do I need to setup separate service for OSCP or Vault can handle this itself ?

Any help on this to understand OCSP for Vault would be appreciated ?

roy
  • 119
  • 1
  • 2
  • 12

1 Answers1

3

OCSP responder are not handled by Vault. The best you can do is set the URL to some custom OCSP responder calling Vault on the client's behalf with the ocsp_servers parameter in the same API call:

vault write pki/config/urls \
        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl" \
        ocsp_servers="http://127.0.0.1:8200/v1/pki/ocsp"

These URL are the URL that will be in the certificate. It must make sense for the client, not Vault. In other words, using 127.0.0.1 will never work elsewhere than on your laptop.

Also keep in mind that CRL and OCSP must be accessible over http, not https. In a production configuration, you will/should have Vault reachable over HTTPS only. You might have to put a reverse proxy in front of Vault to offer the CRL and OCSP endpoint.

vault write pki/config/urls \
   issuing_certificates="http://vault.example.com/v1/pki/ca" \
   crl_distribution_points="http://vault.example.com/v1/pki/crl" \
   ocsp_servers="http://vault.example.com/my-custom/ocsp-responder"
ixe013
  • 928
  • 2
  • 7
  • 25