Online Certificate Status Protocol (OCSP) is a protocol used for validation of x509 certificates in a PKI system. Most OCSP implementations ingest certificate revocation lists (CRLs) from Certificate Authorities (CAs), create an internally signed database called a proof set, and then produce OCSP using the proofs.
Questions tagged [ocsp]
63 questions
27
votes
4 answers
How do I check if my SSL certificates have been revoked
The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.
I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to…
sridhar pandurangiah
- 743
- 2
- 11
- 28
27
votes
1 answer
OpenSSL: how to setup an OCSP server for checking third-party certificates?
I am testing the Certificate Revocation functionality of a CMTS device. This requires me to setup a OCSP responder. Since it will only be used for testing I assume that the minimal implementation provided by OpenSSL should suffice.
I have extracted…
StackedCrooked
- 1,317
- 2
- 13
- 22
17
votes
2 answers
OCSP validation - unable to get local issuer certificate
I'm new to setup SSL from the scratch and did my first steps. I bought a SSL cert from RapidSSL for my domain and followed there steps to install the cert.
In general the cert is valid and working on my webserver(nginx v1.4.6 - Ubuntu 14.04.1 LTS),…
kapale
- 405
- 1
- 3
- 8
16
votes
2 answers
Free OCSP server for testing purposes?
Can anyone recommend a free and simple OCSP server for Windows or Linux?
StackedCrooked
- 1,317
- 2
- 13
- 22
13
votes
2 answers
nginx: ssl_stapling_verify: What exactly is being verified?
What exactly does the ssl_stapling_verify directive? Does it check if the signature of the answer is correct? The official nginx documentation is very vague in explaining…
Bratwurstmobil
- 133
- 1
- 5
13
votes
1 answer
OCSP responder not present?
Am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. Found excellent tutorials at for example OpenSSL: Manually verify a certificate against an OCSP.
Multiple questions arise, so please bear with…
Robert Weaver
- 231
- 2
- 3
10
votes
1 answer
Do Postfix and Dovecot support OCSP stapling?
Since I would like to set the "must staple" attribute in my SSL certificates, I was doing some research to find out if all of my services support OCSP stapling. So far I found out, that Apache does which I was able to confirm using SSLLabs.com.
But…
comfreak
- 1,451
- 1
- 21
- 32
7
votes
2 answers
Enabling OCSP stapling on IIS SNI-enabled site
If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.
This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using…
franzo
- 223
- 3
- 8
6
votes
1 answer
Can I make Nginx automatically OCSP staple certificates at reload/restart?
Is there a way to make Nginx proactively OCSP staple certificates each time its configuration is reloaded or it is re-started? Alternatively, can Nginx be set to save the stapled certificates across reloads or restarts instead of discarding them?…
Tom Brossman
- 301
- 3
- 12
6
votes
2 answers
Nginx letsencrypt OCSP stappling
I have set up nginx with SSL and letsencrypt certificates. However I am unable to get OCSP stappling to work.
From what I found in the web, it should work with the following configuration, unfortunately it does not. My nginx vhost looks like…
lockdoc
- 241
- 3
- 8
6
votes
1 answer
Are there certain specific host file entries that Windows 2008 will ignore for security purposes?
While troubleshooting a network timeout/connectivity WinHTTP issue, I temporarily added a host file entry for:
127.0.0.1 ctldl.windowsupdate.com
(The server has no internet connection and the firewall was causing some extended timeouts -- I wanted…
Mike B
- 11,570
- 42
- 106
- 165
6
votes
1 answer
How large is the certificate OCSP and CRL cache in my Windows server?
How can I see the size of the in-memory OCSP cache to a CRL cache in my Domain Controllers?
In other words, most Windows process that uses CryptoAPIs have an in-memory cache of every CRL and OCSP relevant for that application. This is important…
makerofthings7
- 8,821
- 28
- 115
- 196
5
votes
1 answer
Online Certificate Status Protocol (OCSP) and Port 80
I had used OCSP stapling in AWS in the past, due to changes on AWS they no longer allow this. This has resulted in having to open a firewall rule to allow outbound HTTP traffic for OCSP from client devices.
For us opening port 80 is not allowed…
Lismore
- 153
- 1
- 1
- 4
5
votes
2 answers
OCSP server suggests trying again later
I am using Firefox to access my site secured with a free StartSSL certificate. I am sending an HSTS header (though now for testing I have it set to 15 seconds!) and I have enabled OCSP stapling.
Yesterday and this morning StartSSL's OCSP responder…
BenjiWiebe
- 277
- 3
- 13
5
votes
1 answer
How to get OpenSSH to use OCSP for revocation
As the title says, is there any (free) library, patch, etc. that allows OpenSSH to be configured to check x.509 certificate revocation via OCSP (online certificate status protocol)? If so, can you please point me to documentation and/or a download…
Laplacian
- 151
- 4