Collaborate Disseminate
I have a PEM file that encodes a site’s leaf certificate. I’d like to check it hasn’t been revoked by querying the relevant OCSP server but I don’t know which URL to use.
How can I extract the OCSP URL from the certificate?
… Continue reading How can I figure out which OCSP URL should be used for a certificate with OpenSSL?
My primitive understanding of OCSP is that:
Assertions are signed by the CA and valid for a short period.
Stapling refers to the practice of pushing the OCSP request work onto the webserver, and then caching the (CA signed)… Continue reading Should webservers staple unsuccessful OCSP responses?
Background: I’m designing a system that relies on certificates where I run my own root CA. As devices may get compromised, I need an option to revoke certificates. I’m currently evaluating whether to use CRLs or OCSP. Both do… Continue reading Recover from OCSP host compromise
im doing a research about Cyber Security future and i have been wondering , A lot of people are recommending CISSP certificate because its the most demanded cert. in the Cyber Security field today , but also , OSCP certificat… Continue reading CISSP vs OSCP vs GIAC (GPEN)? [on hold]
How to generate CSR with OCSP Must Staple extension via OpenSSL ?
How to generate CSR with OCSP Must Staple extension via OpenSSL ?
I am currently defining a PKI for code signing certificates on an embedded device (without internet connection). I define the behavior of the certificate issuer(FW release authority) as well as the FW code which will authenti… Continue reading What’s the common strategy for issuing OCSP requests
My question is about this image. Suppose that client is Alice and Server is Bob.
So, basically, I’m trying to setup a scenario… I have a remote Server (Bob) that has an https website. I make: openssl s_client -connect … Continue reading OCSP doubts about CA and OCSP Responder
I have successfully operating OpenSSL OCSP responder with this hierarchy:
RootCA > OCSP responder (signed by RootCA).
I have deployed a trustpoint (named RootCA) into the ASA with RootCA public key. So I expect that ASA will be trust to OCSP, because it’s trusts to RootCA which signed OCSP sign key. But seems it is not. Due to VPN client connection I have
CRYPTO_PKI: Blocking chain callback called for OCSP response <…> status: 2
debug message, which indicating a problem with certificate signer, according to BRKSEC-3053
https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf
So, I did import the OCSP key into separate trustpoint (named OCSP) and did create a certificate map with overriding OCSP rule. The revocation check hierarchy now looks like this:
VPN client > RootCA > certificate map > OCSP responder.
With that scheme, the OCSP responces are trusted and revocation check completed successfully.
My questions are:
Thank you!
I have successfully operating OpenSSL OCSP responder with this hierarchy:
RootCA > OCSP responder (signed by RootCA).
I have deployed a trustpoint (named RootCA) into the ASA with RootCA public key. So I expect that ASA will be trust to OCSP, because it’s trusts to RootCA which signed OCSP sign key. But seems it is not. Due to VPN client connection I have
CRYPTO_PKI: Blocking chain callback called for OCSP response <…> status: 2
debug message, which indicating a problem with certificate signer, according to BRKSEC-3053
https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf
So, I did import the OCSP key into separate trustpoint (named OCSP) and did create a certificate map with overriding OCSP rule. The revocation check hierarchy now looks like this:
VPN client > RootCA > certificate map > OCSP responder.
With that scheme, the OCSP responces are trusted and revocation check completed successfully.
My questions are:
Thank you!