česky | english


OCSP Responder

CAcert has setup and operates an OpenCA OCSP Responder. All the certificates that were issued after 2005-05-16 should have the OCSP Service URL automatically included, and your OCSP client should check periodically for certificate status. The OCSP responder issues signed responses over http, (the OCSP address is not a normal website and you can only connected to it with an OCSP client, such as OpenSSL) once your client is setup you can tell it to connect to http://ocsp.cacert.org or http://ocsp.cacert.org:2560. To activate OCSP in firefox use the below settings.

Enabling OCSP in Firefox:

  1. Click on the Edit menu, then select Preferences.
  2. After the Preferences window appears, select Advanced.
  3. Scroll down until you get to the Validation section, OCSP will be the last option.
  4. By default "Do not use OCSP for certificate Validation" is selected. Change to the second option, "Use OCSP to validate only certificates that specify an OCSP service URL".
  5. Click OK to close the Options window.

In Firfox v2.0.0.14 for OCSP, goto Firefox > Tools > Options > Advanced > Encryption > Verification > select "Use OCSP to validate only certificates that specify an OCSP service URL" > Ok > Ok.

To enable/use OCSP in Thunderbird v2.0.0.14 > Tools > Options > Advanced > Certificates > Verification > select "Use OCSP to validate only certificates that specify an OCSP service URL" > Ok > Ok.

We run our OCSP Responder on port 2560 (OpenCA default), however the following Apache configuration allows us to also make this available as a vhost in Apache on Port 80, which will be important for anyone stuck behind a firewall and unable to connect to ports other then 80 or 443.

<VirtualHost x.x.x.x:80>
ServerName ocsp.cacert.org
DocumentRoot /dev/null
RewriteEngine on
RewriteCond %{CONTENT_TYPE} !^application/ocsp-request$
RewriteRule ^/(.*) http://localhost:2560/ [P]
CustomLog /var/log/apache/ocsp.cacert.org-access.log combined
ErrorLog /var/log/apache/ocsp.cacert.org-error.log
</VirtualHost>

We issue certificiates with the OCSP Responder URI address listed as http://ocsp.cacert.org. We plan to distributed servers around the world via round-robin DNS. If/when load or bandwidth become a problem in the future, we can simply add more OCSP responders in a similar fashion as adding secondary name servers (DNS), and it would seem things could be made highly distributed quite easily with our current configuration.

Due to the threat model used in developing the RFC for OCSP, high availability will be a key issue in running/maintaining OCSP services, as any clients with OCSP turned on will fail to connect to any certificate that it can't get a valid OCSP response for. As far as I'm aware mozilla products currently do not have any form of OCSP caching, so reading signed/encrypted email on a plane in ThunderBird could be difficult at this point in time. Microsoft is apparently developing an OCSP client for it's next version of Windows/MSIE that apparently does some caching, although it will be interesting to see how well this works.

RFC Compliance

The publically available versions of OpenCA´s OCSPD are not fully RFC compliant for hosting serveral root certificates, so we are currently using a pre-release version of OCSPD that is fully RFC compliant.

How to test it?

http://svn.cacert.org/CAcert/Software/OcspTest-1.2.tar.bz2 This is a simple test program that can be used to test the functionality and availability of CAcert´s OCSP responder. It currently tries both class1 and class3 certificates.

How to manually verify a certificate?

If your browser/mailer refuses to work acceptably with OCSP you can ust the openssl tool (see http://www.openssl.org) to verify a certificate with a specific serial number:

openssl ocsp -issuer CAcert_class1.pem -serial 0x<serial no in hex> -host ocsp.cacert.org:80 -CAfile cacert_both.pem

The file named in -issuer must contain the CA certificate that issued the certificate in question (CAcert class 1 or 3), the file in -CAfile should contain both CAcert root certificates (and maybe other trusted CA's).

See also http://www.openssl.org/docs/apps/ocsp.html

Other info

SystemAdministration team are responsible for the OCSP Responders. Here is the OCSP Procedure for running a responder.


OcspResponder (last edited 2015-03-17 21:09:48 by EtienneRuedin)