For the latest version, please use Certificate Lifecycle Manager 5.0.2!
OCSP & HTTP CRLs
Endpoints
OCSP Responder
The Revocation Info Server (RIS) offers OCSP responder functionality. It uses MTG-CARA to process OCSP requests. The RIS can only answer OCSP requests for certificates issued by a given CA certificate if an OCSP configuration exists for that CA certificate. OCSP configurations are created in the CARA Admin frontend.
The OCSP responder URL of the RIS is as follows:
http://<BASE_URL>/ocsp
The placeholder <BASE_URL> has to be replaced by the name of the server on which RIS was installed and started. If a context path different from the default cara-revocation-info-server is chosen for an ExecutableJAR installation, the URL must be modified accordingly.
For example, the OCSP responder functionality of the CARA Revocation-Info-Server can be tested using OpenSSL:
openssl ocsp -issuer <issuer-cert-file> -serial <serialNumber> -text -url http://<BASE_URL>/ocsp
The placeholder <issuer-cert-file> must be replaced with the path to the file containing the issuer CA certificate, and the placeholder <serialNumber> with the serial number of the certificate for which the OCSP request is made (OpenSSL interprets the value as decimal unless it is prefixed with 0x for hexadecimal). As a prerequisite, the issuer must already have issued a certificate.
Note that the command above only verifies the signature on the response if the CA certificate is already trusted by OpenSSL's default store. Pass the CA certificate (or chain) with -CAfile so that OpenSSL reports "Response verify OK" instead of "Response Verify Failure"; a certificate status taken from an unverified response must not be relied upon.
CRL Distribution Point
The RIS can be used to distribute revocation lists. It retrieves the revocation lists from MTG-CARA and makes them available for HTTP download.
The revocation list for a CA certificate can only be retrieved if a revocation list configuration exists for that CA certificate. The name of the revocation list configuration must be known, as it is part of the CRL-DP URL; it should preferably not contain any special characters. If it does, those characters must be URL-encoded (percent-encoded) in the URL. Both complete and delta revocation lists can be obtained from the CRL Distribution Point.
The CRL-DP URL is composed as follows:
http://<BASE_URL>/<Path>/[complete/delta]/<CRL config name>[.crl]
The placeholder <BASE_URL> must be replaced by the name of the server on which RIS was installed and started.
The placeholder <CRL config name> must be replaced by the name of the respective CRL configuration. The file extension .crl is optional; it can be either appended to or omitted from the URL. The name of the revocation list configuration itself must not contain the file extension.
For the placeholder <Path> the following values are possible; they are equivalent to each other. A revocation list is always available under all of these paths, individual paths cannot be disabled:
- named-crl
- crldp
- crldps
- crl
- crls
- revocation
- rev
The specification of the CRL type complete or delta is optional. If the latest complete revocation list for a CA certificate is to be downloaded, the CRL type complete can be omitted. However, if the most recent delta revocation list for a CA certificate is to be downloaded, the CRL type delta must be specified.
The HTTP download of the revocation list can be tested in the browser; the downloaded file can then be inspected with the openssl crl command to check its thisUpdate and nextUpdate fields and, for a delta list, the Delta CRL Indicator extension.
Publishing in LDAP
The RIS can also publish CRLs in an LDAP directory. This is done by specifying pairs of CRL configuration name and LDAP distinguished name in the configuration file, which define where the CRL of each configuration is written. The relevant parameters are as follows:
- ldap.host: Host name of the LDAP server to which the CRLs are written.
- ldap.port: Port of that LDAP server.
- ldap.rootDN: Root DN of the LDAP server under which the CRLs are stored.
- ldap.user: User of the LDAP server with which the connection is made.
- ldap.password: Password of that user.
- ldap.ssl.enabled: If set to true, the connection to LDAP is made over TLS. Default value is false. With the default, the bind password and the CRLs cross the network in the clear, so it should be set to true outside of test setups, with the LDAP server's CA certificate placed in trusted.certificates.directory.
- ldap.attribute.crl: LDAP attribute in which the CRLs are stored. Default value is certificateRevocationList;binary.
- ldap.crl.publications[i].configuration: Name of the CRL configuration in CARA whose CRL is published on the LDAP server. i is an integer index starting at 1, one entry per published configuration.
- ldap.crl.publications[i].dn: Distinguished name of the LDAP entry in which the CRL of the i-th configuration is stored.
- trusted.certificates.directory: Directory on the file system containing the certificates used to verify TLS connections.
Cache
Once a revocation list has been fetched from CARA, RIS stores it in a temporary cache with a limited lifetime. When the cache entry expires, RIS contacts CARA to fetch a new CRL; it also does so if the cached CRL itself has expired. If RIS is unable to reach CARA, it extends the cache lifetime and continues to serve clients with the cached CRL.
If CARA has to be shut down for maintenance, RIS is therefore still able to deliver CRLs to clients. The maintenance window should nevertheless be kept as short as possible: the cached CRL cannot be refreshed in the meantime, so revocations made during the outage are not reflected, and validators generally reject a CRL whose nextUpdate has passed, so serving a stale copy only helps while the CRL itself is still valid.
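The cache policy described above, traced through a deterministic scenario as an added illustration (this is not RIS code, and the lifetimes, the extension granted during an outage and the CRL validity are assumptions, since the page gives no values): a simulated clock drives a small file-based cache in front of a simulated CARA that can be marked unreachable, so that refresh on cache expiry, refresh on CRL expiry and serve-stale during an outage can each be observed.

```shell
#!/bin/sh
# Added illustration, not RIS code: the cache policy from the Cache section,
# driven by a simulated clock ($NOW) and a simulated CARA backend that can be
# marked unreachable ($CARA_DOWN). All durations are assumptions.
set -eu

LIFETIME=300       # assumed normal cache lifetime (seconds)
EXTENSION=60       # assumed extension granted while CARA is unreachable
CRL_VALIDITY=3600  # validity of each CRL the simulated CARA issues

# Simulated CARA: prints "<crl content>|<nextUpdate>" or fails when marked down.
# The fetch counter lives in a file because callers run this in a subshell.
cara_fetch() {
    [ "$CARA_DOWN" -eq 0 ] || return 1
    n=$(( $(cat "$CACHE/fetches") + 1 )); echo "$n" > "$CACHE/fetches"
    printf 'crl-%s|%s\n' "$n" "$((NOW + CRL_VALIDITY))"
}

# Serve the CRL for configuration $1 from the cache, refreshing it as RIS would.
crl_get() {
    name=$1; body="$CACHE/$name.crl"; meta="$CACHE/$name.meta"
    if [ -f "$meta" ]; then
        read -r expires next_update < "$meta"
        # Cache hit only while both the cache lifetime and the CRL itself are valid.
        if [ "$NOW" -lt "$expires" ] && [ "$NOW" -lt "$next_update" ]; then
            cat "$body"; return 0
        fi
    fi
    if fresh=$(cara_fetch "$name"); then
        printf '%s\n' "${fresh%|*}" > "$body"
        printf '%s %s\n' "$((NOW + LIFETIME))" "${fresh#*|}" > "$meta"
        cat "$body"; return 0
    fi
    # CARA unreachable: if a copy exists, extend its cache lifetime and serve it.
    # Clients will still reject it once its nextUpdate has passed.
    [ -f "$body" ] || return 1
    printf '%s %s\n' "$((NOW + EXTENSION))" "$next_update" > "$meta"
    cat "$body"
}

# Deterministic scenario; prints the CRL served at each step on one line.
scenario() {
    CACHE=$(mktemp -d); echo 0 > "$CACHE/fetches"
    NOW=1000000; CARA_DOWN=0; CRL_VALIDITY=3600
    trace=$(crl_get mainCA)                                # miss: fetch crl-1
    NOW=$((NOW + 100)); trace="$trace $(crl_get mainCA)"   # hit: crl-1
    NOW=$((NOW + 300)); trace="$trace $(crl_get mainCA)"   # lifetime over: crl-2
    CARA_DOWN=1
    NOW=$((NOW + 400)); trace="$trace $(crl_get mainCA)"   # outage: stale crl-2, extended
    NOW=$((NOW + 30));  trace="$trace $(crl_get mainCA)"   # within extension: crl-2
    CARA_DOWN=0; CRL_VALIDITY=50
    NOW=$((NOW + 100)); trace="$trace $(crl_get mainCA)"   # CARA back: crl-3 (short-lived)
    NOW=$((NOW + 60));  trace="$trace $(crl_get mainCA)"   # CRL expired before cache did: crl-4
    echo "$trace"
}

scenario
```

The last two steps show the second refresh trigger: crl-3 is still inside its cache lifetime at the final step, but its own nextUpdate has passed, so the cache fetches crl-4 rather than serving a list that validators would reject.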