OCSP & HTTP CRLs
Endpoints
OCSP Responder
The Revocation Info Server (RIS) provides an OCSP responder. It uses MTG-CARA to process OCSP requests. The RIS can only answer OCSP requests for certificates issued by a given CA certificate if an OCSP configuration exists for that CA certificate. OCSP configurations are created in the CARA Admin frontend.
The OCSP responder URL of the RIS is as follows:
http://<BASE_URL>/ocsp
The placeholder <BASE_URL> has to be replaced by the name of the server on which RIS was installed and started. If a context path different from the default cara-revocation-info-server is chosen for an ExecutableJAR installation, the URL must be modified accordingly.
For example, the OCSP responder of the CARA Revocation-Info-Server can be tested using OpenSSL:
openssl ocsp -issuer <issuer-cert-file> -serial <serialNumber> -text -url http://<BASE_URL>/ocsp
The placeholder <issuer-cert-file> must be replaced with the path to the file containing the issuing CA certificate, and the placeholder <serialNumber> with the serial number of the certificate whose status is being requested. As a prerequisite, the issuing CA must already have issued the certificate with that serial number. OpenSSL also verifies the signature on the response: if the response is signed by a delegated responder certificate rather than by the CA itself, additionally supply a trust anchor with -CAfile (or the responder certificate with -VAfile); otherwise OpenSSL still prints the certificate status but reports "Response Verify Failure".
CRL Distribution Point
The RIS can be used to distribute revocation lists. It retrieves the revocation lists from MTG-CARA and makes them available for HTTP download.
The revocation list for a CA certificate can only be retrieved if a revocation list configuration exists for the CA certificate. The name of the revocation list configuration must be known; it is part of the CRL-DP URL and should not contain any special characters if possible. If the name does contain special characters, they must be URL-encoded (percent-encoded) in the URL. Both complete and delta revocation lists can be obtained from the CRL Distribution Point.
The CRL-DP URL is composed as follows:
http://<BASE_URL>/<path>/[complete|delta]/<CRL-Config-Name>[.crl]
The placeholder <BASE_URL> must be replaced by the name of the server on which RIS was installed and started. The placeholder <CRL-Config-Name> must be replaced by the name of the respective CRL configuration. The file extension .crl is optional; it can be either appended to or omitted from the URL. The name of the revocation list configuration itself must not contain the file extension.
For the placeholder <path> there are the following possibilities, which are equivalent to each other. A revocation list is always available under all of these paths; individual paths cannot be disabled:
- named-crl
- crldp
- crldps
- crl
- crls
- revocation
- rev
The specification of the CRL type complete or delta is optional. If the latest complete revocation list for a CA certificate is to be downloaded, the CRL type complete can be omitted. However, if the most recent delta revocation list for a CA certificate is to be downloaded, the CRL type delta must be specified.
The HTTP download of the revocation list can be tested in the browser.
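As an added example (not code from MTG-CARA or the RIS), the following Python script composes the CRL-DP URL described above, percent-encoding the configuration name, and then checks what a download actually returned: that it is a DER (or PEM) CertificateList rather than an error page, whether it is a complete or a delta CRL (via the deltaCRLIndicator extension), its cRLNumber, the revoked serial numbers, and whether nextUpdate has already passed. It uses only the Python standard library. The sample CRL produced by build_sample_crl is constructed inline for offline testing and is signed by nobody; the host ris.example.com and the configuration names in the usage note are assumptions.

```python
"""Compose RIS CRL-DP URLs and inspect a downloaded CRL offline. Added example for this
page, not MTG-CARA/RIS code; Python standard library only (RFC 5280 CertificateList subset)."""
import base64
import urllib.parse
import urllib.request
from datetime import datetime, timezone

CRL_PATHS = ("named-crl", "crldp", "crldps", "crl", "crls", "revocation", "rev")
OID_CRL_NUMBER = b"\x55\x1d\x14"           # 2.5.29.20
OID_DELTA_CRL_INDICATOR = b"\x55\x1d\x1b"  # 2.5.29.27

def crl_dp_url(base_url, config_name, crl_type=None, path="crldp", extension=True):
    """Build http://<BASE_URL>/<path>/[complete|delta]/<CRL-Config-Name>[.crl]. The config
    name is percent-encoded; crl_type None means the latest complete CRL (as on the page)."""
    if path not in CRL_PATHS or crl_type not in (None, "complete", "delta"):
        raise ValueError(f"path must be one of {CRL_PATHS}; crl_type None, 'complete' or 'delta'")
    parts = [path] + ([crl_type] if crl_type else []) + [urllib.parse.quote(config_name, safe="")]
    return f"http://{base_url.strip('/')}/" + "/".join(parts) + (".crl" if extension else "")

def fetch_crl(base_url, config_name, crl_type=None):
    """Download the CRL from the RIS and summarise it (needs the network; not run offline)."""
    with urllib.request.urlopen(crl_dp_url(base_url, config_name, crl_type), timeout=10) as resp:
        return inspect_crl(resp.read())

def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _time(tag, value):
    """UTCTime (0x17, two-digit year per RFC 5280) or GeneralizedTime (0x18) -> aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_crl(data):
    """Summarise a CRL given as DER or PEM; ValueError for anything else (e.g. an HTML error page)."""
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        data = base64.b64decode(data.split(b"-----")[2])
    if not data or data[0] != 0x30:
        raise ValueError("not a DER CertificateList; check the URL (an error page was probably returned)")
    _, tbs, _ = _tlv(_tlv(data)[1])                      # tbsCertList; signature fields follow it
    f = list(_children(tbs))
    i = 1 if f[0][0] == 0x02 else 0                      # optional version INTEGER (v2 is encoded as 1)
    version = int.from_bytes(f[0][1], "big") + 1 if i else 1
    i += 2                                               # skip signature AlgorithmIdentifier and issuer Name
    this_update, i = _time(*f[i]), i + 1
    next_update = _time(*f[i]) if i < len(f) and f[i][0] in (0x17, 0x18) else None
    i += next_update is not None                         # nextUpdate is OPTIONAL
    revoked = []
    if i < len(f) and f[i][0] == 0x30:                   # revokedCertificates: userCertificate INTEGER first
        revoked = [int.from_bytes(_tlv(e)[1], "big", signed=True) for _, e in _children(f[i][1])]
        i += 1
    crl_number = base_crl_number = None
    if i < len(f) and f[i][0] == 0xA0:                   # [0] EXPLICIT crlExtensions
        for _, ext in _children(next(_children(f[i][1]))[1]):
            parts = list(_children(ext))                 # extnID, [critical], extnValue
            oid, inner = parts[0][1], _tlv(parts[-1][1])[1]
            if oid == OID_CRL_NUMBER:
                crl_number = int.from_bytes(inner, "big")
            elif oid == OID_DELTA_CRL_INDICATOR:         # present only on delta CRLs
                base_crl_number = int.from_bytes(inner, "big")
    return {"version": version, "this_update": this_update, "next_update": next_update,
            "revoked_serials": revoked, "crl_number": crl_number,
            "is_delta": base_crl_number is not None, "base_crl_number": base_crl_number,
            "expired": next_update is not None and next_update < datetime.now(timezone.utc)}

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def _der_int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def build_sample_crl(delta=False, serials=(0x1001, 0x1002)):
    """CONSTRUCTED test input: a well-formed v2 CRL for CN=Example CA with an all-zero
    signature; it is signed by nobody and exists only to exercise inspect_crl offline."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Example CA"))))
    entries = b"".join(_der(0x30, _der_int(s) + _der(0x17, b"240102030405Z")) for s in serials)
    exts = _der(0x30, _der(0x06, OID_CRL_NUMBER) + _der(0x04, _der_int(7)))
    if delta:  # deltaCRLIndicator is critical (TRUE) and carries the base CRL's cRLNumber
        exts += _der(0x30, _der(0x06, OID_DELTA_CRL_INDICATOR) + _der(0x01, b"\xff") + _der(0x04, _der_int(5)))
    tbs = _der(0x30, _der_int(1) + alg + issuer + _der(0x17, b"240101000000Z") + _der(0x17, b"240108000000Z")
               + _der(0x30, entries) + _der(0xA0, _der(0x30, exts)))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
```

Against a live RIS, fetch_crl("ris.example.com", "RootCA", "delta") pulls and summarises the latest delta revocation list for the (assumed) configuration RootCA; a ValueError means the URL did not yield a CRL at all, is_delta tells you whether the optional delta path segment took effect, and expired=True means the list is stale and must not be relied on. The parser deliberately does not verify the CRL signature; verify it against the issuing CA certificate before acting on the contents.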