From rtracy at opencloudconsultants.com Sat Aug 13 01:38:17 2011
From: rtracy at opencloudconsultants.com (Rick Tracy)
Date: Fri, 12 Aug 2011 20:38:17 -0500
Subject: [Pki-users] OCSP Responder with Multiple CA's
Message-ID:

I have multiple CAs set up in multiple security domains. I have set up a separate OCSP responder that sits in the DMZ, and I would like for it to respond to OCSP requests for all of the CAs. It seems to be communicating with all the CAs OK... I can paste a certificate from any of the CAs into the Check Certificate Status form and it properly validates it.

The problem that I am having is that when a client uses OCSP to validate a certificate, it appears to fail because the certificate used by the OCSP responder to sign the response was not issued by the same CA that issued the cert.

In the RHCS Deployment Guide (version 8.0) it states:

> 2.1.3.1. OCSP Response Signing
>
> Every response that the client receives, including a rejection notification, is digitally signed by the responder; the client is expected to verify the signature to ensure that the response came from the responder to which it submitted the request. The key the responder uses to sign the message depends on how the OCSP responder is deployed in a PKI setup. RFC 2560 recommends that the key used to sign the response belong to one of the following:
>
> - The CA that issued the certificate whose status is being checked.
> - A responder with a public key trusted by the client. Such a responder is called a *trusted responder*.
> - A responder that holds a specially marked certificate issued to it directly by the CA that revokes the certificates and publishes the CRL. Possession of this certificate by a responder indicates that the CA has authorized the responder to issue OCSP responses for certificates revoked by the CA. Such a responder is called a *CA-designated responder* or a *CA-authorized responder*.

I don't think the first option is available in my environment... the CAs will have no direct access from the internet, which is part of the reason we are using the OCSP responder. The second option is not favored because I believe it would require distributing the OCSP responder certificate to all the client applications. Which leaves the third option.

I have tried going through the wizard in pkiconsole on the OCSP responder and creating OCSP signing certificate requests for each of the CAs we are using, requesting them using the Manual OCSP Manager Signing Certificate profiles on each CA, and loading the signed cert back in through the wizard. But whenever it sends an OCSP response it does not seem to pick the right key to sign the response.

Is there some step I am missing to link keys with CAs? Is this even supported in Dogtag?

Any help or pointers would be appreciated.

Thanks
RT
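The three signing rules quoted from the deployment guide, and the failure the post describes, can be checked offline. The following is an added example, not code from the post or from Dogtag/RHCS: it builds two CAs ("CA-A", "CA-B"), an end-entity certificate issued by CA-A, and a DMZ responder holding one OCSP signing certificate (with its own key) from each CA, all constructed in-process with the Python `cryptography` package and EC P-256 keys. `classify_signer` applies the rules as a relying party would: rule 1 (signed by the issuing CA), rule 2 (a responder certificate the client was given out of band), and rule 3 (a certificate carrying id-kp-OCSPSigning that was issued by the same CA as the certificate being checked). A response for the CA-A certificate signed with the CA-B-issued responder certificate matches none of them, which is exactly the rejection the post observes; the names, the `trusted_responders` parameter and the case labels are this example's own assumptions.

```python
"""Constructed scenario: one shared OCSP responder, two CAs, one end-entity cert.
Every key, name and certificate is generated here (EC P-256, SHA-256); this is
an illustrative check, not Dogtag's own code."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def make_cert(cn, issuer_cert, issuer_key, key, ca=False, ocsp_signing=False):
    """Issue a certificate for `key`; issuer_cert=None means self-signed (root CA)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=5))
         .not_valid_after(NOW + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:
        # id-kp-OCSPSigning is the "special marking" of a CA-designated responder cert.
        b = b.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def sign_response(ee_cert, issuer_cert, signer_cert, signer_key):
    """Build a GOOD response for ee_cert, signed with signer_key, carrying signer_cert."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=ee_cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD,
                             this_update=NOW, next_update=NOW + timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
               .certificates([signer_cert]))
    return builder.sign(signer_key, hashes.SHA256())


def _signed_by(resp, public_key):
    try:
        public_key.verify(resp.signature, resp.tbs_response_bytes,
                          ec.ECDSA(resp.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def classify_signer(resp, issuer_cert, trusted_responders=()):
    """Which RFC 2560 rule makes the signature acceptable to a client, or None."""
    # Rule 1: the CA that issued the checked certificate signed the response itself.
    if _signed_by(resp, issuer_cert.public_key()):
        return "issuer-ca"
    # Rule 2: a responder whose certificate the client was given out of band.
    if any(_signed_by(resp, tr.public_key()) for tr in trusted_responders):
        return "trusted-responder"
    # Rule 3: CA-designated responder. The signer cert must be issued by the SAME
    # CA that issued the checked cert and carry id-kp-OCSPSigning; a perfectly
    # valid OCSP signing cert from a different CA does not count.
    for cert in resp.certificates:
        if not _signed_by(resp, cert.public_key()) or cert.issuer != issuer_cert.subject:
            continue
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                            ec.ECDSA(cert.signature_hash_algorithm))
        except (x509.ExtensionNotFound, InvalidSignature):
            continue
        if ExtendedKeyUsageOID.OCSP_SIGNING in eku:
            return "ca-designated-responder"
    return None


def run_scenario():
    """Two CAs; the DMZ responder holds one OCSP signing cert (and key) from each."""
    ca_a_key, ca_b_key, ee_key = new_key(), new_key(), new_key()
    ca_a = make_cert("CA-A", None, ca_a_key, ca_a_key, ca=True)
    ca_b = make_cert("CA-B", None, ca_b_key, ca_b_key, ca=True)
    ee = make_cert("client.example", ca_a, ca_a_key, ee_key)   # issued by CA-A
    key_a, key_b, key_t = new_key(), new_key(), new_key()
    signer_a = make_cert("ocsp.dmz", ca_a, ca_a_key, key_a, ocsp_signing=True)
    signer_b = make_cert("ocsp.dmz", ca_b, ca_b_key, key_b, ocsp_signing=True)
    trusted = make_cert("ocsp.dmz", None, key_t, key_t)         # preconfigured on the client
    cases = {
        "issuer CA key": (ca_a, ca_a_key),
        "responder cert from CA-A": (signer_a, key_a),
        "responder cert from CA-B": (signer_b, key_b),          # the failure mode in the post
        "trusted responder": (trusted, key_t),
    }
    return {name: classify_signer(sign_response(ee, ca_a, cert, key), ca_a, [trusted])
            for name, (cert, key) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} -> {verdict}")
```

The useful diagnostic for the situation in the post is to capture a real response (for example with `openssl ocsp -resp_text` against the DMZ responder) and check the issuer of the certificate carried in it against the issuer of the certificate whose status was requested; if they differ, the responder chose a signing key for the wrong CA and a conforming client will reject the response, regardless of how many valid OCSP signing certificates the responder holds.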