Shammer's Philosophy

My private adversaria

Generate a certificate and a private key for an OCSP Responder

This is the next step after "Generate a certificate and a private key of intermediate CA - Shammerism".
According to "OCSP Behavior - Shammerism", an OCSP responder certificate requires the following extension.

extendedKeyUsage = OCSPSigning

So the openssl config file used when executing openssl req -new for the OCSP responder looks like this.

$ cat generate-csr-of-ocsp-responder.conf
[ req ]
default_bits       = 2048
encrypt_key        = no
default_md         = sha256
utf8               = yes
string_mask        = utf8only
prompt             = no
distinguished_name = ocspsign_dn
req_extensions     = ocspsign_req_ext

[ ocspsign_dn ]
countryName         = "JP"
stateOrProvinceName = "Kanagawa"
localityName        = "Yokohama"
organizationName    = "TotoRiotto"
commonName          = "ocsp.totoriotto.xyz"

[ ocspsign_req_ext ]
keyUsage             = critical,digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage     = critical,OCSPSigning
basicConstraints     = CA:false
subjectKeyIdentifier = hash


The command to generate OCSP Responder's CSR is below.

$ openssl req -new -config generate-csr-of-ocsp-responder.conf -nodes -newkey rsa:2048 -keyout Servers/ocsp.totoriotto.xyz/ocsp.key -out Servers/ocsp.totoriotto.xyz/csr.pem


After generating the CSR, sign it with the IntermediateCA. Be careful about x509_extensions here. If x509_extensions is not defined in the config, the generated certificate will be version 1 instead of version 3, so define the section even if it contains no extensions. Many things do not work well if the certificate is not version 3.

$ cat IntermediateCA-ca-actions.conf
[ default ]
ca        = TotoRiottoIntermediateCA
dir       = .
base_url  = http://pki.totoriotto.xyz
cert_url  = $base_url/intermediate-ca.cer
crl_url   = $base_url/intermediate-ca.crl
ocsp_url  = http://ocsp.totoriotto.xyz
name_opt  = multiline,-esc_msb,utf8

[ ca ]
default_ca = intermediate_ca

[ intermediate_ca ]
certificate     = $dir/$ca/cacert.pem
private_key     = $dir/$ca/private/ca.key
new_certs_dir   = $dir/$ca/certs
serial          = $dir/$ca/certificate_serial
crlnumber       = $dir/$ca/crl_serial
database        = $dir/$ca/database
unique_subject  = yes
default_days    = 1825
default_md      = sha256
policy          = match_pol
email_in_dn     = no
preserve        = yes
name_opt        = $name_opt
cert_opt        = ca_default
copy_extensions = copy
default_crl_days= 1
crl_extensions  = crl_ext
x509_extensions = x509_extension

[ match_pol ]
countryName         = match
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied

[ crl_ext ]
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = @issuer_info

[ issuer_info ]
caIssuers;URI.0 = $cert_url

[ x509_extension ]


The signing command is below.

$ openssl ca -config Conf/IntermediateCA-ca-actions.conf -in Servers/ocsp.totoriotto.xyz/csr.pem -out Servers/ocsp.totoriotto.xyz/ocsp.pem

The X509 extensions of this certificate look like this.

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage: critical
        OCSP Signing
    X509v3 Basic Constraints: 
        CA:FALSE
    X509v3 Subject Key Identifier: 
        2A:72:8C:4D:39:5F:11:21:3B:19:3B:48:83:D9:3E:67:83:1D:45:BD
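
To confirm that the signed certificate really came out as version 3 with the extensions above, the text dump can be checked with a small script. This is an added example, not part of the original post; the function name check_ocsp_cert_text and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint `openssl x509 -noout -text`
# output for an OCSP responder certificate. Real use:
#   openssl x509 -in Servers/ocsp.totoriotto.xyz/ocsp.pem -noout -text | check_ocsp_cert_text

# check_ocsp_cert_text is a hypothetical helper name. It reads the text dump
# on stdin, prints one line per problem, and returns 0 only if all checks pass.
check_ocsp_cert_text() {
    text=$(cat)
    rc=0
    # Print the value line that follows the extension header given in $1.
    ext_value() {
        printf '%s\n' "$text" | awk -v h="$1" 'index($0, h) { if ((getline v) > 0) print v; exit }'
    }
    # openssl ca without an x509_extensions section produces "Version: 1 (0x0)".
    printf '%s\n' "$text" | grep -Eq '^[[:space:]]*Version: 3 \(0x2\)' ||
        { echo "FAIL: not an X.509 v3 certificate"; rc=1; }
    case "$(ext_value 'X509v3 Extended Key Usage')" in
        *"OCSP Signing"*) ;;
        *) echo "FAIL: extendedKeyUsage lacks OCSP Signing"; rc=1 ;;
    esac
    case "$(ext_value 'X509v3 Key Usage')" in
        *"Digital Signature"*) ;;
        *) echo "FAIL: keyUsage lacks Digital Signature"; rc=1 ;;
    esac
    case "$(ext_value 'X509v3 Basic Constraints')" in
        *"CA:TRUE"*) echo "FAIL: responder certificate is a CA"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the extension block shown in the post plus a Version line.
SAMPLE_V3='        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Basic Constraints:
                CA:FALSE'
# Constructed sample: a v1 certificate, which carries no extensions at all.
SAMPLE_V1='        Version: 1 (0x0)
        Serial Number: 4096 (0x1000)'

# Demo on the constructed v1 sample: prints three FAIL lines.
printf '%s\n' "$SAMPLE_V1" | check_ocsp_cert_text || true
```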