Discuss this help topic in SecureBlackbox Forum

Configure OCSP server

The OCSP server components included in SecureBlackbox only implement the OCSP functionality itself, and require external HTTP(S) server components for HTTP request processing. Either HTTPBlackbox, or any other HTTP implementation allowing to pass dedicated OCSP requests for external handling, will do.

Prior to implementing the OCSP responder, the HTTP server component needs to be set up and configured. Your server should be able to: (1) handle POST requests with 'application/ocsp-request' content type; (2) forward them to the request handler; (3) receive results from the handler; (4) send them back as an HTTP response with 'application/ocsp-response' content type.

The OCSP request handler expects a properly formed OCSP request on input (received from the HTTP server), and returns the corresponding OCSP response.

  1. Create a TElOCSPServer object: TElOCSPServer ocspServer = new TElOCSPServer();
  2. Each OCSP responder must have its signing certificate, either the CA certificate, or an independent certificate, duly authorized by the CA for OCSP signing (i.e., including properly adjusted key usage and extended key usage extensions). Load the certificate (and, optionally, the rest of its chain) into a TElMemoryCertStorage object, and assign it the server's SigningCertStorage property. The OCSP signing certificate must include the associated private key. It may be non-exportable (for instance, if it is located on a hardware device).
    
    TElMemoryCertStorage signingCerts = new TElMemoryCertStorage();
    signingCerts.Add(signingCert, true);
    signingCerts.Add(caCert, true);
    ocspServer.SigningCertStorage = signingCerts;
    
  3. Tune up the server:
    
    ocspServer.IncludeCertificates = true;
    ocspServer.ResponderIdType = TElResponderIDType.ritName;
    
  4. Handle the OnCertificateCheck event according to your certificate checking logic:
    
    void handleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash, byte[] issuerKeyHash, byte[] certificateSerial, ref TElOCSPCertificateStatus certStatus, ref TSBCRLReasonFlag reasonFlag, ref DateTime revocationTime, ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
      // You are expected to check your database for the up-to-date status of the requested certificate.
      // The certificate in question is identified by its unique serial number.
      // Having established the status, you need to adjust the values of certStatus, reasonFlag and revocationTime accordingly.
      // Independently of whether the certificate is revoked or not, set thisUpdate to the time of the last certificate status update in the database, and nextUpdate to the time when the next update is expected.
    }
    
  5. Set ProducedAt to reflect the current time: ocspServer.ProducedAt = DateTime.UtcNow;
  6. Call ProcessRequest() passing the request received from the HTTP server as the corresponding parameter. The response is returned via the Reply parameter: ocspServer.ProcessRequest(request, ref reply);
You could notice from the above description that a dedicated TElOCSPServer object is needed for each incoming request. For small environments, you might be fine with creating individual TElOCSPServer object for every new request. However, some sort of object pooling may be needed for heavily loaded environments.

How To articles about OCSP

Discuss this help topic in SecureBlackbox Forum