In my previous company I and One of my colleague had to work on Online Certificate Status Protocol (OCSP). These were the steps that we have take to test it. We had put this together so that it will help us in future. If you are testing the same we hope this might help you. Please do let us know of any changes that are require or steps that need to be added.
- make Root certificate
- Be in this directory to make the certificates and keys and etc…..
- Generate des3 key for creating request.
openssl genrsa -des3 -out rootCa/private/rootcakey.pem 2048 -config openssl.cnf
- Generate a new request for signing the certificate.
openssl req -new -x509 -days 365000 -key rootCa/private/rootcakey.pem -out rootCa/private/rootcacert.pem -config openssl.cnf
- Dont know what it is required for will update later.
cp rootCa/private/rootcacert.pem rootCa/certs/00.pem
- make a backup of the rootca certificate for easier configuration.
cp rootCa/private/rootcacert.pem rootCa/
- dont know what this could be used for.
cd /usr/share/ssl/rootCa/certs ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0
- Make cert
- Generate key
openssl genrsa -out ocsp/key.pem 1024
- Generate a new request
openssl req -new -key ocsp/key.pem -out ocsp/req.pem -config openssl.cnf
- Generate a certificate and sign with the root certificate.
openssl ca -name ocsp_server -keyfile rootCa/private/rootcakey.pem -in ocsp/req.pem -out ocsp/cert.pem -outdir rootCa/certs -config openssl.cnf
- create crl
openssl ca -gencrl -config openssl.cnf -crldays 36500 -crlhours 24000 -out rootCa/crl/crl.pem
- Check Response
openssl ocsp -host 192.168.2.40:2560 -issuer /usr/share/ssl/rootCa/rootcacert.pem -VAfile /usr/share/ssl/ocsp/cert.pem -serial 16