Arrange the tomcatCon page... https://issues.jboss.org/browse/MODCLUSTER-376 (regression... well, missing upstream)

Back to JBCS-258:
SSLOCSPNoverify on/off (OK)...
SSLOCSPResponderCertificateFile ()

Install a server: yum install ocspd (I have tried ocspd-1.9.0-7.fc24.x86_64)

/usr/sbin/ocspd -d -c /etc/ocspd/ocspd.conf -k adelina

/etc/ocspd/ocspd.conf needs the following:
ocspd_certificate
ocspd_key

Note that the /etc/pki/tls/misc/CA script can't be used... at least not directly... you need to add the following in /etc/pki/tls/openssl.cnf (well, in each [ bla ] section):
+++
[ CA_default ]
unique_subject = no (not needed...)

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
+++
You need to use -extensions v3_OCSP with openssl:
openssl req -new -out newreq.pem -keyout bela1_newkey.pem -extensions v3_OCSP (create the request)
openssl ca -in newreq.pem -out bela1_newcert.pem -extensions v3_OCSP (sign it)
openssl ca -gencrl -out crl_01.pem (create an empty revocation list)

In /etc/ocspd/ocspd.conf fill:
ocspd_certificate bela1_newcert.pem
ocspd_key bela1_newcert.pem

Adjust it to use dbms_file only, and in first_ca put the crl_url and the ca_url:
crl_url crl_01.pem
ca_url put the cacert of the CA you use to generate the revocation list.
server_cert put the certificate of the server... (I have commented out csp_add_response_certs so I don't send that???)

/usr/sbin/ocspd -d -c /etc/ocspd/ocspd.conf -k adelina

Use openssl to check the responder...
openssl ocsp -VAfile -issuer -cert -url http://localhost:2560/
something like:
+++
[jfclere@jfcpc CERTS]$ openssl ocsp -VAfile /etc/ocspd/certs/bela1_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert newcert.pem -url http://localhost:2560/
Response verify OK
newcert.pem: good
	This Update: Jan 30 18:33:57 2017 GMT
	Next Update: Feb 17 14:22:39 2017 GMT
+++
We tell openssl to trust bela1_newcert.pem (aka the ocspd certificate).

more newcert.pem (read the Serial Number...)
+++
Data:
    Version: 3 (0x2)
    Serial Number: e3:a5:26:0f:e5:81:67:2f
+++
Look in /etc/pki/CA/newcerts/:
+++
[root@dhcp-144-196 NEWCERTS]# ls -lt /etc/pki/CA/newcerts/
total 24
-rw-r--r--. 1 root root 4663 Feb 17 13:49 E3A5260FE581672F.pem
-rw-r--r--. 1 root root 4357 Feb  3 16:35 E3A5260FE581672E.pem
-rw-r--r--. 1 root root 4481 Feb  3 16:13 E3A5260FE581672D.pem
+++
So E3A5260FE581672F.pem is the one... revoke it:
+++
[root@dhcp-144-196 NEWCERTS]# openssl ca -revoke /etc/pki/CA/newcerts/E3A5260FE581672F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate E3A5260FE581672F.
Data Base Updated
+++
Generate the new revocation list:
openssl ca -gencrl -out crl_01.pem
Replace the file in crl_url... and restart ocspd...
+++
[root@dhcp-144-196 NEWCERTS]# openssl ocsp -VAfile ../CERTS/bela1_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert newcert.pem -url http://jfcpc:2560
Response verify OK
newcert.pem: revoked
	This Update: Feb 17 15:15:24 2017 GMT
	Next Update: Feb 17 15:23:22 2017 GMT
	Revocation Time: Feb 17 15:13:50 2017 GMT
+++
So at that point ocspd is configured correctly, let's test httpd....

Add in httpd (create newcert.pem/newkey.pem as usual):
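The same good-then-revoked cycle, as an added example that is not part of these notes: it runs in a scratch directory with OpenSSL's built-in responder (openssl ocsp -index ... -port) standing in for ocspd, and the CA, the serial numbers, the index.txt entries and port 28560 are all constructed for the test. It assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original notes: the same good-then-revoked
# cycle in a scratch directory, with `openssl ocsp` standing in for ocspd.
# Assumed: openssl 1.1.1 or later on PATH, TCP port 28560 free on 127.0.0.1.
set -e
W="${W:-$(mktemp -d)}"; PORT=28560

# Scratch CA, an OCSP signer carrying extendedKeyUsage = OCSPSigning (the
# page's [ v3_OCSP ] section) and one client certificate (serial 0x1002).
mk_pki() {
  printf '[v3_OCSP]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > "$W/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" -out "$W/ca.pem" -subj /CN=TestCA -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/ocsp.key" -out "$W/ocsp.csr" -subj /CN=ocspd 2>/dev/null
  openssl x509 -req -in "$W/ocsp.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -set_serial 0x1001 -days 30 \
    -extfile "$W/ext.cnf" -extensions v3_OCSP -out "$W/ocsp.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/client.key" -out "$W/client.csr" -subj /CN=client 2>/dev/null
  openssl x509 -req -in "$W/client.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -set_serial 0x1002 -days 30 -out "$W/client.pem" 2>/dev/null
  printf 'unique_subject = no\n' > "$W/index.txt.attr"
}

# The responder reads an `openssl ca` index: V = valid, R = revoked at <time>.
mark_valid()   { printf 'V\t300101000000Z\t\t1002\tunknown\t/CN=client\n' > "$W/index.txt"; }
mark_revoked() { printf 'R\t300101000000Z\t240101120000Z\t1002\tunknown\t/CN=client\n' > "$W/index.txt"; }

# Serve one request from index.txt, query it the way the page does (-VAfile
# trusts the responder's signing cert, as SSLOCSPResponderCertificateFile does
# in httpd) and print the certificate status: good, revoked or unknown.
ocsp_status() {
  openssl ocsp -index "$W/index.txt" -CA "$W/ca.pem" -rsigner "$W/ocsp.pem" -rkey "$W/ocsp.key" \
    -port $PORT -nrequest 1 >/dev/null 2>&1 &
  rpid=$!
  for _ in 1 2 3 4 5; do   # retry until the responder has bound the port
    out=$(openssl ocsp -issuer "$W/ca.pem" -cert "$W/client.pem" -url "http://127.0.0.1:$PORT/" \
          -CAfile "$W/ca.pem" -VAfile "$W/ocsp.pem" 2>&1) && break
    sleep 1
  done
  kill "$rpid" 2>/dev/null || true; wait "$rpid" 2>/dev/null || true   # it exits after one request anyway
  printf '%s\n' "$out" | grep -q '^Response verify OK$' || { echo verify-failed; return 1; }
  printf '%s\n' "$out" | sed -n 's/^.*client\.pem: //p'
}

mk_pki
mark_valid;   echo "before revocation: $(ocsp_status)"
mark_revoked; echo "after revocation:  $(ocsp_status)"
```

Rewriting index.txt is the scratch equivalent of openssl ca -revoke plus a fresh CRL in crl_url; with ocspd you also restart the daemon so it picks the new CRL up.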
+++
Listen 8008
SSLEngine on
SSLCertificateFile "/home/jfclere/APACHE/ssl/newcert.pem"
SSLCertificateKeyFile "/home/jfclere/APACHE/ssl/newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLVerifyClient on
SSLOCSPEnable on
SSLOCSPDefaultResponder http://jfcpc:2560/
SSLOCSPOverrideResponder on
#SSLOCSPNoverify on
#SSLOCSPResponderCertificateFile /etc/ocspd/certs/newcert.pem
SSLOCSPResponderCertificateFile /etc/ocspd/certs/bela1_newcert.pem
+++
Try without SSLOCSP..., with SSLVerifyClient on only....
[jfclere@jfcpc CERTS]$ curl -v https://jfcpc:8008/ --cert ./newcert.pem --cacert /etc/pki/CA/cacert.pem --key ./key.txt.pem
works (note the key.txt.pem: openssl rsa -in newkey.pem -out key.txt.pem, in case newkey.pem is passphrase-protected).

Try SSLOCSP...
+++
SSLOCSPEnable on
SSLOCSPDefaultResponder http://jfcpc:2560/
SSLOCSPNoverify on
+++
works too.

NEXT:
+++
SSLVerifyClient on
SSLOCSPEnable on
SSLOCSPDefaultResponder http://localhost:2560/
SSLOCSPResponderCertificateFile /etc/ocspd/certs/bela1_newcert.pem
+++
With a valid certificate:
curl -v https://jfcpc:8008/ --cert ./newcert.pem --cacert /etc/pki/CA/cacert.pem --key ./key.txt.pem
works...

With a revoked certificate (revoke the valid one, for example...) it fails with:
+++
* NSS error -12270 (SSL_ERROR_REVOKED_CERT_ALERT)
* SSL peer rejected your certificate as revoked.
+++