Author: markt Date: Fri Jan 5 10:59:48 2018 New Revision: 1820279 URL: http://svn.apache.org/viewvc?rev=1820279&view=rev Log: Add OCSP configuration information to the SSL How-To. Patch provided by Marek Czernek.
Modified: tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/ssl-howto.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1820279&r1=1820278&r2=1820279&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Jan 5 10:59:48 2018 @@ -158,6 +158,10 @@ <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code> option in the documentation web application. (markt) </fix> + <add> + Add OCSP configuration information to the SSL How-To. Patch provided by + Marek Czernek. (markt) + </add> </changelog> </subsection> <subsection name="Other"> Modified: tomcat/trunk/webapps/docs/ssl-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssl-howto.xml?rev=1820279&r1=1820278&r2=1820279&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/ssl-howto.xml (original) +++ tomcat/trunk/webapps/docs/ssl-howto.xml Fri Jan 5 10:59:48 2018 
@@ -425,6 +425,111 @@ After that you can proceed with importin </subsection> </section> +<section name="Using OCSP Certificates"> +<p>To use Online Certificate Status Protocol (OCSP) with Apache Tomcat, ensure + you have downloaded, installed, and configured the + <a href="https://tomcat.apache.org/download-native.cgi"> + Tomcat Native Connector</a>. +Furthermore, if you use the Windows platform, ensure you download the +ocsp-enabled connector.</p> +<p>To use OCSP, you require the following:</p> + +<ul> + <li>OCSP-enabled certificates</li> + <li>Tomcat with SSL APR connector</li> + <li>Configured OCSP responder</li> +</ul> + +<subsection name="Generating OCSP-Enabled Certificates"> +<p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP + responder location encoded in the certificate. The basic OCSP-related + certificate authority settings in the <code>openssl.cnf</code> file could look + as follows:</p> + +<source> +#... omitted for brevity + +[x509] +x509_extensions = v3_issued + +[v3_issued] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +# The address of your responder +authorityInfoAccess = OCSP;URI:http://127.0.0.1:8088 +keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly +basicConstraints=critical,CA:FALSE +nsComment="Testing OCSP Certificate" + +#... omitted for brevity +</source> + +<p>The settings above encode the OCSP responder address + <code>127.0.0.1:8088</code> into the certificate. Note that for the following + steps, you must have <code>openssl.cnf</code> and other configuration of + your CA ready. 
To generate an OCSP-enabled certificate:</p> + +<ul> + <li> + Create a private key: + <source>openssl genrsa -aes256 -out ocsp-cert.key 4096</source> + </li> + <li> + Create a signing request (CSR): + <source>openssl req -config openssl.cnf -new -sha256 \ + -key ocsp-cert.key -out ocsp-cert.csr</source></li> + <li> + Sign the CSR: + <source>openssl ca -openssl.cnf -extensions ocsp -days 375 -notext \ + -md sha256 -in ocsp-cert.csr -out ocsp-cert.crt</source> + </li> + <li> + You may verify the certificate: + <source>openssl x509 -noout -text -in ocsp-cert.crt</source> + </li> +</ul> +</subsection> + +<subsection name="Configuring OCSP Connector"> + +<p>To configure the OCSP connector, first verify that you are loading the Tomcat + APR library. Check the <a href="apr.html#Installation"> + Apache Portable Runtime (APR) based Native library for Tomcat</a> +for more information about installation of APR. A basic OCSP-enabled connector + definition in the <code>server.xml</code> file looks as follows:</p> +<source> +<![CDATA[<Connector port="8443" + protocol="org.apache.coyote.http11.Http11AprProtocol" + secure="true" scheme="https" + SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt" + SSLCertificateKeyFile="/path/to/ocsp-cert.key" + SSLCACertificateFile="/path/to/ca.pem" + SSLVerifyClient="require" + SSLVerifyDepth="10" + clientAuth="true"/>]]> +</source> +</subsection> + +<subsection name="Starting OCSP Responder"> + <p>Apache Tomcat will query an OCSP responder server to get the certificate + status. When testing, an easy way to create an OCSP responder is by executing + the following: + <source>openssl ocsp -port 127.0.0.1:8088 \ + -text -sha256 -index index.txt \ + -CA ca-chain.cert.pem -rkey ocsp-cert.key \ + -rsigner ocsp-cert.crt</source> </p> + + <p>Do note that when using OCSP, the responder encoded in the connector + certificate must be running. 
For further information, see + <a href="https://www.openssl.org/docs/man1.1.0/apps/ocsp.html"> + OCSP documentation + </a>. + </p> + +</subsection> + +</section> + <section name="Troubleshooting"> <p>Here is a list of common problems that you may encounter when setting up
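Review bot: the "Sign the CSR" step in the ssl-howto.xml hunk is not a valid openssl invocation: `openssl ca -openssl.cnf -extensions ocsp ...` drops the `-config` flag that the CSR step above it uses (`openssl req -config openssl.cnf ...`), and `-extensions ocsp` names a section that the quoted `openssl.cnf` fragment never defines (it defines `[v3_issued]`, selected via `x509_extensions = v3_issued`). Suggest `openssl ca -config openssl.cnf -extensions v3_issued -days 375 -notext \` so the three steps agree with the configuration shown. Two smaller consistency points in the same hunk: the connector sets both `SSLVerifyClient="require"` (the APR attribute) and `clientAuth="true"` (the JSSE attribute), so one of them is redundant and the docs should say which applies to the APR connector; and the CA file is `ca.pem` in the connector but `ca-chain.cert.pem` in the `openssl ocsp` command. Finally, the responder example signs responses with the very certificate and key the connector serves (`-rkey ocsp-cert.key -rsigner ocsp-cert.crt`), and the prose only says Tomcat queries the responder "to get the certificate status"; since the example also enables client verification, the subsection should state explicitly which certificates are checked against the responder and note that the responder signer in a real deployment is the CA or a dedicated OCSP signing certificate, not the server certificate under test.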