Signer certificate for OCSP responder

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

Signer certificate for OCSP responder

Post by bjoernv » Tue Nov 21, 2017 10:01 pm

I am using OpenVPN 2.4.4 currently with manually updated CRL files on the clients. This is not perfect.

I did some experiments with the OpenSSL OCSP responder. Everything works right, if I use the CA certificate and the CA key (!) as rsigner/rkey for OpenSSL OCSP:

Code:

openssl ocsp -index index.txt -port 4444 -CA /etc/openvpn/pki/ca.crt -rsigner /etc/openvpn/pki/ca.crt -rkey /home/offline-ca/easyrsa/private/ca.key
Enter pass phrase for private/ca.key: 
But I never want to run the OCSP responder this way in production. My ca.key should be kept offline. The CA password entry after reboots is not the only problem.

My question is, what are the requirements for an OpenSSL OCSP responder rsigner/rkey? I tried other keys, created with easyrsa. The problem is that OpenVPN always shows an error with rsigner/rkey files other than the CA certificate and key:

Code:

openssl ocsp -index index.txt -port 4444 -CA ca.crt -rsigner issued/ocsp-test.crt -rkey private/oscp-test.key

Code:

Nov 21 22:37:33 cecilia openvpn[14201]: Validating certificate extended key usage
Nov 21 22:37:33 cecilia openvpn[14201]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 21 22:37:33 cecilia openvpn[14201]: VERIFY EKU OK
Nov 21 22:37:33 cecilia openvpn[14201]: WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Nov 21 22:37:33 cecilia openvpn[14201]: VERIFY SCRIPT ERROR: depth=0, CN=mybox.example.com
Nov 21 22:37:33 cecilia openvpn[14201]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 21 22:37:33 cecilia openvpn[14201]: TLS_ERROR: BIO read tls_read_plaintext error
Nov 21 22:37:33 cecilia openvpn[14201]: TLS Error: TLS object -> incoming plaintext read error
Nov 21 22:37:33 cecilia openvpn[14201]: TLS Error: TLS handshake failed
Nov 21 22:37:33 cecilia openvpn[14201]: SIGUSR1[soft,tls-error] received, process restarting
The OpenVPN configuration contains this:

Code:

tls-verify /etc/openvpn/pki/OCSP_check.sh
script-security 2
OCSP_check.sh is from OpenVPN 2.4.4 with these changes:

Code:

ocsp_url="http://localhost:4444/"
issuer="/etc/openvpn/pki/ca.crt"
verify="/etc/openvpn/pki/ca.crt"
I am unsure about the "verify" option. I also tried this with no luck:

Code:

ocsp_url="http://localhost:4444/"
issuer="/etc/openvpn/pki/ca.crt"
verify="/home/offline-ca/easyrsa/private/ca.key"

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

Re: Signer certificate for OCSP responder

Post by bjoernv » Tue Nov 21, 2017 10:21 pm

I probably found an answer after further debugging with "openssl ocsp" directly:

Code:

140058298127616:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:ocsp_vfy.c:362:
140058298127616:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:168:
The extension "extendedKeyUsage = OCSPSigning" is missing in normal easyrsa certificates.

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

Re: Signer certificate for OCSP responder

Post by bjoernv » Tue Nov 21, 2017 10:40 pm

The solution is to temporarily change from

Code:

extendedKeyUsage = clientAuth
in file easyrsa3/x509-types/client to

Code:

extendedKeyUsage = clientAuth,OCSPSigning
to get a certificate with the right extensions for OCSP signing.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Signer certificate for OCSP responder

Post by TiTex » Wed Nov 22, 2017 7:00 pm

Why not just use the openssl utility to create an OCSP signing cert for the OCSP responder, and also add the authorityInfoAccess attribute to issued certs?
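The following script is an added example; it is not code from this thread, from OpenVPN or from easyrsa. It does with plain openssl what bjoernv's third post and TiTex's reply describe: it builds a throwaway CA in a temporary directory, issues a delegated OCSP signer certificate carrying extendedKeyUsage = OCSPSigning, issues an ordinary clientAuth certificate that also carries the authorityInfoAccess pointer, and then signs and verifies an OCSP response for that client certificate with three different signers: the CA itself (what the first post did), the delegated signer (what the fix produces), and the plain client certificate (what an unmodified easyrsa cert gives you). The file names ocsp-signer, client, demo-offline-ca and the responder URL http://localhost:4444/ are assumptions for the demo; the responder is not started on a port, the response is written with -respout and verified with -respin so the whole thing runs offline in one process.

```shell
#!/bin/sh
# Added example: throwaway PKI plus OCSP signer check with the openssl CLI.
# Everything below lives in a temp dir that is removed on exit.
set -eu

DEMO_DIR=$(mktemp -d)
export DEMO_DIR                      # ca.cnf reads it via $ENV::DEMO_DIR
trap 'rm -rf "$DEMO_DIR"' EXIT

issue_cert() {  # $1 = file basename, $2 = extension section in ca.cnf
  openssl req -new -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -config "$DEMO_DIR/ca.cnf" -batch -notext -extensions "$2" \
    -in "$DEMO_DIR/$1.csr" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

build_demo_pki() {
  mkdir -p "$DEMO_DIR/newcerts"
  : > "$DEMO_DIR/index.txt"          # the CA database "openssl ocsp -index" reads
  echo 01 > "$DEMO_DIR/serial"
  cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $ENV::DEMO_DIR
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
# Delegated responder: issued by the same CA and marked OCSPSigning (RFC 6960 4.2.2.2)
[ ocsp_signer_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
# Ordinary VPN client cert: clientAuth only, plus the AIA pointer to the responder
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://localhost:4444/
EOF
  openssl req -new -x509 -config "$DEMO_DIR/ca.cnf" -extensions v3_ca -days 365 \
    -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" \
    -subj /CN=demo-offline-ca 2>/dev/null
  issue_cert ocsp-signer ocsp_signer_ext
  issue_cert client client_ext
}

has_ocsp_signing_eku() {  # $1 = cert file; true when its EKU lists OCSP Signing
  openssl x509 -in "$1" -noout -text | grep -q 'OCSP Signing'
}

check_signer() {  # $1 = basename of signer cert/key; true when its response verifies
  resp="$DEMO_DIR/$1.resp.der"
  rm -f "$resp"
  # Responder side: one request answered from index.txt, signed with rsigner/rkey
  openssl ocsp -index "$DEMO_DIR/index.txt" -CA "$DEMO_DIR/ca.crt" \
    -rsigner "$DEMO_DIR/$1.crt" -rkey "$DEMO_DIR/$1.key" \
    -issuer "$DEMO_DIR/ca.crt" -cert "$DEMO_DIR/client.crt" \
    -no_nonce -respout "$resp" >/dev/null 2>&1 || :
  [ -s "$resp" ] || return 1
  # Client side: the trust anchor goes to -CAfile, i.e. a certificate, never a key
  out=$(openssl ocsp -respin "$resp" -issuer "$DEMO_DIR/ca.crt" \
    -cert "$DEMO_DIR/client.crt" -CAfile "$DEMO_DIR/ca.crt" -no_nonce 2>&1) || return 1
  # "good" is printed even when the signature check fails, so test both strings
  printf '%s\n' "$out" | grep -Fq 'Response verify OK' || return 1
  printf '%s\n' "$out" | grep -Fq 'client.crt: good'
}

build_demo_pki
for name in ca ocsp-signer client; do
  if check_signer "$name"; then echo "$name: OCSP response accepted"
  else echo "$name: OCSP response rejected"; fi
done
```

Running it prints accepted for ca and ocsp-signer and rejected for client; with the client certificate as signer, the verifying side emits the same "missing ocspsigning usage" and "root ca not trusted" pair quoted in the second post. Two points carry over to a real deployment: the delegated signer must be issued by the same CA that issued the certificates it answers for, which is why a cert from a different CA fails even with the EKU, and the value handed to the verifying side (the verify= path in OCSP_check.sh) is used as a trust anchor, so it has to be the CA certificate rather than a key. Because the responder never has to touch ca.key, the CA can stay offline exactly as the first post wanted.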
