When testing certificate revocation functionality on CMTS devices, setting up a proper OCSP responder is crucial. Many developers struggle with OpenSSL's OCSP implementation returning "unknown" status for test certificates. Let me walk through a working solution.
Before starting, ensure you have:
- OpenSSL 1.1.1 or later installed
- Root CA certificate and private key
- Certificate to test in PEM format
- Custom OpenSSL configuration file
First, create an index file for your CA:
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo 01 > demoCA/serial
The most critical part is the OCSP responder configuration. Here's a working example:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rootCA.pem -rkey rootCA.key \
    -CA rootCA.pem -text -out log.txt &
To properly register certificates in the OCSP database:
openssl ca -config openssl.cnf -revoke modem-cert.pem -keyfile rootCA.key \
    -cert rootCA.pem
If you're getting "unknown" responses, check:
- The certificate is properly revoked using the -revoke option
- The index.txt file contains your certificate entry
- You're using the same CA certificate for both signing and verification
Finally, verify the OCSP responder works:
openssl ocsp -CAfile rootCA.pem -issuer rootCA.pem -cert modem-cert.pem \
    -url http://localhost:8888
This should return either "good" or "revoked" status for your test certificate.
For frequent testing, consider this bash script:
#!/bin/bash
# Usage: ./ocsp_test.sh <certificate.pem>
[ -n "$1" ] || { echo "usage: $0 <certificate.pem>" >&2; exit 1; }
# Start OCSP responder
openssl ocsp -index demoCA/index.txt -port 8888 \
    -rsigner rootCA.pem -rkey rootCA.key \
    -CA rootCA.pem -text -out log.txt &
RESPONDER_PID=$!
sleep 1   # give the responder time to bind the port
# Test certificate status
openssl ocsp -CAfile rootCA.pem -issuer rootCA.pem \
    -cert "$1" -url http://localhost:8888
# Cleanup: stop only the responder started above
kill "$RESPONDER_PID"
Save as ocsp_test.sh and run with your certificate as argument.
When testing certificate revocation functionality on CMTS devices, setting up a proper OCSP responder is crucial. Many developers encounter the "unknown" response issue when trying to validate third-party certificates through their OpenSSL-based OCSP server. Let's break down the complete solution.
Before starting, ensure you have:
- OpenSSL 1.1.1 or later installed
- Root CA certificate and private key
- Certificate to be tested in PEM format
- Basic OpenSSL configuration knowledge
Here's the complete workflow to properly configure an OCSP responder:
# Generate OCSP responder key and certificate
openssl genrsa -out ocsp.key 2048
openssl req -new -key ocsp.key -out ocsp.csr
# -extensions ocsp applies the [ ocsp ] section shown below, so the signer gets the OCSPSigning EKU
openssl x509 -req -in ocsp.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ocsp.pem -days 365 -extfile openssl.cnf -extensions ocsp
# Create the OCSP database
touch index.txt
echo 01 > serial
# Add certificate to the database
openssl ca -config openssl.cnf -revoke cert.pem -keyfile rootCA.key -cert rootCA.pem
The "unknown" response typically occurs due to:
- Missing certificate in the OCSP database
- Incorrect index.txt format
- Improper certificate chain configuration
To verify your setup is correct:
openssl ocsp -index index.txt -CA rootCA.pem -rsigner ocsp.pem -rkey ocsp.key -port 2560 -text
Use this command to test your responder:
openssl ocsp -CAfile rootCA.pem -issuer rootCA.pem -cert cert.pem -url http://localhost:2560 -resp_text
For production-like testing, consider adding these parameters to your responder:
openssl ocsp -index index.txt -CA rootCA.pem -rsigner ocsp.pem -rkey ocsp.key -port 2560 -nrequest 1 -timeout 5
For more reliable testing:
- Set proper CRL distribution points in your certificates
- Configure OCSP stapling if testing modern clients
- Use separate CA for OCSP signing in production scenarios
Here's a sample openssl.cnf section for OCSP:
[ ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
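Both posts above trace the "unknown" answer to index.txt, so here is a self-contained script, added as an example and not taken from either post, that shows the whole cycle end to end. It builds a throwaway CA in a temporary directory, issues a device certificate through `openssl ca` (which is what records a "V" row in index.txt), issues a second certificate from the same CA with `openssl x509 -req` (which never touches index.txt), asks a one-shot responder about both, then revokes the first and asks again. The `index_status` function is a pre-flight check that reads index.txt the way the responder does and needs no responder or certificate at all. Everything here is an assumption for the demo: the file names (ca.cnf, rootCA.pem, ocsp.pem, modem.pem, stray.pem), the subjects, port 18888, and the function names; the demo part needs OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not code from either post above): throwaway CA, one-shot OCSP
# responder, and an index.txt pre-flight check that explains "unknown" answers.
# File names, subjects and port 18888 are assumptions for this demo.
set -eu

# index_status SERIAL_HEX INDEX_FILE: print what OpenSSL's responder will answer
# for that serial: a "V" row is good, an "R" row is revoked, and a serial that is
# missing from the file (or any other row type, e.g. "E") is unknown.
index_status() {
    serial=$(printf '%s' "$1" | tr 'a-f' 'A-F')   # openssl ca stores uppercase hex
    awk -F'\t' -v s="$serial" '
        $4 == s { found = 1; type = $1 }           # column 4 of index.txt is the serial
        END {
            if (!found)           print "unknown"
            else if (type == "V") print "good"
            else if (type == "R") print "revoked"
            else                  print "unknown"
        }' "$2"
}
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

write_ca_config() {   # minimal config for `openssl ca`, `req` and the OCSP signer
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/rootCA.pem
private_key = $dir/rootCA.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ocsp ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
EOF
}
csr() {   # csr NAME: private key plus CSR with CN=NAME
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
start_responder() {   # answers exactly one request and exits: fresh index.txt per query
    openssl ocsp -index index.txt -CA rootCA.pem -rsigner ocsp.pem -rkey ocsp.key \
        -port "$1" -nrequest 1 >/dev/null 2>&1 &
    resp_pid=$!
}
ocsp_query() {   # ocsp_query CERT PORT -> good|revoked|unknown
    for try in 1 2 3 4 5; do   # the responder may still be binding its port
        status=$(openssl ocsp -CAfile rootCA.pem -issuer rootCA.pem -cert "$1" \
                     -url "http://127.0.0.1:$2" 2>/dev/null \
                 | awk -v c="$1" -F': ' '$1 == c { print $2 }')
        [ -n "$status" ] && { echo "$status"; return 0; }
        sleep 1
    done
    echo "no-response"
}
report() {   # report CERT PORT: pre-flight prediction next to the live answer
    predicted=$(index_status "$(cert_serial "$1")" index.txt)
    start_responder "$2"
    printf '%s: index.txt predicts %s, responder answered %s\n' \
        "$1" "$predicted" "$(ocsp_query "$1" "$2")"
}
ocsp_demo() {
    cd "$(mktemp -d)" && mkdir newcerts && touch index.txt && echo 01 > serial
    write_ca_config
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj /CN=TestRootCA -keyout rootCA.key -out rootCA.pem 2>/dev/null
    csr ocsp    # responder cert: issued by the same CA, with the OCSPSigning EKU
    openssl ca -config ca.cnf -batch -notext -extensions ocsp -in ocsp.csr -out ocsp.pem 2>/dev/null
    csr modem   # device cert issued with `openssl ca`: gets a "V" row in index.txt
    openssl ca -config ca.cnf -batch -notext -in modem.csr -out modem.pem 2>/dev/null
    csr stray   # same CA, but signed with `x509 -req`: valid chain, no index.txt row
    openssl x509 -req -in stray.csr -CA rootCA.pem -CAkey rootCA.key \
        -set_serial 0x7777 -days 365 -out stray.pem 2>/dev/null
    report modem.pem 18888   # good
    report stray.pem 18888   # unknown
    openssl ca -config ca.cnf -revoke modem.pem 2>/dev/null
    report modem.pem 18888   # revoked
    kill "$resp_pid" 2>/dev/null || true
}
case "${1:-}" in
    demo)   ocsp_demo ;;
    status) index_status "$2" "$3" ;;   # e.g. sh ocsp_check.sh status 02 demoCA/index.txt
esac
```

Run `sh ocsp_check.sh demo` and the three report lines should read good/good, unknown/unknown and revoked/revoked: the responder and the index.txt prediction always agree, because the responder answers from nothing else. The stray certificate is the interesting case: its chain verifies fine against rootCA.pem, yet it comes back unknown, which is exactly what happens to a certificate signed with `openssl x509 -req` (the way the second post creates its responder certificate) or issued by any other tool that does not write to index.txt. `-nrequest 1` is used so that each query starts a fresh responder: that sidesteps index reload timing after `-revoke` and leaves no stray `openssl ocsp` process behind, so no `pkill` is needed. The `status` subcommand (`sh ocsp_check.sh status <serial> <index.txt>`) can be pointed at a real demoCA/index.txt to see what a responder would say before starting one.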