[Easy CA Setup] Building an OCSP Responder and Checking OCSP Queries (OpenSSL)

This article assumes the reader has experience with both Windows and Linux.
By following the steps, you can build an OCSP responder backed by a private certificate authority using OpenSSL.

[Reference] Description of the OCSP model
https://www.ipa.go.jp/security/pki/043.html

Environment

VMware Workstation 16 Player was installed on Windows as the virtualization layer, and Rocky Linux, the successor to CentOS, was installed inside it.

Microsoft Windows 10
└VMware Workstation 16 Player
 └Rocky Linux 8.6
  └OpenSSL 1.1.1k FIPS 25 Mar 2021
  └Apache (httpd-2.4.37-47.module+el8.6.0+823+f143cee1.1.x86_64)

CA structure

A three-tier CA built with OpenSSL (Root CA + intermediate CA + EE certificate)
Root CA → CN=RCA (25 years) ... self-signed certificate of RCA
└□Intermediate CA → CN=SCA01 (15 years) ... CA certificate of SCA01, signed by RCA
 └□EE (End Entity) certificate → CN=*.example.com (825 days) ... TLS server certificate

The CA is assumed to have been built already by following the page below; this article sets up the OCSP responder.
[Easy] Building a Private Certificate Authority and Issuing a TLS Server Certificate (OpenSSL Three-Tier CA) | Japanese PKI Blog (world-tls.com)

OCSP responder

The official documentation for the command is here.
https://www.openssl.org/docs/man1.1.1/man1/ocsp.html

Remove the passphrase from the Root CA key file. You will be prompted for the passphrase; enter "1111a". Note that cakey-no-pass.pem is an unencrypted private key, so keep its file permissions at least as tight as those of the original key.

cp /etc/pki/tls/myca/RCA/private/cakey.pem /etc/pki/tls/myca/RCA/private/cakey-no-pass.pem
openssl rsa -in /etc/pki/tls/myca/RCA/private/cakey-no-pass.pem -out /etc/pki/tls/myca/RCA/private/cakey-no-pass.pem

Remove the passphrase from the intermediate CA key file. You will be prompted for the passphrase; enter "2222a".

cp /etc/pki/tls/myca/SCA01/private/cakey.pem /etc/pki/tls/myca/SCA01/private/cakey-no-pass.pem
openssl rsa -in /etc/pki/tls/myca/SCA01/private/cakey-no-pass.pem -out /etc/pki/tls/myca/SCA01/private/cakey-no-pass.pem

Assuming EE certificates are checked against the intermediate CA, the validity period of each response is set to 7 days (-ndays 7).

Running the following command starts the OCSP responder and leaves it waiting for queries.

Root CA

openssl ocsp -ignore_err -index /etc/pki/tls/myca/RCA/index.txt -CA /etc/pki/tls/myca/RCA/cacert.pem -rsigner /etc/pki/tls/myca/RCA/cacert.pem -rkey /etc/pki/tls/myca/RCA/private/cakey-no-pass.pem -port 8080 -ndays 7

Intermediate CA

openssl ocsp -ignore_err -index /etc/pki/tls/myca/SCA01/index.txt -CA /etc/pki/tls/myca/SCA01/cacert.pem -rsigner /etc/pki/tls/myca/SCA01/cacert.pem -rkey /etc/pki/tls/myca/SCA01/private/cakey-no-pass.pem -port 8081 -ndays 7

Waiting for queries

ocsp: waiting for OCSP client connections…

Stop it with Ctrl+C.

Checking the OCSP responder

Fetch a certificate from the command line

On Linux
Example that saves to /root/ドキュメント/.

openssl s_client -connect www.google.co.jp:443 -showcerts -servername www.google.co.jp >/root/ドキュメント/www.google.co.jp.cer

On Windows
Create the C:\OCSP folder in advance.

openssl s_client -connect www.google.co.jp:443 -showcerts -servername www.google.co.jp >C:\OCSP\www.google.co.jp.cer

A three-tier certificate chain like the following is downloaded.

CONNECTED(000001E0)
---
Certificate chain
 0 s:CN=*.google.co.jp
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 19 08:21:08 2024 GMT; NotAfter: May 13 08:21:07 2024 GMT
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN=*.google.co.jp
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4309 bytes and written 404 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---

Querying the OCSP responder

Root CA

Query the status of the intermediate CA certificate (SHA-1 request)

openssl ocsp -sha1 -CAfile /etc/pki/tls/myca/RCA.pem -issuer /etc/pki/tls/myca/RCA.pem -cert /etc/pki/tls/myca/SCA01/cacert.pem -url http://www1.example.com:8080 -text

Query the status of the intermediate CA certificate (SHA-256 request)

openssl ocsp -sha256 -CAfile /etc/pki/tls/myca/RCA.pem -issuer /etc/pki/tls/myca/RCA.pem -cert /etc/pki/tls/myca/SCA01/cacert.pem -url http://www1.example.com:8080 -text

中間CA

Query the status of the EE certificate (SHA-1 request)

openssl ocsp -sha1 -no_nonce -CAfile /etc/pki/tls/myca/RCA.pem -issuer /etc/pki/tls/myca/SCA01.pem -cert /etc/pki/tls/myca/SCA01-EE-S01/SCA01-EE-S01.crt -url http://www1.example.com:8081 -text

Query the status of the EE certificate (SHA-256 request)

openssl ocsp -sha256 -no_nonce -CAfile /etc/pki/tls/myca/RCA.pem -issuer /etc/pki/tls/myca/SCA01.pem -cert /etc/pki/tls/myca/SCA01-EE-S01/SCA01-EE-S01.crt -url http://www1.example.com:8081 -text

Query by the EE certificate's serial number (SHA-1 request)

openssl ocsp -sha1 -no_nonce -CAfile /etc/pki/tls/myca/RCA.pem -issuer /etc/pki/tls/myca/SCA01.pem -serial 0x73ff7b6e99e146f8674bdb72c65319e5f43a4085 -url http://www1.example.com:8081 -text

Result
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
          Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
          Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = JP, ST = Tokyo, O = CA, CN = SCA01
    Produced At: Jun  9 22:50:29 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
      Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
      Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
    Cert Status: revoked
    Revocation Time: May 27 23:26:27 2022 GMT
    Revocation Reason: superseded (0x4)
    This Update: Jun  9 22:50:29 2022 GMT
    Next Update: Jun 16 22:50:29 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:5a:5a:dc:0f:03:a5:dc:3a:54:30:1f:14:39:c5:de:e9:18:c3:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=CA, CN=RCA
        Validity
            Not Before: May 27 01:57:18 2022 GMT
            Not After : May 23 01:57:18 2037 GMT
        Subject: C=JP, ST=Tokyo, O=CA, CN=SCA01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                99:45:18:55:A2:DE:5A:1D:D5:A4:76:25:B4:C3:3D:56:71:FD:9D:3E
            X509v3 Authority Key Identifier: 
                keyid:37:3E:1B:49:3C:AE:71:72:21:3E:0F:57:A9:72:B9:36:7D:00:EE:BE

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www1.example.com/RCAcrl.crl

            Authority Information Access: 
                CA Issuers - URI:http://www1.example.com/RCA.crt

    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Response verify OK
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked
	This Update: Jun  9 22:50:29 2022 GMT
	Next Update: Jun 16 22:50:29 2022 GMT
	Reason: superseded
	Revocation Time: May 27 23:26:27 2022 GMT

Running the OCSP responders as services

After the service was started, a certificate was issued and revoked and then queried: the first query returned the old value, but the second reflected the change. The index file appears to be read essentially in real time.

Create a file named ocsp1.service (for the Root CA) in /etc/systemd/system/ with the following contents.

[Unit]
Description=OCSP Responder Daemon

[Service]
ExecStart=/etc/pki/tls/myca/sh/ocsp-start-rca.sh
ExecStop=/etc/pki/tls/myca/sh/ocsp-stop.sh

Type=simple

[Install]
WantedBy=multi-user.target

Create a file named ocsp2.service (for the intermediate CA) in /etc/systemd/system/ with the following contents.

[Unit]
Description=OCSP Responder Daemon

[Service]
ExecStart=/etc/pki/tls/myca/sh/ocsp-start-sca01.sh
ExecStop=/etc/pki/tls/myca/sh/ocsp-stop.sh

Type=simple

[Install]
WantedBy=multi-user.target

Contents of /etc/pki/tls/myca/sh/ocsp-start-rca.sh

#!/bin/bash
openssl ocsp -ignore_err -index /etc/pki/tls/myca/RCA/index.txt -CA /etc/pki/tls/myca/RCA/cacert.pem -rsigner /etc/pki/tls/myca/RCA/cacert.pem -rkey /etc/pki/tls/myca/RCA/private/cakey-no-pass.pem -port 8080 -ndays 7
exit 0;

Contents of /etc/pki/tls/myca/sh/ocsp-start-sca01.sh

#!/bin/bash
openssl ocsp -ignore_err -index /etc/pki/tls/myca/SCA01/index.txt -CA /etc/pki/tls/myca/SCA01/cacert.pem -rsigner /etc/pki/tls/myca/SCA01/cacert.pem -rkey /etc/pki/tls/myca/SCA01/private/cakey-no-pass.pem -port 8081 -ndays 7
exit 0;

Contents of /etc/pki/tls/myca/sh/ocsp-stop.sh

#!/bin/bash
killall openssl
exit 0;

Grant execute permission

chmod 744 /etc/systemd/system/ocsp1.service
chmod 744 /etc/systemd/system/ocsp2.service
chmod 744 /etc/pki/tls/myca/sh/ocsp-start-rca.sh
chmod 744 /etc/pki/tls/myca/sh/ocsp-start-sca01.sh
chmod 744 /etc/pki/tls/myca/sh/ocsp-stop.sh

Start the services with the following commands.

systemctl start ocsp1.service
systemctl start ocsp2.service

Stop the services with the following command. (This single command stops both services.)

systemctl stop ocsp1.service

Enable automatic start at boot with the following commands.

systemctl enable ocsp1.service
systemctl enable ocsp2.service

Check the service status with the following commands.

systemctl status ocsp1.service
systemctl status ocsp2.service

Check the status of all services with the following command.

systemctl list-units --type=service
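Because ocsp-stop.sh runs `killall openssl`, stopping either unit also kills the other responder and any unrelated openssl process on the host. As an added alternative that is not part of the original post, the Root CA unit below drops ExecStop and lets systemd terminate only this unit's own processes; it assumes the last line of ocsp-start-rca.sh is changed to `exec openssl ocsp ...` (same arguments as above) so that the responder itself becomes the unit's main process.

```ini
[Unit]
Description=OCSP Responder Daemon (Root CA)
After=network.target

[Service]
Type=simple
# ocsp-start-rca.sh is assumed to start the responder with "exec", so the
# openssl process is the main PID of this unit. No ExecStop is needed:
# "systemctl stop ocsp1.service" sends SIGTERM to this unit's processes
# only (KillMode=control-group is the default), leaving ocsp2 untouched.
ExecStart=/etc/pki/tls/myca/sh/ocsp-start-rca.sh
# Restart the responder automatically if it exits with an error.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```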
