wolfSSL’s OCSP and OCSP-Stapling Support

Sometimes X.509 certificates need to be revoked before they expire, and relying parties need a way to find out. One way to distribute revocation status is a CRL (Certificate Revocation List), but that is a topic for another time. Today we'll focus on OCSP (Online Certificate Status Protocol, RFC 6960).

OCSP lets a client send a real-time query to the certificate authority's OCSP responder, which replies with a signed response stating whether a specific certificate is good, revoked, or unknown to the responder. With OCSP stapling (the TLS Certificate Status Request extension, RFC 6066), the server makes that query itself, caches the signed response, and "staples" it into the TLS handshake, so the client receives the certificate's status without contacting the responder and without revealing to the CA which sites it visits. Because the response is signed by the CA (or a responder the CA has delegated to), the client can verify it even though it arrives from the very server whose certificate is being checked.
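To make the stapling path concrete, here is an added example (written for this article, not code from wolfSSL) of the TLS 1.2 message framing involved: the client's status_request extension, the server's CertificateStatus message, and a decoder for the outer responseStatus of the stapled OCSPResponse. The two DER responses embedded in it are constructed samples, not captured responder output. In TLS 1.3 the same OCSPResponse travels in an extension of the Certificate message rather than in a separate CertificateStatus message.

```c
/* Added example, not wolfSSL code: TLS 1.2 framing of a stapled OCSP response
 * (RFC 6066 section 8). Client sends the status_request extension (type 5);
 * server answers with a CertificateStatus handshake message (type 22) that
 * wraps a DER OCSPResponse (RFC 6960 4.2.1):
 *   SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
 * Only the framing and outer responseStatus are decoded here. A real client
 * (wolfSSL included) must also verify the response signature, match the certID
 * to the server certificate, and check the thisUpdate/nextUpdate window. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLSEXT_STATUS_REQUEST 0x0005
#define STATUS_TYPE_OCSP      1
#define HS_CERTIFICATE_STATUS 22

/* OCSPResponseStatus values (RFC 6960; value 4 is unused). */
enum { OCSP_SUCCESSFUL = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2,
       OCSP_TRY_LATER = 3, OCSP_SIG_REQUIRED = 5, OCSP_UNAUTHORIZED = 6 };

/* Constructed samples, not captured from a real responder. The "successful"
 * one carries id-pkix-ocsp-basic plus a two-byte placeholder where the signed
 * BasicOCSPResponse would be; "tryLater" is what an overloaded responder
 * returns and carries no certificate status at all. */
static const uint8_t kOcspSuccessful[] = {
    0x30, 0x16, 0x0a, 0x01, 0x00, 0xa0, 0x11, 0x30, 0x0f, 0x06, 0x09,
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x02, 0x30, 0x00 };
static const uint8_t kOcspTryLater[] = { 0x30, 0x03, 0x0a, 0x01, 0x03 };

/* Client: status_request extension with empty responder_id_list and
 * request_extensions. Returns bytes written, 0 if out is too small. */
size_t encode_status_request(uint8_t *out, size_t cap)
{
    static const uint8_t body[] = { STATUS_TYPE_OCSP, 0, 0, 0, 0 };
    if (cap < 4 + sizeof body) return 0;
    out[0] = TLSEXT_STATUS_REQUEST >> 8; out[1] = TLSEXT_STATUS_REQUEST & 0xff;
    out[2] = 0; out[3] = (uint8_t)sizeof body;
    memcpy(out + 4, body, sizeof body);
    return 4 + sizeof body;
}

/* Server: CertificateStatus = msg_type(1) len(3) status_type(1) rlen(3) DER. */
size_t encode_certificate_status(const uint8_t *der, size_t der_len,
                                 uint8_t *out, size_t cap)
{
    size_t body = 4 + der_len;
    if (der_len == 0 || der_len > 0xffffff || cap < 4 + body) return 0;
    out[0] = HS_CERTIFICATE_STATUS;
    out[1] = (uint8_t)(body >> 16); out[2] = (uint8_t)(body >> 8); out[3] = (uint8_t)body;
    out[4] = STATUS_TYPE_OCSP;
    out[5] = (uint8_t)(der_len >> 16); out[6] = (uint8_t)(der_len >> 8); out[7] = (uint8_t)der_len;
    memcpy(out + 8, der, der_len);
    return 4 + body;
}

/* Client: unwrap CertificateStatus, checking every length against the bytes
 * actually received. Returns 1 and points at the DER on success, else 0. */
int parse_certificate_status(const uint8_t *msg, size_t len,
                             const uint8_t **der, size_t *der_len)
{
    if (len < 8 || msg[0] != HS_CERTIFICATE_STATUS || msg[4] != STATUS_TYPE_OCSP) return 0;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    size_t rlen = ((size_t)msg[5] << 16) | ((size_t)msg[6] << 8) | msg[7];
    if (body != len - 4 || rlen == 0 || rlen != body - 4) return 0;
    *der = msg + 8; *der_len = rlen;
    return 1;
}

/* DER length at p (short or long form up to 4 bytes); returns header size or 0. */
static size_t der_read_len(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }
    size_t n = p[0] & 0x7f, v = 0;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Outer responseStatus of an OCSPResponse, or -1 if it is not a well-formed
 * SEQUENCE { ENUMERATED ... } exactly filling `len` bytes. */
int ocsp_response_status(const uint8_t *der, size_t len)
{
    size_t hl, body;
    if (len < 2 || der[0] != 0x30) return -1;
    hl = der_read_len(der + 1, len - 1, &body);
    if (hl == 0 || 1 + hl + body != len) return -1;
    const uint8_t *p = der + 1 + hl;
    if (body < 3 || p[0] != 0x0a || p[1] != 0x01) return -1;
    return p[2];
}

/* Both sides in one place: server staples `der`, client unwraps it and reads
 * the responseStatus. Anything but OCSP_SUCCESSFUL means the staple carries no
 * usable status; policy then decides between a direct OCSP query and failing. */
int staple_roundtrip(const uint8_t *der, size_t der_len)
{
    uint8_t msg[64];
    const uint8_t *got; size_t got_len;
    size_t n = encode_certificate_status(der, der_len, msg, sizeof msg);
    if (n == 0 || !parse_certificate_status(msg, n, &got, &got_len)) return -1;
    return ocsp_response_status(got, got_len);
}

int main(void)
{
    uint8_t ext[16];
    size_t n = encode_status_request(ext, sizeof ext);
    printf("status_request (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", ext[i]);
    printf("\nsuccessful -> %d\ntryLater   -> %d\n",
           staple_roundtrip(kOcspSuccessful, sizeof kOcspSuccessful),
           staple_roundtrip(kOcspTryLater, sizeof kOcspTryLater));
    return 0;
}
```

The tryLater case is the one worth internalising: a staple whose responseStatus is not successful says nothing about the certificate, so the client has to decide, as a matter of policy, whether to query the responder itself or fail the handshake; silently treating it as "good" is the classic soft-fail mistake. Signature verification, certID matching and freshness checks are what wolfSSL performs on top of this framing before it trusts a stapled status.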

wolfSSL supports OCSP and OCSP stapling on both the client and the server side, and it also ships an OCSP responder.

There are four related build flags:

Feature                                                   Build flag
OCSP client (basic revocation checking)                   --enable-ocsp
OCSP stapling (TLS Certificate Status Request, RFC 6066)  --enable-ocspstapling
OCSP stapling v2 (multi-staple, RFC 6961)                 --enable-ocspstapling2
OCSP responder                                            --enable-ocsp-responder

You can run the example server, client and OCSP responder with the -? command line parameter to get usage information. In the example sources (examples/server/server.c and examples/client/client.c) you can search for the HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST macros to see how the related APIs are used and how they can fit into your application.

As a quick-start, build with the following configuration:

./configure --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 --enable-ocsp-responder

Then run these three commands from the wolfSSL source root, in separate terminals. The responder listens on port 22221, answers for the certificates listed in the index file, and signs its responses with the intermediate CA key. The server presents a certificate issued by that intermediate CA and obtains a stapled response for it. The client disables CRL checking (-C), requests OCSP stapling (-W 1) and verifies the chain against the root CA (-A):

./examples/ocsp_responder/ocsp_responder -v -p 22221 \
    -i certs/ocsp/index-intermediate1-ca-issued-certs.txt \
    -c certs/ocsp/intermediate1-ca-cert.pem \
    -k certs/ocsp/intermediate1-ca-key.pem

./examples/server/server -p 11111 \
    -c certs/ocsp/server1-cert.pem \
    -k certs/ocsp/server1-key.pem

./examples/client/client -C -W 1 -p 11111 \
    -A certs/ocsp/root-ca-cert.pem

This yields a successful connection, because the stapled response reports server1's certificate as good. To see the revoked case, replace the server command with the following: the responder reports server2's certificate as revoked, so the client rejects the handshake.

./examples/server/server -p 11111 \
    -c certs/ocsp/server2-cert.pem \
    -k certs/ocsp/server2-key.pem

For more in-depth usage of our OCSP features, please have a look at our wolfSSL Examples.

As you get further into your journey with secure protocols, you will inevitably need to revoke certificates. Let us help you do that. Any further questions can go to support@wolfssl.com.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now