
We can configure OCSP in Tomcat using:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               secure="true" scheme="https"
               SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
               SSLCertificateKeyFile="/path/to/ocsp-cert.key"
               SSLCACertificateFile="/path/to/ca.pem"
               SSLVerifyClient="require"
               SSLVerifyDepth="10"
               clientAuth="true"/>

As mentioned in the Tomcat documentation: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_OCSP_Certificates

But from that documentation I didn't get where OCSP is performed: on the server side (for revoking client certificates) or on the client side (for revoking server certificates)?

harish chava
    In general OCSP can be performed by any relier, but Tomcat is a server so giving it an OCSP-enabled cert for presentation to clients allows the clients to validate the server cert. – dave_thompson_085 Jun 29 '18 at 14:19
  • So by the above configuration the client (browser) uses OCSP for revoking the server certificate, and the OCSP URL is taken from the server certificate. How can I have OCSP configured on the server side for client certificate revocation checks? – harish chava Jun 29 '18 at 14:55
  • The above configuration has the **SSLVerifyClient** attribute set to **require**, so if the client certificate has an OCSP URL provided, does the server automatically perform OCSP for client certificate revocation? – harish chava Jun 29 '18 at 15:01
  • For implementing client certificate revocation using OCSP, is configuring Tomcat alone enough, or do I need to write a custom class for **X509TrustManager**, which is in the JSSE Tomcat configuration? – harish chava Jul 02 '18 at 11:31
  • You are using APR aka tomcat-native which uses OpenSSL (not JSSE), and OpenSSL's cert validation does not do OCSP; I don't know if the Apache layer adds it, and don't have time to investigate right now, sorry. It might be quicker to just test it. – dave_thompson_085 Jul 03 '18 at 07:25
  • @dave_thompson_085 Is there any way of implementing the same using the Tomcat JSSE (NIO/BIO) connector? I started with JSSE only, but I didn't find any way with JSSE, so I shifted to the APR protocol for client certificate revocation. – harish chava Jul 03 '18 at 13:11
  • [The Java validator can be configured for OCSP](https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC) (not default) only when CRL checking is used. According to the Tomcat source I have on hand (8.0.36) this happens (only) if you configure crlFile (an empty file should be okay for `cf.generateCRLs()`), but 8.5 and 9.0 change SSL/TLS config substantially and I haven't looked at them in detail yet. – dave_thompson_085 Jul 05 '18 at 02:41
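Added example, not part of the question, the comments or Tomcat itself: the last comment above describes the JSSE route for checking client certificates against OCSP (the PKIX validator with revocation checking, which Tomcat wires up when a `crlFile` is configured). The snippet below builds that kind of `X509TrustManager` directly with the `PKIXRevocationChecker` API that Java 8 added, so the server side performs OCSP on the client chain, with a CRL fallback and hard failure when no revocation status can be obtained. Assumptions: the CA bundle is in a PKCS12 truststore at a caller-supplied path, and the client certificates carry an OCSP responder URL in their AIA extension; the class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical helper (not Tomcat code): a JSSE X509TrustManager whose PKIX
 * validation performs OCSP revocation checks on the presented client chain.
 */
public final class OcspClientAuthTrustManager {

    private OcspClientAuthTrustManager() {}

    /** Builds the trust manager from a PKCS12 truststore holding the client CA(s). */
    public static X509TrustManager build(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }

        // Trust anchors come from the truststore; no extra target constraints on the leaf.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(ts, new X509CertSelector());
        pkix.setRevocationEnabled(true);

        // Revocation checker: with no options set, OCSP is preferred (URL from the
        // certificate's AIA extension), CRL distribution points are the fallback, and
        // an unobtainable status fails validation. SOFT_FAIL is deliberately not set,
        // so an unreachable responder does not silently admit the client.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        pkix.addCertPathChecker(rc);

        // Hand the PKIX parameters to the PKIX TrustManagerFactory; the resulting
        // trust manager can be passed to SSLContext.init() for a JSSE connector.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    /**
     * Validates a client chain outside of a live handshake (e.g. in a test harness).
     * Throws CertificateException if the chain is untrusted or any cert is revoked.
     */
    public static void verifyClientChain(X509TrustManager tm, X509Certificate[] chain)
            throws CertificateException {
        tm.checkClientTrusted(chain, "RSA");
    }
}
```

The `ocsp.enable` security property mentioned in the linked CertPath guide is the pre-Java-8 way of turning on the same check and still works with `setRevocationEnabled(true)`; the explicit `PKIXRevocationChecker` is preferable because the fallback and fail-open behaviour are stated in code rather than in a JVM-wide property. For detection purposes, a client chain rejected here surfaces as a handshake failure on the server side, so logging the `CertPathValidatorException` reason (revoked versus responder unreachable) is worth adding before deploying.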

0 Answers