[Pki-users] OCSP Responder with Multiple CA's

Rick Tracy rtracy at opencloudconsultants.com
Sat Aug 13 01:38:17 UTC 2011


I have multiple CAs set up in multiple security domains.  I have set up a
separate OCSP responder that sits in the DMZ and I would like for it to
respond to OCSP requests for all of the CAs.  It seems to
be communicating with all the CAs OK...  I can paste a certificate from any
of the CAs into the Check Certificate Status form and it properly validates
it.  The problem that I am having is that when a client uses OCSP to
validate a certificate it appears to fail because the certificate used by
the OCSP responder to sign the response was not issued by the same CA that
issued the cert.  In the RHCS Deployment Guide (version 8.0) it states:

> 2.1.3.1. OCSP Response Signing
>
> Every response that the client receives, including a rejection notification,
> is digitally signed by the responder; the client is expected to verify the
> signature to ensure that the response came from the responder to which it
> submitted the request. The key the responder uses to sign the message
> depends on how the OCSP responder is deployed in a PKI setup. RFC 2560
> recommends that the key used to sign the response belong to one of the
> following:
>
> - The CA that issued the certificate whose status is being checked.
> - A responder with a public key trusted by the client. Such a responder is
> called a *trusted responder*.
> - A responder that holds a specially marked certificate issued to it
> directly by the CA that revokes the certificates and publishes the CRL.
> Possession of this certificate by a responder indicates that the CA has
> authorized the responder to issue OCSP responses for certificates revoked by
> the CA. Such a responder is called a *CA-designated responder* or a
> *CA-authorized responder*.

I don't think the first option is available in my environment... the
CAs will have no direct access from the internet, which is part of the
reason we are using the OCSP responder.

The second option is not favored because I believe it would require
distributing the OCSP responder certificate to all the client applications.

Which leaves the third option.  I have tried going through the wizard in
pkiconsole on the OCSP responder and creating OCSP signing certificate
requests for each of the CAs we are using, requesting them using the Manual
OCSP Manager Signing Certificate profiles on each CA and loading the signed
cert back in through the wizard.  But whenever it sends an OCSP response it
does not seem to pick the right key to sign the response.  Is there some
step I am missing to link keys with CAs?  Is this even supported in
Dogtag?

Any help or pointers would be appreciated.


Thanks
RT