You're reading from Demystifying Cryptography with OpenSSL 3.0 Discover the best techniques to enhance your network security with OpenSSL 3.0

Product type Paperback

Published in Oct 2022

Publisher Packt

ISBN-13 9781800560345

Length 342 pages

Edition 1st Edition

Languages

Tools

Wireshark

Concepts

Cryptography

Author (1):

Alexei Khlebnikov

View More author details

Table of Contents (20) Chapters

Preface

1. Part 1: Introduction

2. Chapter 1: OpenSSL and Other SSL/TLS Libraries FREE CHAPTER

3. Part 2: Symmetric Cryptography

4. Chapter 2: Symmetric Encryption and Decryption

5. Chapter 3: Message Digests

6. Chapter 4: MAC and HMAC

7. Chapter 5: Derivation of an Encryption Key from a Password

8. Part 3: Asymmetric Cryptography and Certificates

9. Chapter 6: Asymmetric Encryption and Decryption

10. Chapter 7: Digital Signatures and Their Verification

11. Chapter 8: X.509 Certificates and PKI

12. Part 4: TLS Connections and Secure Communication

13. Chapter 9: Establishing TLS Connections and Sending Data over Them

14. Chapter 10: Using X.509 Certificates in TLS

15. Chapter 11: Special Usages of TLS

16. Part 5: Running a Mini-CA

17. Chapter 12: Running a Mini-CA

18. Index

Why subscribe?

19. Other Books You May Enjoy

Packt is searching for authors like you

Providing certificate revocation status via OCSP

To serve OCSP responses, we have to sign them. An OCSP response for a certificate can be signed by its issuer certificate. The same issuer can also issue another certificate for signing OCSP requests. That certificate must have OCSPSigning included in the X509v3 extendedKeyUsage extension.

When we created the intermediate CA config file, we included the following X509v3 extensions section:

[v3_ocsp_cert]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der
authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/

That X509v3 extensions section will help us to generate a certificate for an OCSP responder. Let’s make this certificate: