tomcat-dev mailing list archives

Subject svn commit: r1820279 - in /tomcat/trunk/webapps/docs: changelog.xml ssl-howto.xml
Date Fri, 05 Jan 2018 10:59:48 GMT
Author: markt
Date: Fri Jan  5 10:59:48 2018
New Revision: 1820279

Add OCSP configuration information to the SSL How-To.
Patch provided by Marek Czernek.


Modified: tomcat/trunk/webapps/docs/changelog.xml
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jan  5 10:59:48 2018
@@ -158,6 +158,10 @@
         <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code>
         option in the documentation web application. (markt)
+      <add>
+        Add OCSP configuration information to the SSL How-To. Patch provided by
+        Marek Czernek. (markt)
+      </add>
   <subsection name="Other">
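Review bot: the new `<add>` entry lands directly after the `(markt)` line of the preceding `<bug>61910</bug>` fix and immediately before `<subsection name="Other">`, and the hunk as displayed shows no closing tag for that earlier entry in between; confirm in the full file that the `<add>` is a sibling of the preceding `<fix>` inside the same `<changelog>` element rather than nested inside it, otherwise the changelog stylesheet will not render it as its own entry. The entry text itself matches the commit message and the style of the surrounding entries.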

Modified: tomcat/trunk/webapps/docs/ssl-howto.xml
--- tomcat/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/trunk/webapps/docs/ssl-howto.xml Fri Jan  5 10:59:48 2018
@@ -425,6 +425,111 @@ After that you can proceed with importin
+<section name="Using OCSP Certificates">
+<p>To use Online Certificate Status Protocol (OCSP) with Apache Tomcat, ensure
+  you have downloaded, installed, and configured the
+  <a href="">
+    Tomcat Native Connector</a>.
+Furthermore, if you use the Windows platform, ensure you download the
+ocsp-enabled connector.</p>
+<p>To use OCSP, you require the following:</p>
+  <li>OCSP-enabled certificates</li>
+  <li>Tomcat with SSL APR connector</li>
+  <li>Configured OCSP responder</li>
+<subsection name="Generating OCSP-Enabled Certificates">
+<p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP
+  responder location encoded in the certificate. The basic OCSP-related
+  certificate authority settings in the <code>openssl.cnf</code> file could look
+  as follows:</p>
+#... omitted for brevity
+x509_extensions = v3_issued
+# The address of your responder
+authorityInfoAccess = OCSP;URI:
+keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly
+nsComment="Testing OCSP Certificate"
+#... omitted for brevity
+<p>The settings above encode the OCSP responder address
+  <code></code> into the certificate. Note that for the following
+   steps, you must have <code>openssl.cnf</code> and other configuration of
+   your CA ready. To generate an OCSP-enabled certificate:</p>
+  <li>
+    Create a private key:
+    <source>openssl genrsa -aes256 -out ocsp-cert.key 4096</source>
+  </li>
+  <li>
+    Create a signing request (CSR):
+    <source>openssl req -config openssl.cnf -new -sha256 \
+  -key ocsp-cert.key -out ocsp-cert.csr</source></li>
+  <li>
+    Sign the CSR:
+    <source>openssl ca -openssl.cnf -extensions ocsp -days 375 -notext \
+  -md sha256 -in ocsp-cert.csr -out ocsp-cert.crt</source>
+  </li>
+  <li>
+    You may verify the certificate:
+    <source>openssl x509 -noout -text -in ocsp-cert.crt</source>
+  </li>
+<subsection name="Configuring OCSP Connector">
+<p>To configure the OCSP connector, first verify that you are loading the Tomcat
+   APR library. Check the <a href="apr.html#Installation">
+   Apache Portable Runtime (APR) based Native library for Tomcat</a>
+for more information about installation of APR. A basic OCSP-enabled connector
+ definition in the <code>server.xml</code> file looks as follows:</p>
+<![CDATA[<Connector port="8443"
+   protocol="org.apache.coyote.http11.Http11AprProtocol"
+   secure="true" scheme="https"
+   SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
+   SSLCertificateKeyFile="/path/to/ocsp-cert.key"
+   SSLCACertificateFile="/path/to/ca.pem"
+   SSLVerifyClient="require"
+   SSLVerifyDepth="10"
+   clientAuth="true"/>]]>
+<subsection name="Starting OCSP Responder">
+  <p>Apache Tomcat will query an OCSP responder server to get the certificate
+  status. When testing, an easy way to create an OCSP responder is by executing
+   the following:
+  <source>openssl ocsp -port \
+    -text -sha256 -index index.txt \
+    -CA ca-chain.cert.pem -rkey ocsp-cert.key \
+    -rsigner ocsp-cert.crt</source> </p>
+ <p>Do note that when using OCSP, the responder encoded in the connector
+   certificate must be running. For further information, see
+   <a href="">
+     OCSP documentation
+   </a>.
+ </p>
 <section name="Troubleshooting">
 <p>Here is a list of common problems that you may encounter when setting up
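Review bot: the signing step in "Generating OCSP-Enabled Certificates" is wrong as written: `openssl ca -openssl.cnf -extensions ocsp -days 375 -notext \` drops the `-config` option (compare the CSR step, `openssl req -config openssl.cnf -new -sha256 \`) and asks for an extensions section named `ocsp` while the openssl.cnf fragment above it declares `x509_extensions = v3_issued`; change it to `openssl ca -config openssl.cnf -extensions v3_issued ...` or rename the section so command and config agree. The `keyUsage` line in that fragment is also far too broad for a TLS server certificate: `keyCertSign` and `cRLSign` are CA-only bits that an end-entity certificate should not assert, and `encipherOnly`/`decipherOnly` are only meaningful together with `keyAgreement`; `keyUsage = critical,digitalSignature,keyEncipherment` is the usual setting for this purpose. Further points in the same hunk: `authorityInfoAccess = OCSP;URI:`, `openssl ocsp -port \`, the `<code></code>` after "responder address" and both `<a href="">` links are empty, so real values or clearly marked placeholders are needed before this ships; the test responder signs with the server certificate's own key (`-rkey ocsp-cert.key -rsigner ocsp-cert.crt`), which clients only accept when that certificate is the issuer or carries the OCSP signing extended key usage issued by the CA, so the text should state which of those the example relies on; the connector example sets both `SSLVerifyClient="require"` and `clientAuth="true"`, which configure the same client certificate requirement; and as displayed the `<li>` items under "To use OCSP, you require the following:" have no enclosing `<ul>`, the openssl.cnf fragment and the CDATA connector block are not wrapped in `<source>`, and neither the three `<subsection>` elements nor the "Using OCSP Certificates" `<section>` are closed before `<section name="Troubleshooting">`, so verify the file still validates and builds with the docs stylesheet.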
