
DoD PKI and the Beat of a Different Drummer, Part 1

So, several years after first implementing the use of client and server X.509 certificates, DoD finally stands up an OCSP service. Good thing, because the relevant CRL files total over 200 megabytes, with some of them having a lifetime as brief as 18 hours.

But they had to do it a little differently. For starters, self-signed certificates are used to sign the responses. That caused some problems for my DoD client, because Apache mod_ssl assumes the OCSP responses will be signed by a certificate in the CA chain. With a little prodding from me, Dr. Stephen Henson of OpenSSL fame came up with a patch to implement a new directive to specify trusted signer certificates: https://issues.apache.org/bugzilla/show_bug.cgi?id=46037.

This patch implements the configuration directive SSLOCSPResponderCertificateFile, documented as follows:

Description: Set of trusted PEM encoded OCSP responder certificates
Syntax: SSLOCSPResponderCertificateFile file
Compatibility: Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later

“This supplies a list of trusted OCSP responder certificates to be used during OCSP responder certificate validation. The supplied certificates are implicitly trusted without any further validation. This is typically used where the OCSP responder certificate is self signed or omitted from the OCSP response.”
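To make the failure mode concrete, here is an added example (my own, not code from the post, the patch or OpenSSL) that replays the situation with the openssl command line: it builds a throwaway CA, a server certificate and a self-signed OCSP responder certificate, signs a response offline, and then checks that response twice, once trusting only the CA chain (the check stock mod_ssl performed, which fails for a self-signed signer) and once with the responder certificate supplied as an explicitly trusted signer via -VAfile, the CLI counterpart of what the directive above supplies. It also writes the matching httpd directives into a snippet. It assumes an openssl binary of 1.1.1 or later on the PATH (for -addext); the names, the serial 0x1001, the index entry and the temporary working directory are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce the mod_ssl situation with the
# openssl CLI. A self-signed OCSP responder signs a response; a relying party that only
# trusts the CA chain (stock mod_ssl) rejects it, one that is given the responder cert as
# an explicitly trusted signer (what SSLOCSPResponderCertificateFile supplies) accepts it.
# All names, the serial, the index entry and the throwaway PKI are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}

build_demo_pki() {
    ec="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
    # Issuing CA and a server certificate with serial 0x1001.
    openssl req -x509 $ec -days 30 -subj /CN=Demo-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new $ec -subj /CN=www.example.test \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 30 -out "$WORK/server.pem" 2>/dev/null
    # OCSP responder certificate that is NOT issued by the CA: self-signed, as in the post.
    openssl req -x509 $ec -days 30 -subj /CN=Demo-OCSP-Responder \
        -addext extendedKeyUsage=OCSPSigning \
        -keyout "$WORK/responder.key" -out "$WORK/responder.pem" 2>/dev/null
    # Minimal 'openssl ca' style index: the server cert (serial 1001 hex) is valid.
    printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=www.example.test\n' >"$WORK/index.txt"
}

sign_response_offline() {
    # Build the client-side request for the server cert, then answer it as the responder
    # (no network: -reqin/-respout), signing with the self-signed responder key.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/server.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/responder.pem" -rkey "$WORK/responder.key" -rmd sha256 \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null
}

# Relying-party check. Returns openssl's status: 0 = response accepted, non-zero = rejected.
# "$@" carries the trust configuration: -CAfile (chain trust only) or -VAfile (explicit signer).
relying_party_accepts() {
    openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/ca.pem" -cert "$WORK/server.pem" \
        -no_nonce "$@" >"$WORK/last-verify.txt" 2>&1
}

# httpd configuration giving mod_ssl the same explicit trust (directive from the patch).
write_httpd_snippet() {
    cat >"$WORK/httpd-ocsp.conf" <<EOF
SSLVerifyClient require
SSLOCSPEnable on
SSLOCSPResponderCertificateFile $WORK/responder.pem
EOF
}

build_demo_pki
sign_response_offline
write_httpd_snippet
if relying_party_accepts -CAfile "$WORK/ca.pem"; then
    echo "chain-only trust: accepted (unexpected for a self-signed responder)"
else
    echo "chain-only trust: rejected -> $(grep -m1 'Response' "$WORK/last-verify.txt")"
fi
if relying_party_accepts -VAfile "$WORK/responder.pem"; then
    echo "explicit responder trust: $(grep -m1 'Response' "$WORK/last-verify.txt")"
fi
echo "artifacts left in $WORK (httpd snippet: $WORK/httpd-ocsp.conf)"
```

Because SSLOCSPResponderCertificateFile (like -VAfile here) trusts whatever it lists without building a chain, the file should hold only the exact responder certificate(s), be protected like any other trust anchor, and be replaced when the responder re-keys; the first check shows that a relying party without that list rejects the response outright.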

Opinions expressed herein are not necessarily those of Veridical Systems, OpenSSL, DoD, the author's evil twin Skippy, or anyone else possibly including the author himself.