Test CRL signing
In this section, we test CRL signing and OCSP Database creation. To simplify this demonstration, we pull certificates from a Defense Information Systems Agency (DISA) repository.
Go to the Add Certificates menu, select CA Certificates [OCSP Protocol], then select [ Submit ].
Select LDAP Server, then select [ Submit Certificate Import Method ].
On the Import Certificates from LDAP Server page, set the Host Name to "crl.chamb.disa.mil". Leave all of the other fields at their defaults and select [ Get LDAP Certificates ].
At the time of this writing, DISA supports port 389 for importing certificates from their LDAP server. However, recently they announced that soon they will only support Secure LDAP (LDAPS), which uses port 636. If port 389 does not work for you, attempt to use port 636 anonymously instead.
If the VA Server connects to the LDAP server successfully, you will see a list of certificates on the next page. Scroll to the bottom and select [ Submit Certificates ].
Expect to see the following error:
This can be disregarded. It just means that at least one certificate out of approximately 50 failed to load. Select [ Go Back ].
Scroll to the bottom of the Configure VA Certificate Store page and select [ Next Step ].
On the Configure CRL Imports page, leave "In an LDAP Directory" selected as the CRL Source and select [ Add CRL Source ].
On the Configure CRL Import (LDAP) page we'll see that the LDAP Host field is auto-populated with the address we previously entered. Leave all of the fields as-is and select [ Find Available CRLs ] at the bottom.
Scroll to the bottom of the Available CRLs for Import page and select [ Schedule Import of Checked CRLs ].
Select [ Next Step ] on the Configure CRL Imports page.
On the Configure Server URLs page everything can be left at its default as long as port 80 is available on the machine (by default the server URL is configured to use port 80). If port 80 is already taken, either free it up so that Axway VA can use it, or configure a different port. Once you've finished configuring the server URLs, select [ Submit ].
On Windows, sometimes the IIS service will have port 80 reserved. On Linux, sometimes the Apache service will have port 80 reserved.
If the request is successful you will see the following message:
Select [ Next Step ].
Leave all of the settings as default on the VA Responder Server Configuration Parameters page and select [ Submit Configuration Parameters ].
You should see the following message:
Select [ Next Step ].
On the Start/Stop Server page, type in the password of the server, then select [ Start Server ].
If the server starts successfully the Start Server button will become grayed out and the Stop Server button will become clickable.
Go to Server Settings > CA options.
Select the DOD EMAIL CA-41 CA, then select [ Configure CA Options ] at the top of the page.
On the VA Responder CA Options Configuration page there are two settings that need to be modified:
- Under OCSP Response Settings, change the Validity period of CRL to the next 7 days.
- Under Pre-computation Options, check the Pre-compute OCSP Data checkbox, then select Only Revoked Certificates.
Select [ Submit CA Configuration Parameters ] at the bottom of the page. You should see a message that the CA configuration options have been successfully modified.
Go back to Server Settings > CA options.
Select the DOD EMAIL CA-41 CA, then select [ Configure CA Specific OCSP Signing Certificate ] at the top of the page.
On the Set CA Specific OCSP Signing Certificate page you will be able to see the OCSP signing key that was created earlier on the HSM.
Select [ Submit ] and you should see a message saying that the CA-specific OCSP signing certificate/key was set successfully.
Go to the Start/Stop Server page, enter the password, then select [ Stop Server ].
Go to CRLs > CRLs & OCSP Databases. Find DOD EMAIL CA-41 and select [ Flush CRLs ].
Disregard the warning and proceed by selecting [ Flush CRL and OCSP DB Information ]. You should see a message that the CRLs and OCSP databases for the specified CA have been cleaned successfully.
Go to the Start/Stop Server page, enter the password, then select [ Start Server ].
Go to CRLs > CRLs & OCSP Databases. Find DOD EMAIL CA-41 and in the OCSP response database field verify the CRLs have finished downloading and the OCSP database has been successfully created.
You should see a list including the Subject, Issuer, Serial number, Last Fetch date, etc. This result confirms that VA Server was able to use the OCSP response signing key stored on the HSM to sign the OCSP data built from the CRLs that were downloaded for DOD EMAIL CA-41.
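The same trust relationship the procedure above establishes (a CA-specific OCSP signing certificate answering for the CA's revocation data, verified by a client that chains the signer back to the CA) can be reproduced offline with OpenSSL. This is an added example, not Axway VA or DISA code: it assumes the openssl CLI is installed and stands up a constructed throwaway CA, delegated OCSP signer and revoked leaf certificate in place of DOD EMAIL CA-41, the HSM-held key and the imported CRL.

```shell
#!/bin/sh
# Added example (not Axway's code): a throwaway PKI in which a delegated OCSP
# signing certificate (extendedKeyUsage=OCSPSigning) answers for a revoked
# certificate, and the client verifies the response chains to the CA.
# Every certificate, key and revocation record below is constructed locally.
set -eu

ocsp_roundtrip() {
  work=$(mktemp -d)
  cd "$work"
  # Throwaway CA with the extensions a verifier requires of an OCSP chain.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -subj "/CN=Constructed Test CA" -out ca.csr 2>/dev/null
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext -out ca.pem 2>/dev/null
  # Delegated OCSP signer issued by the CA (the HSM key's role in the VA setup).
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=critical,OCSPSigning\n' > ocsp.ext
  openssl genrsa -out ocsp.key 2048 2>/dev/null
  openssl req -new -key ocsp.key -subj "/CN=Constructed OCSP Signer" -out ocsp.csr 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 -days 30 \
    -extfile ocsp.ext -out ocsp.pem 2>/dev/null
  # End-entity certificate that the revocation data will mark as revoked.
  openssl genrsa -out leaf.key 2048 2>/dev/null
  openssl req -new -key leaf.key -subj "/CN=Constructed Leaf" -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -days 30 \
    -out leaf.pem 2>/dev/null
  # Revocation record in OpenSSL index.txt form (status, expiry, revocation
  # time, serial, file, subject); this stands in for the imported CRL.
  now=$(date -u +%y%m%d%H%M%SZ)
  printf 'R\t491231235959Z\t%s\t1001\tunknown\t/CN=Constructed Leaf\n' "$now" > index.txt
  # Client builds a request for the leaf; the responder signs an answer whose
  # nextUpdate is 7 days out, matching the validity period used in the VA steps.
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der 2>/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key -ndays 7 \
    -reqin req.der -respout resp.der 2>/dev/null
  # Client verification: the signature must come from a signer that chains to
  # the trusted CA and carries the OCSPSigning EKU; then the status is read.
  out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -respin resp.der -CAfile ca.pem 2>&1)
  printf '%s\n' "$out"
  case "$out" in *"Response verify OK"*) ;; *) return 1 ;; esac
  case "$out" in *"leaf.pem: revoked"*) return 0 ;; *) return 1 ;; esac
}

ocsp_roundtrip
```

The generated files are left in the temporary directory so that resp.der can be inspected with `openssl ocsp -respin resp.der -text -noverify`.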