Create dual-stack OCSP chains #9

Open
Synchro opened this issue Jun 20, 2018 · 3 comments
Comments

@Synchro
Synchro commented Jun 20, 2018

Further to #8, I'm very confused as to how to create valid OCSP certificate chains for dual-stack (ECC + RSA) certificates. This comes up in things like nginx, where we can say:

ssl_certificate /etc/ssl/example.com.combined.crt;
ssl_certificate_key /etc/ssl/example.com.key;
ssl_certificate /etc/ssl/example.com-ecc.combined.crt;
ssl_certificate_key /etc/ssl/example.com-ecc.key;
ssl_trusted_certificate /etc/ssl/cert-bundle-rsa-ecc.crt;

so we have multiple certificates, but only a single opportunity to specify a trusted cert chain to use for OCSP. I don't know exactly how this should be formatted since it needs to contain 2 or more intermediate -> root chains, i.e. I don't know whether it should contain:

  • intermediate1
  • root1
  • intermediate2
  • root2

or

  • intermediate1
  • intermediate2
  • root1
  • root2

or, if they need to share a root (some ECC certs are signed using an RSA root):

  • intermediate1
  • intermediate2
  • root

So it would be very useful if sslmerge could help get this right.

(and yes, it is dumb that openssl can't figure out the cert order itself by matching IDs)

@trimstray (Owner)

Thanks for this. Your suggestions are very helpful! Let me know more about the topic and I will try to answer it more broadly.

@trimstray (Owner)

@Synchro :

Creating correct certificate chains for OCSP is quite confusing - it would be very useful if sslmerge could generate them. As far as I can see it should include the intermediate and root certs, but not the leaf cert, so if a normal chain cert is leaf -> intermediate, the matching OCSP chain should be intermediate -> root. Since we already have --with-root, this could perhaps be combined with a new --without-leaf option to achieve this.

@Synchro (Author)

Synchro commented Jun 20, 2018

After a bit more investigation, it seems that this isn't possible in nginx or Apache, so it's probably not worth pursuing. There have been issues raised in nginx about this, and a halfway patch that didn't seem to go anywhere. Their opinion is really that Expect-Staple is a sort of abuse of OCSP stapling that is better managed by using short-lived certs, so they're not planning on solving the issue in nginx.

The simpler single OCSP chain generation in #8 would still be useful though.
