Run a OCSP responder

OCSP, or the Online Certificate Status Protocol provides a second method (besides CRLs) for a client to find out if a certificate has been revoked.

Configure OCSP with django-ca

django-ca provides generic HTTP endpoints for an OCSP service for your certificate authorities. The setup involves:

  1. Creating a responder certificate
  2. Configure generic views
  3. Add a OCSP URL to the new certificate

New in version 1.2: Before version 1.2, django-ca was not able to host its own OCSP responder.

Create an OCSP responser certificate

To run an OCSP responder, you first need a certificate with some special properties. Luckily, django-ca has a profile predefined for you:

$ openssl genrsa -out ocsp.key 4096
$ openssl req -new -key ocsp.key -out ocsp.csr -utf8 -batch
$ python sign_cert --csr=ocsp.csr --out=ocsp.pem \
>     --subject / --ocsp


The CommonName in the certificates subject must match the domain where you host your django-ca installation.

Configure generic views

The final step in configuring an OCSP responder for the CA is configuring the HTTP endpoint. If you’ve installed django-ca as a full project or include django_ca.urls in your root URL config, configure the CA_OCSP_URLS setting. It’s a dictionary configuring instances of OCSPView. Keys become part of the URL pattern, the value is a dictionary for the arguments of the view. For example:

    'Root CA': {
        'responder_key': '/usr/share/django-ca/ocsp.key',
        'responder_cert': '/usr/share/django-ca/ocsp.pem',

        # optional: The name or serial of the CA. By default, the dictionary key ("Root CA" in
        #           this example is assumed to be the CA name or serial.
        #'ca': '34:D6:02:B5:B8:27:4F:51:9A:16:0C:B8:56:B7:79:3F',

        # optional: How long OCSP responses are valid
        #'expires': 3600,

    # This URL can be added to any intermediate CA using the --ca-ocsp-url parameter
    'Root CA - intermediate': {
        # Dictionary key is not the name of the root CA, so we pass a serial instead:
        'ca': '34:D6:02:B5:B8:27:4F:51:9A:16:0C:B8:56:B7:79:3F',
        'responder_key': '/usr/share/django-ca/ocsp.key',
        'responder_cert': '/usr/share/django-ca/ocsp.pem',

        # optional: This URL serves OCSP responses for Child CAs, not signed enduser certs:
        #'ca_ocsp': True,

This would mean that your OCSP responder would be located at /django_ca/ocsp/root/ at whatever domain you have configured your WSGI daemon. If you’re using your own URL configuration, pass the same parameters to the as_view() method.

class django_ca.views.OCSPView(**kwargs)[source]

View to provide an OCSP responder.

ca = None

The name or serial of your Certificate Authority.

ca_ocsp = False

If set to True, validate child CAs instead.

expires = 600

Time in seconds that the responses remain valid. The default is 600 seconds or ten minutes.

responder_cert = None

Absolute path to the public key used for signing OCSP responses. May also be a serial identifying a certificate from the database.

responder_key = None

Absolute path to the private key used for signing OCSP responses.

Add OCSP URL to new certificates

To include the URL to an OCSP service to newly issued certificates (you cannot add it to already issued certificates, obviously), either set it in the admin interface or via the command line:

$ python list_cas
34:D6:02:B5:B8:27:4F:51:9A:16:0C:B8:56:B7:79:3F - Root CA
$ python edit_ca --ocsp-url= \
>     34:D6:02:B5:B8:27:4F:51:9A:16:0C:B8:56:B7:79:3F

Run an OCSP responser with openssl ocsp

OpenSSL ships with the openssl ocsp command that allows you to run an OCSP responser, but note that the manpage says “only useful for test and demonstration purposes”.

To use the command, generate an index:

$ python dump_ocsp_index ocsp.index

OpenSSL itself allows you to run an OCSP responder with this command:

$ openssl ocsp -index ocsp.index -port 8888 -rsigner ocsp.pem \
>     -rkey -CA files/ca.crt -text