OCSP Status Codes


Richard J. Van Horn

Hello everyone - first-time post.

I am implementing certificate based authentication on an Apache server (2.4.39) with OCSP enabled.  An end user must have a valid digital certificate from a trusted CA to access my Web site.

Here are the Apache directives:

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/manage.pseudo-nym.com.cert
    SSLCertificateKeyFile /etc/pki/tls/private/manage.pseudo-nym.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/manage.pseudo-nym.com.bundle
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
    # Client authentication: CA that issued the user certificates, client certificate required
    SSLCACertificateFile /etc/pki/tls/certs/PseudoNymCAManagement.cacert.pem
    SSLVerifyClient on
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars +ExportCertData
    # OCSP check of the client (leaf) certificate during the handshake, always sent to
    # the listed responder instead of the URL in the certificate's AIA extension
    SSLOCSPEnable leaf
    SSLOCSPDefaultResponder "http://verify.pseudo-nym.com"
    SSLOCSPOverrideResponder on
    # Redirect any request whose handshake completed without a verified client certificate
    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule     (.*) http://www.pseudo-nym.com/content/no-credential [R]

Everything works well when 1) no client certificate is available (redirect to an external web page) and 2) a certificate is validated successfully (user is redirected to the web site).  

However, I am having a problem handling a revoked certificate.  Currently, when a user accesses my site with a revoked certificate, a default error is shown on a blank page: ERR_BAD_SSL_CLIENT_AUTH_CERT

I'd like to redirect the user to a more informational page. 

Is there an OCSP status similar to SSL_CLIENT_VERIFY that I can use to redirect the user?

I've looked everywhere and can't find any information.

Thanks in advance.

--
Richard J. Van Horn
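The statuses the post is asking about are the three answers an OCSP responder can give for a certificate: good, revoked and unknown. The script below, an added example that is not part of the original post and not Apache's or mod_ssl's own code, reproduces all three offline with the openssl command-line tool and a throw-away CA, so the exact value that SSLOCSPEnable acts on can be seen without a live responder. The CA name, the user names alice/bob/carol, the serial number and the working directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apache: reproduce the
# three answers an OCSP responder can give (good / revoked / unknown) entirely
# offline with the openssl CLI and a throw-away CA. The CA name, the user names
# alice/bob/carol and the working directory are made up for the demonstration.
set -eu

WORK="${OCSP_DEMO_DIR:-$(mktemp -d)}"

write_config() {
    # Minimal config shared by `openssl ca` (issue/revoke) and `openssl ocsp
    # -index` (answer status requests from the same index.txt database).
    cat > "$WORK/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = client_ext

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign,digitalSignature

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

setup_demo() {
    write_config
    cd "$WORK"
    mkdir -p newcerts
    : > index.txt
    echo 1000 > serial

    # Root CA; it also signs the OCSP responses itself (no delegated signer).
    openssl req -x509 -config openssl.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null

    # alice and bob are issued through the CA database; alice is then revoked.
    for name in alice bob; do
        openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl ca -batch -config openssl.cnf -notext \
            -in "$name.csr" -out "$name.pem" 2>/dev/null
    done
    openssl ca -config openssl.cnf -revoke alice.pem -crl_reason keyCompromise 2>/dev/null

    # carol is signed by the same CA key but bypassing the database, so the
    # responder has no record of her serial number.
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=carol" -keyout carol.key -out carol.csr 2>/dev/null
    openssl x509 -req -in carol.csr -CA ca.pem -CAkey ca.key -set_serial 4242 \
        -days 365 -out carol.pem 2>/dev/null
}

ocsp_status() {
    # For client certificate $1.pem: build the request a TLS server would send,
    # answer it from the CA database (the responder's job), verify the signed
    # response against the CA, and print only the status word.
    name="$1"
    cd "$WORK"
    openssl ocsp -issuer ca.pem -cert "$name.pem" -no_nonce \
        -reqout "$name.req" 2>/dev/null
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin "$name.req" -respout "$name.resp" 2>/dev/null
    openssl ocsp -respin "$name.resp" -issuer ca.pem -cert "$name.pem" \
        -CAfile ca.pem -no_nonce 2>/dev/null | sed -n "s/^$name\\.pem: //p"
}

main() {
    setup_demo
    for name in alice bob carol; do
        printf '%s: %s\n' "$name" "$(ocsp_status "$name")"
    done
}

# Usage: sh ocsp_demo.sh run
case "${1:-}" in
    run) main ;;
esac
```

The point for the question above: with SSLOCSPEnable, mod_ssl performs exactly this lookup inside the TLS handshake, while verifying the client certificate, and only a "good" answer lets the handshake complete. A "revoked" answer is turned into a certificate verification error and the connection is closed before any HTTP request exists, which is why the browser shows ERR_BAD_SSL_CLIENT_AUTH_CERT and why mod_rewrite, which only runs once a request has arrived on a completed connection, never gets a chance to inspect an SSL_CLIENT_* variable for that user. The `openssl ocsp` verification step in the script is also the quickest way to check what verify.pseudo-nym.com actually returns for a given certificate, by replacing `-respin` with `-url` and pointing `-issuer` at the real CA file.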