OCSP Request Logging
You can enable or disable logging of OCSP requests made to the Validation Responder. The information in this log can be useful in monitoring Validation Responder operations. OCSP request logs are similar in format to web server access logs.
You should enable this logging function.
If log signing is enabled, the Validation Responder will sign OCSP request log files when they are closed. This enables verification of the contents of OCSP Request log files. If the signing key is regenerated, then a password and a distinguished name are required.
- Select the Enable OCSP Request Logging option.
- To change the directory in which the logs are saved, edit the Directory field.
- To change the name of the request log files, edit the Filename Pattern field.
When opening new logs, the Validation Responder will automatically replace the special symbol %d in the log file name with a timestamp formatted according to the Date Format field. For example, the filename pattern ocsplog-%d.txt would produce file names like ocsplog-2009-01-30.txt when using the default date format.
- To change the format of the timestamp included in log file names, edit the Date Format field. Use yyyy to include the 4-digit year, MM to include the two-digit month, dd to include the day of the month, HH to include the 24-hour hour, mm to include the minute and ss to include the second. For example, the format yyyy-MM-dd produces dates such as 2009-01-30 for January 30th, 2009.
- Specify the maximum amount of time that a log file remains open (in hours) in the Maximum Log Age field. The default is 24 hours. The Validation Responder opens a new log file at the end of the maximum log age time.
A new OCSP request log file is created when the existing file has been open for the specified period of time or reaches the specified size.
- Specify the maximum size of the log file in the Maximum Log Size field. This property is specified in kilobytes. The default is 10MB.
- To configure the data that is captured for each OCSP request that is received by the Validation Responder, select items in the Event Format list. Hold down the Control key while clicking an item in order to add or remove fields from the selection. The following fields are available:
- sequence-number—Specifies a unique number for each OCSP event, beginning with 1, for use in detecting OCSP request log tampering. The size of this field is variable.
- date—Specifies the date on which the transaction was completed, in UTC. The size of this field is 10 characters.
- time—Specifies the time at which the transaction was completed, in UTC. The size of this field is 8 characters.
- time-taken—Specifies the time, in milliseconds, taken to complete the transaction. The size of this field is variable.
- method—Specifies the HTTP request method, GET or POST. The size of this field is up to 4 characters.
- c-ip—Specifies the IP address of the client making the request. The size of this field is up to 15 characters.
- s-ip—Specifies the IP address of the server handling the request. The size of this field is up to 15 characters.
- host—Specifies the value of the HTTP Host header in the request. The size of this field is variable.
- signer-issuer—Specifies the distinguished name of the issuer of the certificate used to sign the request. The size of this field is variable.
- signer-serial—Specifies the serial number of the certificate used to sign the request. The size of this field is variable.
- signer-name—Specifies the subject name from the certificate used to sign the OCSP request. The size of this field is variable.
- http-status—Specifies the HTTP status code returned. The size of this field is 3 characters.
- cert-count—Specifies the number of certificates whose status was queried in the request. The size of this field is variable but is typically 1 character.
- issuer-name—Specifies the distinguished name of the requested issuer, or the hex-encoded hash of the distinguished name if the issuer is not known. The size of this field is variable.
- issuer-key—Specifies the hash of the requested issuer's public key. The size of this field is 40 characters.
- serial—Specifies the requested serial number. The size of this field is variable.
- nonce—Specifies whether a nonce was present in the request (1) or not (0). The size of this field is 1 character.
- relay-url—Specifies the URL of the server to which the request was relayed (omitted if the request was serviced locally). The size of this field is variable.
- this-update—Specifies the time at which the status of the certificate was known to be correct. The size of this field is 19 characters.
- next-update—Specifies the time at or before which newer information about the status of the certificate will be available. The size of this field is 19 characters.
- response-status—Specifies the contents of the responseStatus code in the response. The size of this field is 1 character.
- response-type—Specifies the type of OCSP response returned, if the responseStatus was "successful". If the responseStatus is other than "successful", then the field is omitted. The size of this field is 20 characters.
- cert-status—If the responseStatus is "successful", then this specifies the contents of the certStatus code in the response. If the responseStatus is other than "successful", then the field is omitted. The size of this field is 1 character.
- request—Specifies the full base-64 encoded OCSP request. The size of this field is variable.
- response—Specifies the full base-64 encoded OCSP response. The size of this field is variable.
By default, the following fields are configured: date, time, time-taken, c-ip, issuer-name, serial, and response-status.
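An added example (not the product's own code) that maps log lines onto a configured Event Format, uses the sequence-number field for the tamper check described above, flags non-successful responseStatus values, and expands the Filename Pattern and Date Format tokens from the earlier steps. The space-separated layout with a quoted issuer DN, the field order, and the sample log lines are constructed assumptions, not the product's documented on-disk format.

```python
import re
from datetime import datetime

# Constructed sample log. Assumptions (not the product's documented on-disk
# layout): Event Format is sequence-number plus the default fields, values are
# space-separated, and the issuer DN is quoted because it contains spaces.
SAMPLE_LOG = """\
1 2009-01-30 10:15:01 12 192.0.2.10 "CN=Example CA,O=Example" 1A2B3C 0
2 2009-01-30 10:15:02 15 192.0.2.11 "CN=Example CA,O=Example" 1A2B3D 0
4 2009-01-30 10:15:05 400 192.0.2.12 "CN=Example CA,O=Example" 1A2B3E 6
"""

FIELDS = ["sequence-number", "date", "time", "time-taken", "c-ip",
          "issuer-name", "serial", "response-status"]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # keep a quoted DN as one value


def parse_line(line):
    """Map one log line onto the configured Event Format field names."""
    values = [quoted or bare for quoted, bare in TOKEN.findall(line)]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def audit(text):
    """Return (gaps, failures): sequence-number gaps hint at deleted or
    reordered entries; failures are responses whose responseStatus is not
    0 (successful, per RFC 6960)."""
    gaps, failures, expected = [], [], 1
    for line in text.splitlines():
        rec = parse_line(line)
        seq = int(rec["sequence-number"])
        if seq != expected:
            gaps.append((expected, seq))
        expected = seq + 1
        if rec["response-status"] != "0":
            failures.append((seq, rec["c-ip"], rec["response-status"]))
    return gaps, failures


def log_filename(pattern, date_format, when_iso):
    """Expand %d in a Filename Pattern using the Date Format tokens
    (yyyy, MM, dd, HH, mm, ss) described on this page."""
    strf = {"yyyy": "%Y", "MM": "%m", "dd": "%d",
            "HH": "%H", "mm": "%M", "ss": "%S"}
    fmt = re.sub("|".join(strf), lambda m: strf[m.group()], date_format)
    stamp = datetime.fromisoformat(when_iso).strftime(fmt)
    return pattern.replace("%d", stamp)
```

Run `audit` over a closed log file after verifying its signature; a gap in sequence numbers is worth an alert even when the signature check passes, since it shows entries never reached the file.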
- Enter the appropriate parameters in the HTTP Request Headers field.
- To configure the Validation Responder to digitally sign each log file, select the Enable Log Signing option. The rest of the log signing options will become available.
- To create a PKCS#10 certificate request issued by the Validation Responder’s log signing key pair, select the Create Certificate Request option. When you click Next, the Base64-encoded certificate request will be shown on the page.
- To regenerate the Validation Responder’s log signing key pair, select the Regenerate Log Signing Key option. You must select this option when initially configuring log signing to ensure that your Validation Responder uses a unique key pair and not the HID Global sample keys.
- When you regenerate the Validation Responder log signing key pair, select the Save Password option to specify a protection password. Enter and confirm the password.
- When you create a certificate request using the log signing key pair, you must specify a subject Distinguished Name for the certificate in the Distinguished Name field.
Enter a distinguished name to be included in the request. Once you have a certificate signed by your CA, upload it to the Validation Responder using this page. An example distinguished name is "CN=HIDGlobal" (without the quotes).
Note: The OCSP request log signing keys are used ONLY to sign OCSP request logs to certify that the logs have not been altered by another party. This process is unrelated to the cryptographic operations involved in certificate revocation status checking.
- Select the Upload Log Signing Certificate option to upload an existing certificate.
You can upload a log signing certificate issued by a certificate authority by clicking the Browse button and selecting the certificate file. The public key in the certificate must correspond to the Validation Responder’s log signing private key.
- Click Next.
The page will reload and a PKCS#10 certificate request will appear at the top of the page.
- Copy and paste the entire certificate request (including the “BEGIN” and “END” lines) for submission to a CA.
- To update the OCSP Request Log Signing Certificate, click Browse, and then select the file from your local directory.
- Click Save.