Re: How to configure Tomcat for OCSP stapling?

2018-06-04 Thread Mark Boon
Hi Mark Thomas,

Thanks for the pointer. However, that comment you posted there is 4 years old. 
Any news on the matter since then at all? Has OCSP Stapling support for NIO 
connectors since made it into Java 9?

Mark Boon

On 5/30/18, 12:46 AM, "Mark Thomas"  wrote:

On 29/05/18 00:22, Mark Boon wrote:
> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
> 
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
> 
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA
> that issued the certificate. What I need is to instruct Tomcat so that
> it makes the call to the OCSP responder that is specified in the CA
> signed certificate and ‘staples’ the resulting ticket to the certificate
> before presenting it to the client.
> 
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP
> stapling, in which case any pointers on what it means and how it works
> with Tomcat would be much appreciated.

https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure Tomcat for OCSP stapling?

2018-05-30 Thread Mark Thomas
On 29/05/18 00:22, Mark Boon wrote:
> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
> 
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
> 
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA
> that issued the certificate. What I need is to instruct Tomcat so that
> it makes the call to the OCSP responder that is specified in the CA
> signed certificate and ‘staples’ the resulting ticket to the certificate
> before presenting it to the client.
> 
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP
> stapling, in which case any pointers on what it means and how it works
> with Tomcat would be much appreciated.

https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark
Re: How to configure Tomcat for OCSP stapling?

2018-05-28 Thread Coty Sutherland
Hi,

On Mon, May 28, 2018 at 7:22 PM, Mark Boon  wrote:

> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
>
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA that
> issued the certificate. What I need is to instruct Tomcat so that it makes
> the call to the OCSP responder that is specified in the CA signed
> certificate and ‘staples’ the resulting ticket to the certificate before
> presenting it to the client.
>

You're correct. The configuration document does mention the OCSP responder,
but you really don't need to do anything special in Tomcat to enable OCSP.
If your connector has certificateVerification or clientAuth enabled, then
Tomcat will do the needful with the client certificate (including verify it
with OCSP if the OCSP URL is present).


>
>
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP stapling,
> in which case any pointers on what it means and how it works with Tomcat
> would be much appreciated.
>
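The reply above covers what Tomcat does with a client certificate (OCSP verification when certificateVerification or clientAuth is on), which is a different thing from the server stapling an OCSP response to its own certificate, as the original question asks. Whatever the connector ends up supporting, the check worth having is a client-side one: does the server actually hand back a stapled response? The script below is an added example, not code from this thread or from the Tomcat project. It drives `openssl s_client -status`, which requests a stapled response and prints either "OCSP response: no response sent" or a decoded "OCSP Response Data" block, and classifies that text. The function names (`classify_status`, `probe_stapling`) and the two trimmed sample outputs are mine; the samples are constructed in the shape s_client prints so the parser runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project): confirm from the
# client side whether a TLS server actually staples an OCSP response.
# `openssl s_client -status` asks the server for a stapled response and prints
# either "OCSP response: no response sent" or a decoded "OCSP Response Data" block.

# classify_status: takes the text printed by `openssl s_client -status` and
# prints one word: stapled, revoked, stapled-unknown, not-stapled, or unparsed.
# A stapled response whose Cert Status is not "good" is reported separately,
# because a server stapling a "revoked" answer is a finding in its own right.
classify_status() {
  out="$1"
  case "$out" in
    *"OCSP Response Status: successful"*)
      case "$out" in
        *"Cert Status: good"*)    echo stapled ;;
        *"Cert Status: revoked"*) echo revoked ;;
        *)                        echo stapled-unknown ;;
      esac ;;
    *"OCSP response: no response sent"*) echo not-stapled ;;
    *) echo unparsed ;;
  esac
}

# probe_stapling HOST [PORT]: run the live probe against a server you operate.
# Needs network access; 'Q' on stdin makes s_client close the session after
# the handshake. The sample inputs below exercise the parser offline.
probe_stapling() {
  host="$1"; port="${2:-443}"
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
  classify_status "$out"
}

# Constructed sample outputs (trimmed) in the shape s_client prints them.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun  1 00:00:00 2018 GMT
    Next Update: Jun  8 00:00:00 2018 GMT
======================================
---
Certificate chain'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Usage against a real host:   probe_stapling tomcat.example.internal 8443
# Offline, against the samples: classify_status "$SAMPLE_NOT_STAPLED"
```

A result of not-stapled from a connector that was expected to staple is the symptom the bug report linked in this thread is about; re-running the probe after a configuration change is the quickest way to tell whether the change took effect.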

How to configure Tomcat for OCSP stapling?

2018-05-28 Thread Mark Boon
My company asked to enable OCSP stapling for our Tomcat server. I found the 
documentation about configuring a Tomcat OCSP Connector here:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector

However, if I’m not mistaken those are instructions for how to set up an OCSP 
responder. But I think in my case, the OCSP responder is the CA that issued the 
certificate. What I need is to instruct Tomcat so that it makes the call to the 
OCSP responder that is specified in the CA signed certificate and ‘staples’ the 
resulting ticket to the certificate before presenting it to the client.

Does anyone know of a place with instructions how to do something like this? Or 
possibly I’m not quite understanding the process of OCSP stapling, in which 
case any pointers on what it means and how it works with Tomcat would be much 
appreciated.


Mark Boon
Staff Engineer
mb...@vmware.com
3401 Hillview Avenue, Palo Alto, CA 94304
650.123.4567 Office
808.234.4892 Mobile