Use self signed key binding cert. for OCSP responder

[StocktonC]

i follow the below step to setup OCSP responder cert. and its work.

1. bin/ejbca.sh ca importcacert OCSP_CA /home/tomas/tmp/OCSP_CA.pem
2. bin/ejbca.sh cryptotoken create OCSPCryptoToken foo123 true SoftCryptoToken true
3. bin/ejbca.sh cryptotoken generatekey OCSPCryptoToken ocspsignkey RSA2048
4. bin/ejbca.sh keybind create OCSP_CA_KeyBinding OcspKeyBinding DISABLED null OCSPCryptoToken ocspsignkey SHA256WithRSA -nonexistingisgood=false -includecertchain=true
5. bin/ejbca.sh keybind gencsr OCSP_CA_KeyBinding csr.pem

(send the csr to OCSP_CA and get signed certificate back)

6. bin/ejbca.sh keybind import OCSP_CA_KeyBinding ocsp.pem
7. bin/ejbca.sh keybind setstatus OCSP_CA_KeyBinding ACTIVE

However, May i know that is it ok to use self signed cert. (with Key Usage: Digital Signature / Extended Key Usage: OCSPSigner) instead of send the CSR to external CA signing?

Thanks.

[primetomas]

Just a question, Peer Connectors in an Enterprise feature, so this doesn't really sounds like a Community question? Is that correct, or I missed something?

Cheers

[StocktonC]

for my issue, Is it possible import OCSP responder key from .p12 format file instead of generate a CSR for external to sign?

[svenska-primekey]

The only way that would work is to create a CA by importing the p12 into EJBCA. Otherwise you have to go the CSR route signed by a CA.

[StocktonC]

Finally, i found a way to break down the p12 file and import it into EJBCA by following steps: (looks there is no way to import the p12 into EJBCA directly)

1. ./bin/ejbca.sh ca importcacert OCSP_CA /home/tomas/tmp/OCSP_CA.pem
2. ./bin/ejbca.sh cryptotoken create OCSPCryptoToken CryptonTokenPwd true SoftCryptoToken true
3. Extract public key and private key from OCSP responders p12 file
   Extract public key certificate
   a. openssl pkcs12 -in OCSPKeyBind.p12 -clcerts -nokeys -out OCSPKeyBindCert.pem
   b. openssl x509 -pubkey -in OCSPKeyBindCert.pem -noout > OCSPKeyBindPubkey.pem
   Extract private key
   a. openssl pkcs12 -in OCSPKeyBind.p12 -nocerts -nodes | openssl rsa > OCSPKeyBindPrivateKey
4. ./bin/ejbca.sh cryptotoken importkeypair --token OCSPCryptoToken --privkey-file /home/src/cert/OCSPKeyBindPrivateKey --pubkey-file /home/src/cert/OCSPKeyBindPubkey.pem --alias ocspsignkey
5. ./bin/ejbca.sh keybind create --name OCSPKeyBinding --type OcspKeyBinding DISABLED null --token OCSPCryptoToken --alias ocspsignkey --sigalg SHA256WithRSA -nonexistingisgood=false -includecertchain=true
6. ./bin/ejbca.sh keybind import --name OCSPKeyBinding -f /home/src/cert/OCSPKeyBindCert.pem
7. ./bin/ejbca.sh keybind setstatus --name OCSPKeyBinding -v ACTIVE
8. ./bin/ejbca.sh ocsp setdefaultresponder –dname "AAA"