OCSP CRL Fallback Service is an OCSP responder adapter for certificate revocation lists (CRLs). It behaves like an OCSP server towards clients: it answers "good" for every certificate that is not listed in the configured CRLs and "revoked" for every certificate that is. Note that "good" therefore means only "not present in the CRL that the service has loaded", and the answer is at most as fresh as the CRL download interval (see `ocsp-crl-fallback.crl-loading-interval` below).
- Java 17 JDK
Generate a self-signed OCSP signing certificate and key:

```sh
docker run --rm -v ./:/work -w /work alpine/openssl:3.5.4 req -batch -x509 -new -utf8 -text -not_before 20260106060000Z -not_after 20560106060000Z -noenc -newkey ec -pkeyopt ec_paramgen_curve:P-384 -keyout src/main/resources/ocsp-certificate/ocsp.key.pem -out src/main/resources/ocsp-certificate/ocsp.cer.pem -sha384 -subj '/CN=local-ocsp' -addext basicConstraints=CA:false -addext keyUsage=digitalSignature -addext extendedKeyUsage=OCSPSigning
```

The resulting key is unencrypted (`-noenc`) and is written under `src/main/resources`, so it ends up inside the built jar or image. Because the certificate is self-signed, OCSP clients have to be configured to trust it explicitly: RFC 6960 only lets a client accept a response signed by the CA that issued the certificate being checked, by a responder certificate issued by that CA with the OCSP signing extended key usage, or by a responder the client is locally configured to trust.
Edit the `src/main/resources/application.yml` file as described in the "Configuration" section below.
Build and run the application:

```sh
./mvnw spring-boot:run
```

Build a container image:

- Either build locally:

  ```sh
  ./mvnw spring-boot:build-image
  ```

- Or build in Docker:

  ```sh
  docker run --pull always --rm -u $(id -u):$(id -g) \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$HOME/.m2:/root/.m2" \
    -v "$PWD:/usr/src/project" \
    -w /usr/src/project \
    maven:3.9-eclipse-temurin-17 \
    mvn spring-boot:build-image
  ```

  Git Bash users on Windows should add `MSYS_NO_PATHCONV=1` in front of the command.
- https://localhost:14443/ - OCSP service
- https://localhost:14443/actuator - maintenance (Spring Boot Actuator) endpoints
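To exercise the service end to end you need a CA whose CRL it can load, a certificate on that CRL and one that is not, and a way to send it an OCSP request. The script below is an added example and is not part of the project: it builds a throwaway test CA with `openssl`, revokes one of two leaf certificates, writes the CRL (`test-ca.crl.pem` and a DER copy `test-ca.crl`), reproduces the service's good/revoked decision locally with `openssl verify -crl_check`, and finally queries the running service by posting an OCSP request with `curl`. The service URL and the OCSP certificate path come from this README; `TLS_CA` (the trust anchor for the service's HTTPS certificate) and the `WORK` directory are assumptions, and the test CA itself is constructed data.

```sh
#!/bin/sh
# Added example, not part of the OCSP CRL Fallback Service project.
# Builds a test CA with leaves "good" and "revoked", publishes a CRL, mirrors the
# service's decision locally, and queries the running service. Needs openssl and curl.
set -eu

WORK="${WORK:-$(mktemp -d)}"                                                    # assumed scratch dir
OCSP_URL="${OCSP_URL:-https://localhost:14443/}"                                # service URL from the README
OCSP_CERT="${OCSP_CERT:-$PWD/src/main/resources/ocsp-certificate/ocsp.cer.pem}" # generated per the README
TLS_CA="${TLS_CA:-$PWD/tls-ca.cer.pem}"                                         # assumed: trust anchor for the HTTPS endpoint

# Create test-ca, sign leaves "good" and "revoked", revoke the latter (keyCompromise)
# and emit the CRL as PEM and as DER (the form most distribution points serve).
make_test_pki() (
  cd "$WORK"
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.cer.pem
private_key = $dir/ca.key.pem
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:false
keyUsage = digitalSignature
EOF
  openssl req -config ca.cnf -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -days 365 -subj '/CN=test-ca' -keyout ca.key.pem -out ca.cer.pem \
    -addext basicConstraints=critical,CA:true -addext keyUsage=keyCertSign,cRLSign
  for leaf in good revoked; do
    openssl req -config ca.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
      -subj "/CN=$leaf" -keyout "$leaf.key.pem" -out "$leaf.csr.pem"
    openssl ca -batch -config ca.cnf -extensions v3_leaf -notext \
      -in "$leaf.csr.pem" -out "$leaf.cer.pem"
  done
  openssl ca -batch -config ca.cnf -revoke revoked.cer.pem -crl_reason keyCompromise
  openssl ca -batch -config ca.cnf -gencrl -out test-ca.crl.pem
  openssl crl -in test-ca.crl.pem -outform DER -out test-ca.crl
)

# Mirror the service's rule with openssl alone: a leaf listed in the CRL is "revoked",
# any other leaf that chains to the CA is "good". (This helper also reports "revoked"
# for any other verification failure; the service itself only consults the CRL.)
local_crl_status() (
  cd "$WORK"
  if openssl verify -crl_check -CAfile ca.cer.pem -CRLfile test-ca.crl.pem "$1.cer.pem" >/dev/null 2>&1; then
    echo good
  else
    echo revoked
  fi
)

# Ask the running service about one leaf. openssl builds the DER request, curl posts it
# (so the HTTPS trust anchor is explicit), and openssl checks the response against the
# service's own self-signed OCSP certificate via -VAfile, since no CA chain leads to it.
query_service() (
  cd "$WORK"
  openssl ocsp -issuer ca.cer.pem -cert "$1.cer.pem" -no_nonce -reqout "$1.req.der"
  curl -sSf --cacert "$TLS_CA" -H 'Content-Type: application/ocsp-request' \
    --data-binary "@$1.req.der" -o "$1.resp.der" "$OCSP_URL"
  openssl ocsp -respin "$1.resp.der" -issuer ca.cer.pem -cert "$1.cer.pem" \
    -no_nonce -VAfile "$OCSP_CERT" -resp_text
)

if [ "${1:-}" = "run" ]; then
  make_test_pki
  echo "test PKI in $WORK; publish $WORK/test-ca.crl at the configured crl-download.url"
  for leaf in good revoked; do
    echo "local CRL check: $leaf -> $(local_crl_status "$leaf")"
  done
  # Give the service one crl-loading-interval (30s by default) to pick the CRL up first.
  query_service good
  query_service revoked
fi
```

Run it with `sh test-pki.sh run` after pointing a certificate chain entry at the test CA (`issuer-certificate` set to `ca.cer.pem` and `crl-download.url` to wherever you serve `test-ca.crl`). The expected outcome is `good.cer.pem: good` and `revoked.cer.pem: revoked` in the service responses, matching the local check; a `Response verify OK` line confirms the response was signed by the configured OCSP certificate rather than by something else answering on that port.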
| Parameter | Mandatory | Description, example |
|---|---|---|
| `spring.ssl.bundle.pem.tls.keystore.certificate` | Yes | PEM-formatted TLS certificate used by the application's HTTPS endpoints. Can be provided as a path to a file or inlined, either directly into YAML or as Base64. See the Spring Boot documentation for details. |
| `spring.ssl.bundle.pem.tls.keystore.private-key` | Yes | PEM-formatted TLS private key used by the application's HTTPS endpoints. Can be provided as a path to a file or inlined, either directly into YAML or as Base64. See the Spring Boot documentation for details. |
| `spring.ssl.bundle.pem.ocsp.keystore.certificate` | Yes | PEM-formatted OCSP signing certificate (the one generated in the setup step above). Can be provided as a path to a file or inlined, either directly into YAML or as Base64. See the Spring Boot documentation for details. |
| `spring.ssl.bundle.pem.ocsp.keystore.private-key` | Yes | PEM-formatted private key belonging to the OCSP signing certificate; it is used to sign OCSP responses, not for TLS. Can be provided as a path to a file or inlined, either directly into YAML or as Base64. See the Spring Boot documentation for details. |
| Parameter | Mandatory | Description, example |
|---|---|---|
| `ocsp-crl-fallback.crl-loading-interval` | No | Interval at which updated CRLs are downloaded from the remote sources. Default value is 30 seconds. Spring Boot duration format (see the JavaDoc for the exact rules). Example: `60s` |
| `ocsp-crl-fallback.certificate-chains` | No | List of certificate chains to serve; each entry pairs an issuer certificate with the CRL to download for it |
| `ocsp-crl-fallback.certificate-chains[].name` | Yes | Name of the certificate chain. The downloaded CRL file is named `<certificate-chain-name>.crl` |
| `ocsp-crl-fallback.certificate-chains[].issuer-certificate` | Yes | Issuer certificate of the particular certificate chain |
| `ocsp-crl-fallback.certificate-chains[].crl-download` | Yes | Data needed to download the CRL for this chain |
| `ocsp-crl-fallback.certificate-chains[].crl-download.url` | Yes | URL to download the CRL from |
| `ocsp-crl-fallback.certificate-chains[].crl-download.timeout` | Yes | Timeout for downloading the CRL. 30s by default. Spring Boot duration format (see the JavaDoc for the allowed forms). |
| `ocsp-crl-fallback.certificate-chains[].crl-download.tls-truststore-bundle` | No | Name of the TLS truststore bundle holding the HTTPS certificate (or its CA) of the CRL download URL. Refers to a bundle defined under `spring.ssl.bundle.pem.*`. Not used for HTTP URLs. If this parameter is undefined and an HTTPS URL is configured, the default Java truststore is used instead. |
| `ocsp-crl-fallback.tmp-path` | Yes | Temporary directory to download CRLs into. Example: `/var/cache/ocspcrl/tmp` |
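A complete `application.yml` that wires the two tables above together, as an added example rather than a file shipped with the project. The OCSP key pair paths match the generation command in this README; the `file:` paths, the bundle name `crl-source-ca`, the chain name and the CRL URL are assumptions, as is the use of a resource location for `issuer-certificate`.

```yaml
# Added example configuration, not the project's own file.
spring:
  ssl:
    bundle:
      pem:
        # Key pair for the service's own HTTPS listener (assumed paths).
        tls:
          keystore:
            certificate: "file:/etc/ocsp-crl-fallback/tls.cer.pem"
            private-key: "file:/etc/ocsp-crl-fallback/tls.key.pem"
        # OCSP signing key pair, as generated by the openssl command in this README.
        ocsp:
          keystore:
            certificate: "classpath:ocsp-certificate/ocsp.cer.pem"
            private-key: "classpath:ocsp-certificate/ocsp.key.pem"
        # Trust anchor for the HTTPS server that publishes the CRL (assumed name and path).
        # Pinning it here instead of relying on the default Java truststore keeps an
        # attacker who controls a public CA from substituting a stale or empty CRL.
        crl-source-ca:
          truststore:
            certificate: "file:/etc/ocsp-crl-fallback/crl-server-ca.cer.pem"

ocsp-crl-fallback:
  crl-loading-interval: 60s            # how stale a "good"/"revoked" answer may be
  tmp-path: /var/cache/ocspcrl/tmp
  certificate-chains:
    - name: example-ca                 # downloaded CRL is stored as example-ca.crl
      issuer-certificate: "file:/etc/ocsp-crl-fallback/example-ca.cer.pem"   # assumed form
      crl-download:
        url: https://crl.example.test/example-ca.crl   # assumed URL
        timeout: 30s
        tls-truststore-bundle: crl-source-ca
```

Keep `crl-loading-interval` in line with how quickly revocations must become visible: the service answers from the last CRL it managed to load, so a revocation is only reported after the next successful download.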
- Maven Wrapper - Apache 2.0 license