Checking the revocation status of the server certificate

Ops Center Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99OPS001-23
You can check the revocation status of the server certificate for a Hitachi Ops Center product by using the Online Certificate Status Protocol (OCSP).
Note: If the certificate has been revoked, you must renew it. Follow the procedure in Creating a private key and a certificate signing request (SSL Setup tool) to request a new certificate and overwrite the existing one. You must also reconfigure the SSL server settings and SSL client settings.

Verify that the following settings are configured on the management server:

  • The OCSP responder is functioning. If you are unsure whether it is functioning, contact the certificate authority.
  • The server certificate has the Authority Information Access (AIA) record that includes the correct address of the OCSP responder.
  • The management server can access the OCSP responder and access is not blocked by a proxy.

To check whether the AIA record includes the correct address of the OCSP responder, you can use the openssl command. Check the address in the OCSP-URI field of the AIA record. If no address is set, contact the certificate authority that signed the server certificate. The command syntax and an example follow:

Command syntax:

echo "Q" | installation-directory-of-Common-Services/openssl/bin/openssl s_client -connect host-name-or-ip-address-of-product-URL:port-number-of-product-URL 2> /dev/null | openssl x509 -noout -text

Command example:

echo "Q" | /opt/hitachi/CommonService/openssl/bin/openssl s_client -connect example.com:443 2> /dev/null | openssl x509 -noout -text
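The check above, carried one step further as an added example that is not part of the Ops Center guide: a small POSIX shell script that parses the OCSP-URI field out of the `openssl x509 -noout -text` output (reporting the "no address set" case), and then queries that responder with `openssl ocsp` using the issuer certificate obtained from `s_client -showcerts`. The install path, host names and URIs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Ops Center guide. Assumes the openssl shipped
# with Common Services at the path below and a reachable product URL.
OPENSSL=/opt/hitachi/CommonService/openssl/bin/openssl   # assumed install path

# Constructed fragments of "openssl x509 -noout -text" output, with and without an AIA record.
SAMPLE_WITH_AIA='            Authority Information Access:
                OCSP - URI:http://ocsp.example-ca.test
                CA Issuers - URI:http://ca.example-ca.test/issuer.crt
            X509v3 Subject Alternative Name:
                DNS:example.com'
SAMPLE_WITHOUT_AIA='            X509v3 Subject Alternative Name:
                DNS:example.com'

# Print the OCSP URI found on stdin; print nothing and return 1 when the
# certificate has no OCSP-URI field (the "contact the CA" case in the guide).
ocsp_uri_from_text() {
    uri=$(sed -n 's/^[[:space:]]*OCSP - URI:[[:space:]]*\(.*\)$/\1/p' | head -n 1)
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Save the server certificate (cert1.pem) and its issuer (cert2.pem) from
# s_client -showcerts, then ask the responder named in the AIA record.
# Returns 0 for "good", 1 for revoked/unknown, 2 when no OCSP URI is present.
check_revocation() {
    host=$1; port=$2; dir=${3:-.}
    echo "Q" | "$OPENSSL" s_client -connect "$host:$port" -showcerts 2>/dev/null |
        awk -v d="$dir" '/-----BEGIN CERT/{n++; p=1} p{print > (d "/cert" n ".pem")} /-----END CERT/{p=0}'
    uri=$("$OPENSSL" x509 -in "$dir/cert1.pem" -noout -text | ocsp_uri_from_text) || {
        echo "No OCSP-URI in the AIA record: contact the CA that signed the certificate" >&2
        return 2
    }
    # -CAfile with the issuer lets openssl verify the responder's signature rather than trusting it blindly.
    out=$("$OPENSSL" ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" \
        -url "$uri" -CAfile "$dir/cert2.pem" -resp_text)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': good$'
}

if [ $# -ge 2 ]; then
    check_revocation "$1" "$2"
else
    printf '%s\n' "$SAMPLE_WITH_AIA" | ocsp_uri_from_text      # http://ocsp.example-ca.test
    printf '%s\n' "$SAMPLE_WITHOUT_AIA" | ocsp_uri_from_text || echo "no OCSP-URI field: contact the CA"
fi
```

Run it with no arguments to exercise the parser on the constructed samples, or as `sh check_ocsp.sh example.com 443` to perform the live query; a non-zero exit means the certificate is not reported as good.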

You can check the revocation status of the server certificate in one of the following ways: