You can check the revocation status of the server certificate for a Hitachi Ops Center product by using the Online
Certificate Status Protocol (OCSP).
Note: If the certificate has been revoked, you must renew it. Follow the procedure in Creating a private key and a certificate signing request (SSL Setup tool) to request a new certificate and overwrite the existing one. You must also reconfigure the SSL server settings and SSL client settings.
Verify that the following settings are configured on the management server:
- The OCSP responder is functioning. If you are unsure whether it is functioning, contact the certificate authority.
- The server certificate has the Authority Information Access (AIA) record that includes the correct address of the OCSP responder.
- The management server can access the OCSP responder and access is not blocked by a proxy.
To check whether the AIA record includes the correct address of the OCSP responder, you can use the openssl command. Check the address of the OCSP-URI field of the AIA record. If no address is set, contact the certificate authority that signed the server certificate. The following is the command syntax and an example of the command:
Command syntax:
echo "Q" | installation-directory-of-Common-Services/openssl/bin/openssl s_client -connect host-name-or-ip-address-of-product-URL:port-number-of-product-URL 2> /dev/null | openssl x509 -noout -text
Command example:
echo "Q" | /opt/hitachi/CommonService/openssl/bin/openssl s_client -connect example.com:443 2> /dev/null | openssl x509 -noout -text
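The following script is an added example, not part of the Hitachi documentation: it automates the AIA check described above by pulling the OCSP-URI out of the server certificate with openssl (`-ocsp_uri` prints exactly that field), treating a missing URI as the "contact the certificate authority" case, and then querying the responder with `openssl ocsp`. It assumes a stock openssl binary on PATH; substitute the product's bundled openssl path if preferred.

```shell
#!/bin/sh
# Added example (not Hitachi code): read the OCSP responder address from a
# certificate's AIA extension and, if present, ask the responder about the
# certificate's status. Assumes "openssl" (1.1.1 or later) is on PATH.
set -u

# Print the OCSP URI from the AIA extension of a PEM certificate file.
# Prints nothing and returns 1 when the certificate carries no OCSP URI,
# which is the situation the documentation says to raise with the CA.
ocsp_uri_of() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null) || return 1
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Fetch the chain from a live endpoint, the way the documented s_client command
# does, and save the leaf as cert1.pem and its issuer as cert2.pem in outdir.
fetch_chain() {   # fetch_chain host:port outdir
    echo Q | openssl s_client -connect "$1" -showcerts 2>/dev/null \
      | awk -v dir="$2" '/BEGIN CERT/{n++} n>0 && n<=2 {print > (dir "/cert" n ".pem")}
                         /END CERT/{ if (n==2) exit }'
}

# Query the responder named in the leaf's AIA record.
# Returns 0 for "good", 2 for "revoked", 1 if the check could not complete
# (no OCSP URI, responder unreachable or blocked, malformed response).
ocsp_status() {   # ocsp_status leaf.pem issuer.pem
    url=$(ocsp_uri_of "$1") || return 1
    out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$url" -resp_text 2>&1) || return 1
    case "$out" in
        *": good"*)    return 0 ;;
        *": revoked"*) return 2 ;;
        *)             return 1 ;;
    esac
}

# Usage: sh check_ocsp.sh host:port   (with no arguments only the functions are defined)
if [ $# -eq 1 ]; then
    dir=$(mktemp -d)
    fetch_chain "$1" "$dir"
    if ocsp_status "$dir/cert1.pem" "$dir/cert2.pem"; then
        echo "$1: certificate status good"
    elif [ $? -eq 2 ]; then
        echo "$1: certificate REVOKED; renew it and reconfigure SSL settings"
    else
        echo "$1: OCSP check could not be completed (no OCSP-URI, responder unreachable, or proxy blocking)"
    fi
    rm -rf "$dir"
fi
```

A non-zero exit other than 2 is the case to investigate against the three prerequisites listed above (responder functioning, AIA record present, responder reachable) before assuming anything about the certificate itself.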
You can check the revocation status of the server certificate in one of the following ways:
- Web browser: Checking the revocation status of the server certificate by using a web browser
- openssl command: Checking the revocation status of the server certificate by using a command
- Automatically by using cron: Checking the revocation status of the server certificate on a regular basis