To record the revocation status of a server certificate in a file, register a cron job that queries the OCSP responder and writes the check result to a file, as follows.
-
Log in to the management server as the root user.
If you log in as an ordinary user, use the sudo command to complete the following procedure as the root
user.
-
Modify the crontab file. Run the following command.
For details on the command, see the crontab
documentation.
crontab -u root -e
-
Add a command to the crontab file for each product for which you want to check
revocation status.
The command you set differs depending on how the server
certificate of the product is referenced.
- If you check by downloading the certificate file from
the URL of the Hitachi Ops Center product:
-
Specify the time to download, the command to download
the server certificate, and the command to query the OCSP
responder in the following format.
* * * * * command-to-download-the-server-certificate;command-to-query-the-OCSP-responder
- Command syntax for downloading the server
certificate:
installation-directory-of-Common-Services/openssl/bin/openssl s_client -connect host-name-or-ip-address-of-product-URL:port-number-of-product-URL [-sigalgs Signature-Algorithm-list] < /dev/null 2> path-of-the-standard-error-output-file | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > path-of-download-destination-of-server-certificate
For products that use both RSA and ECDSA
server certificates, you must specify the command for
RSA and again for ECDSA. For the
-sigalgs option, specify the
following signature algorithm list:
For RSA:
RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512
For ECDSA:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
- Command syntax for querying the OCSP
responder:
installation-directory-of-Common-Services/openssl/bin/openssl ocsp -no_nonce -issuer issuer-certificate -cert path-of-server-certificate -url OCSP-Responder-URI [ -proxy [http[s]://][userinfo-of-proxy@]host-name-or-IP-address-of-proxy[:port-number-of-proxy] [/path-of-proxy] ] [-CAfile root-certificate-of-the-OCSP-responder-server] -text -out path-of-the-file-to-which-the-results-are-output 2>> path-of-the-standard-error-output-file
- If you check by referencing the certificate file set for
the Hitachi Ops Center product:
-
Specify the execution time and the command to query
the OCSP responder in the following format.
* * * * * command-to-query-the-OCSP-responder
- Command syntax for querying the OCSP
responder:
installation-directory-of-Common-Services/openssl/bin/openssl ocsp -no_nonce -issuer issuer-certificate -cert path-of-server-certificate -url OCSP-Responder-URI [ -proxy [http[s]://][userinfo-of-proxy@]host-name-or-IP-address-of-proxy[:port-number-of-proxy] [/path-of-proxy] ] [-CAfile root-certificate-of-the-OCSP-responder-server] -text -out path-of-the-file-to-which-the-results-are-output 2> path-of-the-standard-error-output-file
Note:
- Specify the time to run each command by replacing "* * * * *" with a
crontab schedule. For example, to run the command every day at 4:00
a.m., specify "0 4 * * *". For details, see the crontab
documentation.
- Specify different paths for path-of-the-file-to-which-the-results-are-output and
path-of-the-standard-error-output-file for each
command, so that the result of one product does not overwrite the result of another.
- For the issuer-certificate for the command that queries the
OCSP responder, either specify the root certificate or, if there is
an intermediate certificate, specify the PEM-format certificate that
combines the root and intermediate certificates. The OCSP request identifies the
server certificate by hashes of its issuer's name and public key, so the issuer
certificate must be the CA certificate that actually signed the server certificate
(the intermediate certificate, where one exists); place that certificate first in the combined file.
- To use a proxy for the command that queries the OCSP
responder, specify the -proxy option.
- If the Response Verify Failure error
is output to path-of-the-standard-error-output-file, the openssl command could not
chain the responder's signing certificate to a trusted root. Specify the
-CAfile option with the root certificate of the OCSP responder. When verification
succeeds, the same file contains Response verify OK. Do not treat a Cert Status of
good as reliable if the response failed verification.
- For details on the openssl command, see the openssl documentation.
-
Add a command for each product, specifying each command as described in step 3.
Example settings:
10 4 * * * command-for-product-1
20 4 * * * command-for-product-2
30 4 * * * command-for-product-3
…
-
After you finish specifying the commands, save the crontab file.
-
Run the following command to enable crond.service.
systemctl enable crond.service
-
Restart the service to apply the crond settings. Run the following
command.
systemctl restart crond.service
- At the specified time, the result file is written to path-of-the-file-to-which-the-results-are-output.
Check the value of the Cert Status line in that file.
- If the value is good: The OCSP responder reports that the server
certificate has not been revoked.
- If the value is revoked: The server
certificate has been revoked.
- If the value is unknown: The responder has no record of the
certificate. Check that issuer-certificate is the certificate that issued the
server certificate and that OCSP-Responder-URI is the responder for that CA.
- If the output file does not include the Cert
Status line, the query did not complete (for example, the responder could not
be reached or the response failed verification). For details about the
error, check the file written to path-of-the-standard-error-output-file.
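The whole check as one script that a single crontab entry per product can call, as an added example that is not part of Hitachi Ops Center or its documentation. It runs the two openssl commands from step 3 with the signature-algorithm lists given there, writes the result and standard-error files the way the procedure describes, and then extracts the Cert Status value instead of trusting the exit status of openssl ocsp. The installation directory, the PROXY and CAFILE environment variables, and the host, paths and responder URL in the crontab comment are assumptions for this example.

```shell
#!/bin/sh
# ocsp_check.sh: download the server certificate of one product, query the OCSP
# responder, and record the Cert Status value. Added example script, not part
# of Hitachi Ops Center; the installation directory and the PROXY/CAFILE
# environment variables are assumptions for this example.
set -u

OPENSSL="${OPENSSL:-/opt/hitachi/CommonService/openssl/bin/openssl}"  # assumed path

# Signature-algorithm lists from the procedure: the list offered by the client
# decides whether the product presents its RSA or its ECDSA certificate.
RSA_SIGALGS='RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512'
ECDSA_SIGALGS='ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512'

# extract_pem: read s_client output on stdin and keep only the PEM certificate
# block(s); without -showcerts s_client prints just the server certificate.
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# download_cert HOST PORT SIGALGS CERT_OUT ERR_OUT
# Fails when no certificate was written (handshake failure, wrong key type).
download_cert() {
    "$OPENSSL" s_client -connect "$1:$2" -sigalgs "$3" </dev/null 2>"$5" \
        | extract_pem >"$4"
    [ -s "$4" ]
}

# query_ocsp ISSUER CERT URL RESULT_OUT ERR_OUT
# PROXY and CAFILE (hypothetical environment variables) map to -proxy and -CAfile.
# openssl ocsp exits 0 for a revoked certificate; only the Cert Status line in
# the report tells you the answer, so the report is parsed afterwards.
query_ocsp() {
    issuer=$1; cert=$2; url=$3; out=$4; err=$5
    set -- -no_nonce -issuer "$issuer" -cert "$cert" -url "$url" -text -out "$out"
    if [ -n "${PROXY:-}" ]; then set -- "$@" -proxy "$PROXY"; fi
    if [ -n "${CAFILE:-}" ]; then set -- "$@" -CAfile "$CAFILE"; fi
    "$OPENSSL" ocsp "$@" 2>>"$err"
}

# cert_status RESULT_FILE: print good, revoked or unknown from an
# `openssl ocsp -text` report; print "error" and return 1 when the line is
# missing, which is what a failed connection or verification looks like.
cert_status() {
    status=$(sed -n 's/^[[:space:]]*Cert Status: *//p' "$1" 2>/dev/null | head -n 1)
    if [ -z "$status" ]; then
        echo error
        return 1
    fi
    echo "$status"
}

# main KEYTYPE HOST PORT ISSUER_PEM OCSP_URL WORKDIR
# Runs the whole check for one product and exits 0 only for a status of good.
# Run it twice (rsa and ecdsa) for a product that has both certificates.
main() {
    if [ $# -ne 6 ]; then
        echo "usage: $0 check rsa|ecdsa HOST PORT ISSUER_PEM OCSP_URL WORKDIR" >&2
        return 2
    fi
    keytype=$1; host=$2; port=$3; issuer=$4; url=$5; dir=$6
    case "$keytype" in
        rsa)   sigalgs=$RSA_SIGALGS ;;
        ecdsa) sigalgs=$ECDSA_SIGALGS ;;
        *)     echo "key type must be rsa or ecdsa" >&2; return 2 ;;
    esac
    mkdir -p "$dir"
    cert="$dir/server-$keytype.pem"
    out="$dir/ocsp-$keytype.txt"
    err="$dir/stderr-$keytype.txt"
    if ! download_cert "$host" "$port" "$sigalgs" "$cert" "$err"; then
        echo "$host:$port ($keytype): certificate download failed, see $err" >&2
        return 2
    fi
    query_ocsp "$issuer" "$cert" "$url" "$out" "$err"
    status=$(cert_status "$out" || true)
    echo "$host:$port ($keytype): $status"
    [ "$status" = good ]
}

# Crontab entry (assumed host, paths and responder URL), one line per product:
#   0 4 * * * /usr/local/sbin/ocsp_check.sh check rsa ops-center.example.com 443 /etc/pki/ocsp/issuer.pem http://ocsp.example.com /var/log/ocsp/product-1
if [ "${1:-}" = check ]; then
    shift
    main "$@"
fi
```

The script prints one summary line per run, which cron delivers by mail when MAILTO is set, and its exit status reflects the parsed Cert Status rather than the exit status of openssl ocsp, so a wrapper or monitoring job can distinguish good from revoked, unknown and error without reading the report itself.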