Test and validate configurations of OCSP Responder
Test and validate configurations of the OCSP Response/Responder using KC vars:
KC_SPI_BABY_YODA_OCSP_ENABLED: "true"
KC_SPI_TRUSTSTORE_FILE_FILE: "/opt/keycloak/conf/truststore.jks"
KC_SPI_TRUSTSTORE_FILE_PASSWORD: "password"
Builds on issues #201 (closed) and #138 (comment 2038936)
Tangentially: https://repo1.dso.mil/big-bang/product/plugins/keycloak-p1-auth-plugin/-/issues/46
Initial Synopsis: See: https://www.reddit.com/r/openssl/comments/17zcbi3/how_to_force_browsers_to_check_crl/
Steps:
- Set up a working CA and/or intermediate server (Guide: https://jamielinux.com/docs/openssl-certificate-authority/index.html, BounCA, LabCA etc.)
- Create an index file containing a list of current valid/revoked/expired certificates. (Otherwise known as the 'database' file in OpenSSL terminology)
- Create the public certificate of your CA, or chain of the CA and intermediate.
- Instantiate an OCSP signing keypair from your CA or intermediate. (Guide: https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63)
- Set up an OCSP Responder as a container/server: https://hub.docker.com/r/wackysysadmin/ocsp-responder
See also: https://github.com/wackysysadmin/ocsp-responder-container