Carbon Black uses a certificate chain file to perform OCSP stapling correctly.

You can generate a certificate chain by using any online Certificate Chain Composer, for example the KeyCDN Tools. The following procedure is an example of creating the certificate chain by using the Certificate Chain Composer. The certificate file contains only public data; the private key is not needed for this step and must not be pasted into the tool.

Procedure

  1. Open the certificate sgw_certificate.pem in an editor of your choice and copy all of its content, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    If the file already contains the chain, copy only the first block, from the first -----BEGIN CERTIFICATE----- to the first -----END CERTIFICATE-----.
  2. Paste the content in the text box on the Certificate Chain Composer site and click Compose.
    The tool generates the entire chain of certificates: your own certificate and all the certificates that were used to sign it. You can view the certificate chain in the lower half of the page.
  3. Copy the entire content and paste it in an editor of your choice.
    Note: Delete the block that corresponds to your own certificate, from its -----BEGIN CERTIFICATE----- to its -----END CERTIFICATE-----, so that the chain file contains only the issuing certificates.
  4. Save it as the sgw_chain.pem file.
  5. Copy the sgw_chain.pem file to the /data/certs directory on the server that hosts the Sensor Gateway.
  6. To verify that OCSP stapling works correctly for the Sensor Gateway, run the following commands.
    1. openssl x509 -noout -ocsp_uri -in sgw_certificate.pem
      Prints the OCSP responder URL for your certificate.
    2. openssl ocsp -issuer sgw_chain.pem -cert sgw_certificate.pem -verify_other sgw_chain.pem -CAfile sgw_chain.pem -no_nonce -url <OCSP Responder URL from Previous Command>
      Prints the response from the OCSP responder. For example,
      sgw_certificate.pem: good
      This Update: Jul 18 15:35:01 2023 GMT
      Next Update: Jul 25 15:35:00 2023 GMT

    If there is no response, check the network connectivity and firewall configuration to ensure that the Sensor Gateway can reach the OCSP responder and receive its response.
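The following shell script is an added example, not part of the Carbon Black documentation. It automates steps 1 to 4 (building sgw_chain.pem by dropping the first, leaf certificate block from a full-chain PEM file) and wraps the two openssl commands from step 6 so that the check returns a clean exit status. File names follow the procedure above; the function names (strip_leaf, count_certs, ocsp_uri, ocsp_check) are assumptions of this example. openssl's -issuer option reads the first certificate in the given file, which is why the chain file, with the leaf removed, can serve as the issuer.

```shell
#!/bin/sh
# Added example (not from the Carbon Black documentation).
# Builds sgw_chain.pem from a full-chain PEM and verifies OCSP for the leaf.

# strip_leaf FULLCHAIN : print every certificate block except the first one.
# Anything before the first BEGIN line (e.g. "Bag Attributes") is dropped too.
strip_leaf() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 1 { print }
  ' "$1"
}

# count_certs FILE : number of certificate blocks in a PEM file.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# ocsp_uri CERT : OCSP responder URL from the certificate's AIA extension
# (same command as step 6.1).
ocsp_uri() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# ocsp_check CERT CHAIN : query the responder (same command as step 6.2).
# Exit status: 0 = status "good", 1 = responder reachable but status not
# good or response unverifiable, 2 = no responder URL in the certificate.
ocsp_check() {
  cert=$1
  chain=$2
  url=$(ocsp_uri "$cert") || return 2
  [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 2; }
  out=$(openssl ocsp -issuer "$chain" -cert "$cert" -verify_other "$chain" \
        -CAfile "$chain" -no_nonce -url "$url" 2>&1) || { echo "$out" >&2; return 1; }
  echo "$out"
  echo "$out" | grep -q "^$cert: good$"
}

# Typical use, from the directory holding the files:
#   strip_leaf fullchain.pem > sgw_chain.pem
#   ocsp_check sgw_certificate.pem sgw_chain.pem && echo "OCSP stapling OK"
```

If ocsp_check returns 2, the certificate carries no OCSP responder URL and stapling cannot be set up for it; if it returns 1, inspect the printed output, since a "revoked" or "unknown" status and a network or firewall problem look different there.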