Carbon Black uses a certificate chain file to perform OCSP stapling correctly: the Sensor Gateway needs the certificates that issued its own certificate in order to validate the OCSP responder's signature.
You can generate the certificate chain by using any online Certificate Chain Composer. The following procedure is an example of creating the chain by using such a composer. Only the certificate is pasted into the tool; it is public data. Never paste the private key into any online service.
Procedure
- Open the certificate sgw_certificate.pem in a plain text editor and copy its entire content, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
If the file already contains the chain, copy only the first block, from the first -----BEGIN CERTIFICATE----- to the first -----END CERTIFICATE-----. That first block is the Sensor Gateway's own certificate; the blocks after it are its issuers.
- Paste the content into the text box on the Certificate Chain Composer site and click Compose.
The tool returns the entire chain of certificates: your own certificate followed by the intermediate and root certificates that signed it. The chain appears in the lower half of the page.
- Copy the composed chain and paste it into a plain text editor.
Note: Delete the block that corresponds to your own certificate, from its -----BEGIN CERTIFICATE----- to its -----END CERTIFICATE-----, so that the chain file contains only the issuing certificates. The first remaining block must be the CA that signed sgw_certificate.pem, because the verification command below uses it as the issuer.
- Save the file as sgw_chain.pem.
- Copy the sgw_chain.pem file to the /data/certs directory on the server hosting the Sensor Gateway.
- To confirm that OCSP stapling works for the Sensor Gateway, run the following commands, ideally on the server hosting the Sensor Gateway so that the same network path is tested:
- openssl x509 -noout -ocsp_uri -in sgw_certificate.pem
Outputs the OCSP responder URL for your certificate. If nothing is printed, the certificate carries no OCSP URL in its Authority Information Access extension, and stapling cannot work for it.
- openssl ocsp -issuer sgw_chain.pem -cert sgw_certificate.pem -verify_other sgw_chain.pem -CAfile sgw_chain.pem -no_nonce -url <OCSP Responder URL from Previous Command>
Outputs the response from the OCSP responder. The first certificate in sgw_chain.pem is used as the issuer, and -no_nonce is passed because many public responders do not support nonces. For example,
sgw_certificate.pem: good
This Update: Jul 18 15:35:01 2023 GMT
Next Update: Jul 25 15:35:00 2023 GMT
The output should also contain Response verify OK. A Response Verify Failure means the responder's signature could not be validated against sgw_chain.pem, most often because the root or an intermediate certificate is missing from the chain file. A status of revoked means the certificate must be replaced before it is used.
If there is no response, check the network connectivity and firewall configuration to confirm that the server can reach the OCSP responder; the responder URL is normally plain HTTP.
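The same procedure scripted with openssl, so that the chain file can be built and checked locally instead of by hand. This is an added example, not Carbon Black's own tooling. It assumes openssl is on PATH, that sgw_certificate.pem is the Sensor Gateway certificate, and that the chain returned by the composer (your certificate plus its issuers, in any order) has been saved to a file. It removes your own certificate by matching its content rather than its position, and the offline self-check below uses constructed PEM-shaped blocks that are not real certificates.

```shell
#!/bin/sh
# Added example, not Carbon Black's own tooling: builds sgw_chain.pem from a
# composed chain and runs the two openssl checks from the procedure.
# Assumptions: openssl is on PATH; $1 is sgw_certificate.pem; $2 is the chain
# the composer returned (your certificate plus its issuers) saved to a file.
set -u

# Print only the first PEM certificate block of $1 (the Sensor Gateway's own
# certificate), even when the file already carries intermediates after it.
first_pem_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Number of PEM certificate blocks in $1 (prints 0 when there are none).
pem_block_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print every block of $1 except the one whose content equals the leaf in $2,
# comparing with all whitespace removed so that line wrapping and CRLF line
# endings do not matter. This is the "delete your own certificate" note above.
drop_leaf_block() {
    awk -v leaf="$(tr -d ' \t\r\n' < "$2")" '
        /-----BEGIN CERTIFICATE-----/ { blk = ""; key = ""; inb = 1 }
        inb { blk = blk $0 "\n"; k = $0; gsub(/[ \t\r]/, "", k); key = key k }
        /-----END CERTIFICATE-----/ { inb = 0; if (key != leaf) printf "%s", blk }
    ' "$1"
}

# Write $3 = the composed chain $2 minus the certificate found in $1.
build_chain() {
    leaf_tmp=$(mktemp)
    first_pem_block "$1" > "$leaf_tmp"
    drop_leaf_block "$2" "$leaf_tmp" > "$3"
    rm -f "$leaf_tmp"
}

# Local check before copying the chain to /data/certs: every certificate in $2
# is treated as trusted, so this succeeds only if $2 really contains the CA
# that signed $1 and everything up to a self-signed root. "unable to get issuer
# certificate" means the root (or an intermediate) is missing from the chain.
chain_check() {
    openssl verify -CAfile "$2" "$1"
}

# The two commands from the procedure. -no_nonce because many responders do not
# support nonces. An empty -ocsp_uri result means the certificate has no OCSP
# URL in its Authority Information Access extension, so stapling cannot work.
ocsp_check() {
    url=$(openssl x509 -noout -ocsp_uri -in "$1")
    if [ -z "$url" ]; then
        echo "no OCSP responder URL in $1; stapling is not possible" >&2
        return 1
    fi
    echo "OCSP responder: $url"
    openssl ocsp -issuer "$2" -cert "$1" -verify_other "$2" -CAfile "$2" \
        -no_nonce -url "$url"
}

# Constructed sample for an offline self-check: PEM-shaped blocks, NOT real
# certificates (openssl would reject them). Writes into directory $1 a
# certificate file that already carries its intermediate, and the chain a
# composer would hand back (leaf, intermediate, root).
write_sample() {
    dir=$1
    leaf='-----BEGIN CERTIFICATE-----
TEFFRiBTQU1QTEUgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----'
    inter='-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIFNBTVBMRSBOT1QgQSBSRUFMIENFUlQ=
-----END CERTIFICATE-----'
    root='-----BEGIN CERTIFICATE-----
Uk9PVCBTQU1QTEUgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----'
    printf '%s\n%s\n' "$leaf" "$inter" > "$dir/sgw_certificate.pem"
    printf '%s\n\n%s\n\n%s\n' "$leaf" "$inter" "$root" > "$dir/composed.pem"
}

# Usage: sh build_sgw_chain.sh sgw_certificate.pem composed.pem
# Writes sgw_chain.pem in the current directory, then runs both checks.
if [ $# -eq 2 ]; then
    build_chain "$1" "$2" sgw_chain.pem
    chain_check "$1" sgw_chain.pem && ocsp_check "$1" sgw_chain.pem
fi
```

Run it with the real certificate and composed chain as the two arguments; if chain_check fails, fix sgw_chain.pem before copying it to /data/certs, because the same missing issuer would also make the OCSP response fail verification.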