If you followed previous posts, you should now have working cfssl configuration and server. All that is left is how to revoke certificates and running OCSP responder to verify certificates.

So, now you have cfssl API server for signing certificates and revoking them, running on localhost:8888.

To revoke certificate, you need serial number of certificate, it’s X509v3 Authority Key Identifier and a reason….

First two, you can get by issuing following command

cfssl certinfo -cert my-client.pem

You could use openssl command to get info, but openssl outputs serial number in hexadecimal format (depends on size of serial number), but cfssl expects serial number to be in decimal format…

Also, cfssl expects X509v3 Authority Key Identifier to be all in lower case, and without ‘:’ (in hexadecimal format!).

So, to revoke certificate

curl -d '{"serial": "296772827689808528142468875101369661084351414862","authority_key_id":"ced957d987cbad5c2a80a84d8784ad60d241ba86","reason":"superseded"}' localhost:8888/api/v1/cfssl/revoke

and if everything went OK, you should get


otherwise you will get error message explaining what went wrong…

Now, there are some caveats with cfss OCSP responder… It’s doesn’t update OCSP table on the fly, and responder also isn’t updated on the fly.
So, when you issue or revoke certificate, you need to update OCSP table and dump it’s data to file, and restart OCSP responder…

So, you have issued some certificates and/or revoked. You first need to do ocsprefresh with following command

cfssl ocsprefresh -db-config sqlite_db.conf -responder OCSP/ocsp.pem -responder-key OCSP/ocsp-key.pem -ca intermediateCA.pem
  • sqlite_db.conf is same as the one for cfssl API server.
  • responder and responder-key are certificate and private key of OCSP responder, and
  • ca is intermediateCA/OCSP issuer certificate

So, now table for OCSP is updated, and you need to dump it to file to serve it…

cfssl ocspdump -db-config sqlite_db.conf > ocspdump.txt

And finally, you can start OCSP responder

cfssl ocspserve -address= -port=8889 -responses=ocspdump.txt

To check it, use openssl

openssl ocsp -issuer intermediateCA.pem -no_nonce -cert my-client.pem -CAfile bundleCA.pem -url

One important this is that you need to refresh/regenerate OCSP responses when you revoke certificate, and when you issue a new one!

And that’s it! You should now have correctly configured cfssl API server for issuing, signing, and revoking certificates, and also OCSP responder…