OCSP responder written in Go
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jan Dittberner 745e0ee28a Set service type to exec
Let systemctl start fail when cacert-goocsp cannot be started
1 year ago
cmd/cacertocsp Make loglevel configurable 1 year ago
debian Run service as separate user 1 year ago
docs Set service type to exec 1 year ago
pkg Fix concurrent map access 1 year ago
.gitignore Add goreleaser configuration 2 years ago
.golangci.yml Fix golangci-lint warnings 2 years ago
.goreleaser.yml Add metadata for Debian packages 1 year ago
LICENSE.txt Add license and inline documentation 2 years ago
README.md Document actual features and Debian package 1 year ago
changelog.md Run service as separate user 1 year ago
go.mod Change module name to code.cacert.org/cacert/goocsp 2 years ago
go.sum Add test, include extensions support 2 years ago

README.md

OCSP responder for CAcert

This project aims to provide an OCSP responder implementation for CAcert.

License

The project is licensed under the terms of the Apache License Version 2.0. See LICENSE.txt for details.

Features

The responder supports either openssl ca's index.txt files or DER encoded CRL files.

Certificates not listed in index.txt files will be answered as unknown if openssl index.txt files are used.

Certificates not recorded in CRLs are answered as good if CRLs are used.

The responder supports multiple CA certificates. The responder supports multiple OCSP signing certificates

Responses are signed and contain the signing certificate.

Configuration format

The responder is configured using a YAML configuration file config.yaml in the working directory or specified via the -configFile command line parameter.

Example:

---
issuers:
  - caCertificate: ca1/rootCA.pem
    responderCertificate: ca1/resp.crt.pem
    responderKey: ca1/resp.key.pem
    certificateList: ca1/index.txt
  - caCertificate: ca2/rootCA.pem
    responderCertificate: ca2/resp.crt.pem
    responderKey: ca2/resp.key.pem
    certificateList: ca2/index.txt

The source code repository contains examples for both certificate database modes in the docs/ directory.

Supported configuration keys are:

  • issuer: a list of supported issuer CAs with the following sub keys:

    • caCertificate: the PEM encoded X.509 CA certificate
    • responderCertificate: the PEM encoded OCSP responder certificate
    • responderKey: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
    • certificateList: an openssl ca formatted index.txt containing the certificate status of issued certificates

All file names may either be given as absolute paths or paths relative to the working directory. The file specified in certificateList is watched for changes. The certificate database is automatically reloaded when a change is detected.

Command line parameters

The responder supports a command line parameter -serverAddr that allows the specification of the listening port and address. The default for -serverAddr is :8080.

The Debian packages

The Debian packages install the example configuration files in /usr/share/doc/cacert-goocsp/examples/. The packages come with a systemd service unit and create a system user cacert-goocsp. You need to create /etc/goocsp/config.yaml and run systemctl enable cacert-goocsp.service and systemctl start cacert-goocsp.service to run the OCSP responder.

The recommended directory for the certificate status database files is /var/lib/goocsp. This directory is created by the postinst script in the Debian package.

The files specified in the configuration file must be readable by the cacert-goocsp user.