goocsp/README.md

50 lines
1.9 KiB
Markdown
Raw Normal View History

# OCSP responder for CAcert
This project aims to provide an OCSP responder implementation for CAcert.
## Requirements
2022-03-06 15:18:04 +00:00
* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate
2022-03-06 15:18:04 +00:00
## Configuration format
The responder is configured using a YAML configuration file `config.yaml` in the working directory.
Example:
```yaml
---
issuers:
- caCertificate: ca1/rootCA.pem
responderCertificate: ca1/resp.crt.pem
responderKey: ca1/resp.key.pem
certificateList: ca1/index.txt
- caCertificate: ca2/rootCA.pem
responderCertificate: ca2/resp.crt.pem
responderKey: ca2/resp.key.pem
certificateList: ca2/index.txt
```
Supported configuration keys are:
* `issuer`: a list of supported issuer CAs with the following sub keys:
* `caCertificate`: the PEM encoded X.509 CA certificate
* `responderCertificate`: the PEM encoded OCSP responder certificate
* `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
* `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates
All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.
# Command line parameters
The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.