|
|
|
# OCSP responder for CAcert
|
|
|
|
|
|
|
|
This project aims to provide an OCSP responder implementation for CAcert.
|
|
|
|
|
|
|
|
## License
|
|
|
|
|
|
|
|
The project is licensed under the terms of the Apache License Version 2.0. See
|
|
|
|
LICENSE.txt for details.
|
|
|
|
|
|
|
|
## Features
|
|
|
|
|
|
|
|
The responder supports either openssl ca's
|
|
|
|
[index.txt](https://pki-tutorial.readthedocs.io/en/latest/cadb.html) files or
|
|
|
|
DER encoded CRL files.
|
|
|
|
|
|
|
|
Certificates not listed in index.txt files will be answered as `unknown` if
|
|
|
|
openssl index.txt files are used.
|
|
|
|
|
|
|
|
Certificates not recorded in CRLs are answered as `good` if CRLs are used.
|
|
|
|
|
|
|
|
The responder supports multiple CA certificates. The responder supports
|
|
|
|
multiple OCSP signing certificates
|
|
|
|
|
|
|
|
Responses are signed and contain the signing certificate.
|
|
|
|
|
|
|
|
## Configuration format
|
|
|
|
|
|
|
|
The responder is configured using a YAML configuration file `config.yaml` in
|
|
|
|
the working directory or specified via the `-configFile` command line
|
|
|
|
parameter.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
---
|
|
|
|
issuers:
|
|
|
|
- caCertificate: ca1/rootCA.pem
|
|
|
|
responderCertificate: ca1/resp.crt.pem
|
|
|
|
responderKey: ca1/resp.key.pem
|
|
|
|
certificateList: ca1/index.txt
|
|
|
|
- caCertificate: ca2/rootCA.pem
|
|
|
|
responderCertificate: ca2/resp.crt.pem
|
|
|
|
responderKey: ca2/resp.key.pem
|
|
|
|
certificateList: ca2/index.txt
|
|
|
|
```
|
|
|
|
|
|
|
|
The source code repository contains examples for both certificate database
|
|
|
|
modes in the [docs/](docs/) directory.
|
|
|
|
|
|
|
|
Supported configuration keys are:
|
|
|
|
|
|
|
|
* `issuer`: a list of supported issuer CAs with the following sub keys:
|
|
|
|
|
|
|
|
* `caCertificate`: the PEM encoded X.509 CA certificate
|
|
|
|
* `responderCertificate`: the PEM encoded OCSP responder certificate
|
|
|
|
* `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
|
|
|
|
* `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates
|
|
|
|
|
|
|
|
All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
|
|
|
|
`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.
|
|
|
|
|
|
|
|
# Command line parameters
|
|
|
|
|
|
|
|
The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
|
|
|
|
and address. The default for `-serverAddr` is `:8080`.
|
|
|
|
|
|
|
|
# The Debian packages
|
|
|
|
|
|
|
|
The Debian packages install the example configuration files in
|
|
|
|
`/usr/share/doc/cacert-goocsp/examples/`. The packages come with a systemd
|
|
|
|
service unit and create a system user `cacert-goocsp`. You need to create
|
|
|
|
`/etc/goocsp/config.yaml` and run `systemctl enable cacert-goocsp.service` and
|
|
|
|
`systemctl start cacert-goocsp.service` to run the OCSP responder.
|
|
|
|
|
|
|
|
The recommended directory for the certificate status database files is
|
|
|
|
`/var/lib/goocsp`. This directory is created by the postinst script in the
|
|
|
|
Debian package.
|
|
|
|
|
|
|
|
The files specified in the configuration file must be readable by the
|
|
|
|
cacert-goocsp user.
|
|
|
|
|