goocsp/README.md

# OCSP responder for CAcert

This project aims to provide an OCSP responder implementation for CAcert.

## License

The project is licensed under the terms of the Apache License Version 2.0. See
LICENSE.txt for details.

## Requirements

* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
  in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate

## Configuration format

The responder is configured using a YAML configuration file `config.yaml` in the working directory.

Example:

```yaml
---
issuers:
  - caCertificate: ca1/rootCA.pem
    responderCertificate: ca1/resp.crt.pem
    responderKey: ca1/resp.key.pem
    certificateList: ca1/index.txt
  - caCertificate: ca2/rootCA.pem
    responderCertificate: ca2/resp.crt.pem
    responderKey: ca2/resp.key.pem
    certificateList: ca2/index.txt
```

Supported configuration keys are:

* `issuer`: a list of supported issuer CAs with the following sub keys:

  * `caCertificate`: the PEM encoded X.509 CA certificate
  * `responderCertificate`: the PEM encoded OCSP responder certificate
  * `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
  * `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates

All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.

# Command line parameters

The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.
Initial project setup - add go.mod and README 2022-03-06 08:57:04 +00:00			`# OCSP responder for CAcert`

			`This project aims to provide an OCSP responder implementation for CAcert.`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`## License`

			`The project is licensed under the terms of the Apache License Version 2.0. See`
			`LICENSE.txt for details.`

Initial project setup - add go.mod and README 2022-03-06 08:57:04 +00:00			`## Requirements`

Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`* the sources for OCSP answers should be files in openssl ca's index.txt format as documented`
			`in https://pki-tutorial.readthedocs.io/en/latest/cadb.html`
Initial project setup - add go.mod and README 2022-03-06 08:57:04 +00:00			* certificates that are not listed in those files will be answered as `unknown`
			`* the responder must support multiple CA certificates`
			`* the responder must support multiple OCSP signing certificates`
			`* responses must be signed`
			`* responses must contain the signing certificate`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00
			`## Configuration format`

			The responder is configured using a YAML configuration file `config.yaml` in the working directory.

			`Example:`

			```yaml
			`---`
			`issuers:`
			`- caCertificate: ca1/rootCA.pem`
			`responderCertificate: ca1/resp.crt.pem`
			`responderKey: ca1/resp.key.pem`
			`certificateList: ca1/index.txt`
			`- caCertificate: ca2/rootCA.pem`
			`responderCertificate: ca2/resp.crt.pem`
			`responderKey: ca2/resp.key.pem`
			`certificateList: ca2/index.txt`
			```

			`Supported configuration keys are:`

			* `issuer`: a list of supported issuer CAs with the following sub keys:

			* `caCertificate`: the PEM encoded X.509 CA certificate
			* `responderCertificate`: the PEM encoded OCSP responder certificate
			* `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
			* `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates

			`All file names may either be given as absolute paths or paths relative to the working directory. The file specified in`
			`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.

			`# Command line parameters`

			The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
			and address. The default for `-serverAddr` is `:8080`.