Document actual features and Debian package

Jan Dittberner 1 year ago
parent 3c8e1e4d1f
commit 1a9c9f5947

@ -7,19 +7,27 @@ This project aims to provide an OCSP responder implementation for CAcert.
The project is licensed under the terms of the Apache License Version 2.0. See
LICENSE.txt for details.
## Requirements
## Features
* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate
The responder supports either openssl ca's
[index.txt]( files or
DER encoded CRL files.
Certificates not listed in index.txt files will be answered as `unknown` if
openssl index.txt files are used.
Certificates not recorded in CRLs are answered as `good` if CRLs are used.
The responder supports multiple CA certificates. The responder supports
multiple OCSP signing certificates
Responses are signed and contain the signing certificate.
## Configuration format
The responder is configured using a YAML configuration file `config.yaml` in the working directory.
The responder is configured using a YAML configuration file `config.yaml` in
the working directory or specified via the `-configFile` command line
@ -36,6 +44,9 @@ issuers:
certificateList: ca2/index.txt
The source code repository contains examples for both certificate database
modes in the [docs/](docs/) directory.
Supported configuration keys are:
* `issuer`: a list of supported issuer CAs with the following sub keys:
@ -52,3 +63,19 @@ All file names may either be given as absolute paths or paths relative to the wo
The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.
# The Debian packages
The Debian packages install the example configuration files in
`/usr/share/doc/cacert-goocsp/examples/`. The packages come with a systemd
service unit and create a system user `cacert-goocsp`. You need to create
`/etc/goocsp/config.yaml` and run `systemctl enable cacert-goocsp.service` and
`systemctl start cacert-goocsp.service` to run the OCSP responder.
The recommended directory for the certificate status database files is
`/var/lib/goocsp`. This directory is created by the postinst script in the
Debian package.
The files specified in the configuration file must be readable by the
cacert-goocsp user.