@ -7,19 +7,27 @@ This project aims to provide an OCSP responder implementation for CAcert.
The project is licensed under the terms of the Apache License Version 2.0. See
LICENSE.txt for details.
## Requirements
## Features
* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate
The responder supports either openssl ca's
[index.txt](https://pki-tutorial.readthedocs.io/en/latest/cadb.html) files or
DER encoded CRL files.
Certificates not listed in index.txt files will be answered as `unknown` if
openssl index.txt files are used.
Certificates not recorded in CRLs are answered as `good` if CRLs are used.
The responder supports multiple CA certificates. The responder supports
multiple OCSP signing certificates
Responses are signed and contain the signing certificate.
## Configuration format
The responder is configured using a YAML configuration file `config.yaml` in the working directory.
The responder is configured using a YAML configuration file `config.yaml` in
the working directory or specified via the `-configFile` command line
parameter.
Example:
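Review bot: the CRL-mode sentence ("Certificates not recorded in CRLs are answered as `good` if CRLs are used") is the security-relevant behaviour change in this hunk and needs a caveat next to it: a CRL can only list revoked serials, so a serial the CA never issued, a CRL whose nextUpdate has passed, or a CRL that was never verified against the configured issuer certificate all yield `good` as well. Say what the responder does with a stale CRL and whether it checks the CRL signature against the issuer, or at least tell operators that the DER file must be kept current. Minor: "multiple OCSP signing certificates" is missing its terminating period, and the two adjacent sentences read better merged as "The responder supports multiple CA certificates and multiple OCSP signing certificates."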
@ -36,6 +44,9 @@ issuers:
certificateList: ca2/index.txt
```
The source code repository contains examples for both certificate database
modes in the [docs/](docs/) directory.
Supported configuration keys are:
* `issuer`: a list of supported issuer CAs with the following sub keys:
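Review bot: the documented key name does not match the example it describes: the hunk header context shows the example block under `issuers:` (plural), while the key list introduces it as `issuer` (singular). Use the spelling the loader actually reads in both places, otherwise an operator copying from the key list gets a config that silently defines no issuers. Also, now that the Features section documents a DER CRL mode next to index.txt, the example only shows `certificateList: ca2/index.txt`; the pointer to `docs/` is fine, but naming the key that selects CRL mode here, or adding a one-line CRL issuer to the example, would spare readers the trip to the repository.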
@ -52,3 +63,19 @@ All file names may either be given as absolute paths or paths relative to the wo
The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.
# The Debian packages
The Debian packages install the example configuration files in
`/usr/share/doc/cacert-goocsp/examples/`. The packages come with a systemd
service unit and create a system user `cacert-goocsp`. You need to create
`/etc/goocsp/config.yaml` and run `systemctl enable cacert-goocsp.service` and
`systemctl start cacert-goocsp.service` to run the OCSP responder.
The recommended directory for the certificate status database files is
`/var/lib/goocsp`. This directory is created by the postinst script in the
Debian package.
The files specified in the configuration file must be readable by the
cacert-goocsp user.
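Review bot: the closing permission advice ("must be readable by the cacert-goocsp user") should also state that the OCSP signing key must not be readable by anyone else, e.g. owned `root:cacert-goocsp` with mode 0640 under `/etc/goocsp`, because whoever holds that key can mint `good` responses for revoked certificates. Two smaller points in the same hunk: `-serverAddr` defaulting to `:8080` means listening on every interface, which the sentence should say so that operators place the responder behind their reverse proxy deliberately; and "# The Debian packages" is a level-1 heading in a file whose other sections use `##` ("## Features", "## Configuration format"), while the paths mix `goocsp` (`/etc/goocsp`, `/var/lib/goocsp`) with `cacert-goocsp` (user, service, package), which trips up an operator following the instructions.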