# OCSP responder for CAcert

This project aims to provide an OCSP responder implementation for CAcert.

## License

The project is licensed under the terms of the Apache License Version 2.0. See LICENSE.txt for details.

## Features

The responder supports either openssl ca's [index.txt](https://pki-tutorial.readthedocs.io/en/latest/cadb.html) files or DER encoded CRL files as its certificate status database. The two modes differ in how they answer for certificates that are not recorded:

* Certificates not listed in an index.txt file are answered as `unknown` when index.txt files are used.
* Certificates not recorded in a CRL are answered as `good` when CRLs are used.

The responder supports multiple CA certificates and multiple OCSP signing certificates. Responses are signed and contain the signing certificate.

## Configuration format

The responder is configured using a YAML configuration file `config.yaml` in the working directory or specified via the `-configFile` command line parameter.

Example:

```yaml
---
issuers:
  - caCertificate: ca1/rootCA.pem
    responderCertificate: ca1/resp.crt.pem
    responderKey: ca1/resp.key.pem
    certificateList: ca1/index.txt
  - caCertificate: ca2/rootCA.pem
    responderCertificate: ca2/resp.crt.pem
    responderKey: ca2/resp.key.pem
    certificateList: ca2/index.txt
```

The source code repository contains examples for both certificate database modes in the [docs/](docs/) directory.

Supported configuration keys are:

* `issuers`: a list of supported issuer CAs with the following sub keys:
  * `caCertificate`: the PEM encoded X.509 CA certificate
  * `responderCertificate`: the PEM encoded OCSP responder certificate
  * `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
  * `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates

All file names may either be given as absolute paths or as paths relative to the working directory.

The file specified in `certificateList` is watched for changes.
The certificate database is automatically reloaded when a change is detected.

## Command line parameters

The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port and address. The default for `-serverAddr` is `:8080`.

## The Debian packages

The Debian packages install the example configuration files in `/usr/share/doc/cacert-goocsp/examples/`. The packages come with a systemd service unit and create a system user `cacert-goocsp`.

You need to create `/etc/goocsp/config.yaml` and run `systemctl enable cacert-goocsp.service` and `systemctl start cacert-goocsp.service` to run the OCSP responder.

The recommended directory for the certificate status database files is `/var/lib/goocsp`. This directory is created by the postinst script in the Debian package. The files specified in the configuration file must be readable by the `cacert-goocsp` user.
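The following Go program is an added example, not code from cacert-goocsp itself. It shows the two status lookup rules described under Features: an openssl ca `index.txt` row is mapped to `good` (`V`), `revoked` (`R`, with the recorded revocation time) or `unknown` (serial not listed), while a CRL can only yield `revoked` (serial listed) or `good` (everything else). It assumes the standard `index.txt` layout (tab separated: status, expiry, revocation date, serial, file name, subject; dates as UTCTime `YYMMDDHHMMSSZ`, revocation date optionally followed by `,reason`; serials as upper-case hex). Mapping `E` (expired) rows to `unknown` is this example's own choice; the page does not say how the responder answers for expired entries. The sample index content and the CRL entry list are constructed inline; a real responder would obtain the latter from `x509.ParseRevocationList(der).RevokedCertificateEntries` (Go 1.21 or later).

```go
package main

import (
	"bufio"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Status holds the OCSP CertStatus names of RFC 6960.
type Status string

const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// indexEntry keeps the fields of an openssl ca index.txt row that an OCSP answer needs.
type indexEntry struct {
	status    byte      // 'V' valid, 'R' revoked, 'E' expired
	revokedAt time.Time // set for 'R' rows only
}

// normSerial maps openssl's zero-padded upper-case hex and big.Int hex to one map key.
func normSerial(hex string) string { return strings.TrimLeft(strings.ToUpper(hex), "0") }

// loadIndex parses tab-separated index.txt rows: status, expiry, revocation date, serial,
// file name, subject. The revocation field is "YYMMDDHHMMSSZ", optionally followed by ",reason".
func loadIndex(content string) (map[string]indexEntry, error) {
	db := make(map[string]indexEntry)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) < 6 || f[0] == "" {
			return nil, fmt.Errorf("malformed index.txt line: %q", line)
		}
		e := indexEntry{status: f[0][0]}
		if e.status == 'R' {
			t, err := time.Parse("060102150405Z", strings.SplitN(f[2], ",", 2)[0])
			if err != nil {
				return nil, fmt.Errorf("bad revocation date %q: %w", f[2], err)
			}
			e.revokedAt = t
		}
		db[normSerial(f[3])] = e
	}
	return db, sc.Err()
}

// statusFromIndex: not listed -> unknown, V -> good, R -> revoked (with its time).
// Mapping any other letter, such as 'E', to unknown is this example's own choice.
func statusFromIndex(db map[string]indexEntry, serial *big.Int) (Status, time.Time) {
	e, ok := db[normSerial(serial.Text(16))]
	switch {
	case !ok:
		return Unknown, time.Time{}
	case e.status == 'V':
		return Good, time.Time{}
	case e.status == 'R':
		return Revoked, e.revokedAt
	}
	return Unknown, time.Time{}
}

// statusFromCRL takes the entries of a parsed CRL (x509.ParseRevocationList(der).RevokedCertificateEntries):
// listed -> revoked with its time, anything else -> good, because a CRL only records revocations.
func statusFromCRL(entries []x509.RevocationListEntry, serial *big.Int) (Status, time.Time) {
	for _, rc := range entries {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return Revoked, rc.RevocationTime
		}
	}
	return Good, time.Time{}
}

// sampleIndex is a constructed index.txt with a valid, a revoked and an expired certificate.
const sampleIndex = "V\t330101000000Z\t\t1000\tunknown\t/CN=alice\n" +
	"R\t330101000000Z\t240315120000Z,keyCompromise\t1001\tunknown\t/CN=bob\n" +
	"E\t200101000000Z\t\t1002\tunknown\t/CN=carol\n"

// sampleCRL stands in for a parsed CRL that lists only serial 1001 (constructed, not read from disk).
var sampleCRL = []x509.RevocationListEntry{{SerialNumber: big.NewInt(0x1001), RevocationTime: time.Date(2024, 3, 15, 12, 0, 0, 0, time.UTC)}}

// runDemo answers serials 1000-1003 from both database kinds; 1003 is recorded nowhere,
// which is where the two modes give different answers (unknown vs. good).
func runDemo() (map[string]Status, error) {
	db, err := loadIndex(sampleIndex)
	if err != nil {
		return nil, err
	}
	out := map[string]Status{}
	for _, serial := range []int64{0x1000, 0x1001, 0x1002, 0x1003} {
		out[fmt.Sprintf("index/%X", serial)], _ = statusFromIndex(db, big.NewInt(serial))
		out[fmt.Sprintf("crl/%X", serial)], _ = statusFromCRL(sampleCRL, big.NewInt(serial))
	}
	return out, nil
}

func main() { fmt.Println(runDemo()) }
```

Running it prints `index/1003:unknown` next to `crl/1003:good` for the serial that neither database records, which is the operational difference to keep in mind when choosing between the two modes: an index.txt responder never vouches for a certificate it has no record of, a CRL responder does.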