# OCSP responder for CAcert

This project aims to provide an OCSP responder implementation for CAcert.

## License

The project is licensed under the terms of the Apache License Version 2.0. See
LICENSE.txt for details.

## Requirements

* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
  in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate

## Configuration format

The responder is configured using a YAML configuration file `config.yaml` in the working directory.

Example:

```yaml
---
issuers:
  - caCertificate: ca1/rootCA.pem
    responderCertificate: ca1/resp.crt.pem
    responderKey: ca1/resp.key.pem
    certificateList: ca1/index.txt
  - caCertificate: ca2/rootCA.pem
    responderCertificate: ca2/resp.crt.pem
    responderKey: ca2/resp.key.pem
    certificateList: ca2/index.txt
```

Supported configuration keys are:

* `issuer`: a list of supported issuer CAs with the following sub keys:

  * `caCertificate`: the PEM encoded X.509 CA certificate
  * `responderCertificate`: the PEM encoded OCSP responder certificate
  * `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
  * `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates

All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.

# Command line parameters

The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.