OCSP responder for CAcert
This project aims to provide an OCSP responder implementation for CAcert.
The project is licensed under the terms of the Apache License Version 2.0. See LICENSE.txt for details.
The responder supports either openssl ca's index.txt files or DER encoded CRL files.
Certificates not listed in index.txt files will be answered as
openssl index.txt files are used.
Certificates not recorded in CRLs are answered as
good if CRLs are used.
The responder supports multiple CA certificates. The responder supports multiple OCSP signing certificates
Responses are signed and contain the signing certificate.
The responder is configured using a YAML configuration file
the working directory or specified via the
-configFile command line
--- issuers: - caCertificate: ca1/rootCA.pem responderCertificate: ca1/resp.crt.pem responderKey: ca1/resp.key.pem certificateList: ca1/index.txt - caCertificate: ca2/rootCA.pem responderCertificate: ca2/resp.crt.pem responderKey: ca2/resp.key.pem certificateList: ca2/index.txt
The source code repository contains examples for both certificate database modes in the docs/ directory.
Supported configuration keys are:
issuer: a list of supported issuer CAs with the following sub keys:
caCertificate: the PEM encoded X.509 CA certificate
responderCertificate: the PEM encoded OCSP responder certificate
responderKey: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
certificateList: an openssl ca formatted
index.txtcontaining the certificate status of issued certificates
All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
certificateList is watched for changes. The certificate database is automatically reloaded when a change is detected.
Command line parameters
The responder supports a command line parameter
-serverAddr that allows the specification of the listening port
and address. The default for
The Debian packages
The Debian packages install the example configuration files in
/usr/share/doc/cacert-goocsp/examples/. The packages come with a systemd
service unit and create a system user
cacert-goocsp. You need to create
/etc/goocsp/config.yaml and run
systemctl enable cacert-goocsp.service and
systemctl start cacert-goocsp.service to run the OCSP responder.
The recommended directory for the certificate status database files is
/var/lib/goocsp. This directory is created by the postinst script in the
The files specified in the configuration file must be readable by the cacert-goocsp user.