cacert
/
goocsp
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 3 Wiki Activity
OCSP responder written in Go
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26 Commits
1 Branch
3 Tags
171 KiB
Go 100%
 
main
0.2.0
0.1.0
0.2.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '60430c9720'
${ noResults }
Go to file
Jan Dittberner 60430c9720 Include changelog.md in Debian packages 2 years ago
cmd/cacertocsp Make loglevel configurable 2 years ago
docs Add systemd service, support dynamic configuration 2 years ago
pkg Fix concurrent map access 2 years ago
.gitignore Add goreleaser configuration 3 years ago
.golangci.yml Fix golangci-lint warnings 2 years ago
.goreleaser.yml Include changelog.md in Debian packages 2 years ago
LICENSE.txt Add license and inline documentation 3 years ago
README.md Add license and inline documentation 3 years ago
changelog.md Include changelog.md in Debian packages 2 years ago
go.mod Change module name to code.cacert.org/cacert/goocsp 2 years ago
go.sum Add test, include extensions support 2 years ago

README.md

OCSP responder for CAcert

This project aims to provide an OCSP responder implementation for CAcert.

License

The project is licensed under the terms of the Apache License Version 2.0. See LICENSE.txt for details.

Requirements

  • the sources for OCSP answers should be files in openssl ca's index.txt format as documented in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
  • certificates that are not listed in those files will be answered as unknown
  • the responder must support multiple CA certificates
  • the responder must support multiple OCSP signing certificates
  • responses must be signed
  • responses must contain the signing certificate

Configuration format

The responder is configured using a YAML configuration file config.yaml in the working directory.

Example:

---
issuers:
  - caCertificate: ca1/rootCA.pem
    responderCertificate: ca1/resp.crt.pem
    responderKey: ca1/resp.key.pem
    certificateList: ca1/index.txt
  - caCertificate: ca2/rootCA.pem
    responderCertificate: ca2/resp.crt.pem
    responderKey: ca2/resp.key.pem
    certificateList: ca2/index.txt

Supported configuration keys are:

  • issuer: a list of supported issuer CAs with the following sub keys:

    • caCertificate: the PEM encoded X.509 CA certificate
    • responderCertificate: the PEM encoded OCSP responder certificate
    • responderKey: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
    • certificateList: an openssl ca formatted index.txt containing the certificate status of issued certificates

All file names may either be given as absolute paths or paths relative to the working directory. The file specified in certificateList is watched for changes. The certificate database is automatically reloaded when a change is detected.

Command line parameters

The responder supports a command line parameter -serverAddr that allows the specification of the listening port and address. The default for -serverAddr is :8080.