2 KiB
OCSP responder for CAcert
This project aims to provide an OCSP responder implementation for CAcert.
License
The project is licensed under the terms of the Apache License Version 2.0. See LICENSE.txt for details.
Requirements
- the sources for OCSP answers should be files in openssl ca's index.txt format as documented in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
- certificates that are not listed in those files will be answered as
unknown
- the responder must support multiple CA certificates
- the responder must support multiple OCSP signing certificates
- responses must be signed
- responses must contain the signing certificate
Configuration format
The responder is configured using a YAML configuration file config.yaml
in the working directory.
Example:
---
issuers:
- caCertificate: ca1/rootCA.pem
responderCertificate: ca1/resp.crt.pem
responderKey: ca1/resp.key.pem
certificateList: ca1/index.txt
- caCertificate: ca2/rootCA.pem
responderCertificate: ca2/resp.crt.pem
responderKey: ca2/resp.key.pem
certificateList: ca2/index.txt
Supported configuration keys are:
-
issuer
: a list of supported issuer CAs with the following sub keys:caCertificate
: the PEM encoded X.509 CA certificateresponderCertificate
: the PEM encoded OCSP responder certificateresponderKey
: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 formatcertificateList
: an openssl ca formattedindex.txt
containing the certificate status of issued certificates
All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
certificateList
is watched for changes. The certificate database is automatically reloaded when a change is detected.
Command line parameters
The responder supports a command line parameter -serverAddr
that allows the specification of the listening port
and address. The default for -serverAddr
is :8080
.