cacert
/
goocsp
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 3 Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
0.2.0
0.1.0
0.2.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f6089bac79'
${ noResults }
goocsp/README.md

55 lines
2.0 KiB
Markdown
Raw Blame History

# OCSP responder for CAcert
This project aims to provide an OCSP responder implementation for CAcert.
## License
The project is licensed under the terms of the Apache License Version 2.0. See
LICENSE.txt for details.
## Requirements
* the sources for OCSP answers should be files in openssl ca's index.txt format as documented
in https://pki-tutorial.readthedocs.io/en/latest/cadb.html
* certificates that are not listed in those files will be answered as `unknown`
* the responder must support multiple CA certificates
* the responder must support multiple OCSP signing certificates
* responses must be signed
* responses must contain the signing certificate
## Configuration format
The responder is configured using a YAML configuration file `config.yaml` in the working directory.
Example:
```yaml
---
issuers:
- caCertificate: ca1/rootCA.pem
responderCertificate: ca1/resp.crt.pem
responderKey: ca1/resp.key.pem
certificateList: ca1/index.txt
- caCertificate: ca2/rootCA.pem
responderCertificate: ca2/resp.crt.pem
responderKey: ca2/resp.key.pem
certificateList: ca2/index.txt
```
Supported configuration keys are:
* `issuer`: a list of supported issuer CAs with the following sub keys:
* `caCertificate`: the PEM encoded X.509 CA certificate
* `responderCertificate`: the PEM encoded OCSP responder certificate
* `responderKey`: the PEM encoded OCSP responder private key. The key must be in PKCS#8 or PKCS#1 format
* `certificateList`: an openssl ca formatted `index.txt` containing the certificate status of issued certificates
All file names may either be given as absolute paths or paths relative to the working directory. The file specified in
`certificateList` is watched for changes. The certificate database is automatically reloaded when a change is detected.
# Command line parameters
The responder supports a command line parameter `-serverAddr` that allows the specification of the listening port
and address. The default for `-serverAddr` is `:8080`.
Reference in New Issue View Git Blame Copy Permalink