# OCSP Server
OCSP Server is a minimal implementation of both an OCSP responder and a CRL server in Go; the CRL is the single source of revocation data for both interfaces. Originally created by Florian Bauer and now adapted for Spacebar. A single instance can serve any number of CAs (e.g. a root CA and several intermediates).
## Configuration
Point the server at a single directory that contains one subdirectory per CA. The subdirectory name is used as the route prefix.
```
cas/
├── root/
│   ├── ca.crt
│   ├── responder.crt
│   ├── key.pem
│   └── crl.pem
├── hr/
│   ├── ca.crt
│   ├── responder.crt
│   ├── key.pem
│   └── crl.pem
└── it/
    ├── ca.crt
    ├── responder.crt
    ├── key.pem
    └── crl.pem
```
Each CA subdirectory must contain:
| File | Description |
|---|---|
| `ca.crt` | The CA certificate (PEM) |
| `responder.crt` | The OCSP responder certificate with `extendedKeyUsage = OCSPSigning` |
| `key.pem` | The private key for the responder certificate (PEM) |
| `crl.pem` | The current CRL issued by the CA (PEM or DER) |
Run the server with:
```
ocspcrl --cas-directory /path/to/cas
```
## Endpoints

For every CA subdirectory `<route-prefix>`, the following endpoints are exposed:

| Endpoint | Content-Type | Description |
|---|---|---|
| `<route-prefix>/ocsp` | (OCSP) | OCSP responder supporting both GET and POST requests |
| `<route-prefix>/ocsp/` | (OCSP) | OCSP responder supporting both GET and POST requests |
| `<route-prefix>/crl` | `application/pkix-cert` | CRL in DER form |
| `<route-prefix>/crl.pem` | `application/pkix-crl` | CRL in PEM form |
| `<route-prefix>/ca` | `application/pkix-cert` | CA certificate in DER form |
| `<route-prefix>/ca.pem` | `application/x-x509-ca-cert` | CA certificate in PEM form |
For example, with the layout above, the OCSP endpoint for the `hr` intermediate is `https://<host>/hr/ocsp` and its CRL is at `https://<host>/hr/crl.pem`.
## Reloading the CRLs

Synchronizing the CAs' CRLs is out of scope for this project; any mechanism may be used to update the CRL files on disk. Send `SIGHUP` to the `ocspcrl` server process to make it reload every CA's CRL from disk.
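As an added example (not the project's own code), the core lookup a CRL-backed responder like ocspcrl performs: derive a serial's OCSP status from a parsed CRL, answering `unknown` rather than `good` when the CRL was not signed by the CA being asked about or its `nextUpdate` has already passed, which is what a missed reload eventually produces. The CA, key and CRL are generated in-process as constructed test data; `CRLLookup`, `BuildTestCA` and `must` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Status is the OCSP CertStatus (RFC 6960) a responder puts in its reply.
type Status string
const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// CRLLookup derives a serial's OCSP status from a CRL, as a CRL-backed responder does. It answers
// Unknown rather than Good when the CRL is not signed by the CA asked about or its nextUpdate has passed.
func CRLLookup(crl *x509.RevocationList, ca *x509.Certificate, serial *big.Int, now time.Time) (Status, *x509.RevocationListEntry) {
	if crl.CheckSignatureFrom(ca) != nil || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return Unknown, nil
	}
	for i := range crl.RevokedCertificateEntries {
		if e := &crl.RevokedCertificateEntries[i]; e.SerialNumber.Cmp(serial) == 0 {
			return Revoked, e
		}
	}
	return Good, nil
}

// BuildTestCA generates a throwaway CA and a one-hour CRL it signs revoking one serial
// (constructed data for this example; ocspcrl loads ca.crt, key.pem and crl.pem from disk).
func BuildTestCA(revoked int64) (*x509.Certificate, *x509.RevocationList) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	entry := x509.RevocationListEntry{SerialNumber: big.NewInt(revoked), RevocationTime: now, ReasonCode: 1} // keyCompromise
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{RevokedCertificateEntries: []x509.RevocationListEntry{entry},
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}, ca, key))
	return ca, must(x509.ParseRevocationList(crlDER))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```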