Hey there all,

I'm using SSL as part of puppet, which has its own sort of CA.

Puppet has no idea about OCSP, but on the master, it leaves most of its configuration to the apache backend. Since apache won't re-read a CRL unless restarted, OCSP seemed like a good answer to this.

Puppet's CA doesn't generate a standard index.txt. What it *does* do is generate a standard CRL (which I suppose I can parse with the openssl crl command) as well as an inventory file that contains cert start and end dates, as well as serials and subjects.

I *think* this is enough information to effectively regenerate the OCSP index file, and thus answer CRL requests.

Rather than letting the openssl code manage sockets and tcp ports, I figured I'd write some basic perl code as glue, and let apache run an OCSP responder in a vhost, which would simply generate a signed response. The CGI would basically be a wrapper, as well as a tool to regenerate an index.txt if either the inventory or the CRL had changed.

This way, threading and the like aren't issues, and error-handling is more easily catchable.

Does any of this sound like a particularly awful idea?

-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
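The regeneration step the post describes (rebuild an OpenSSL `index.txt` from Puppet's `inventory.txt` plus the CRL, so that `openssl ocsp -index` can answer for the Puppet CA) looks roughly like the following. This is an added example, not code from the post, from Puppet or from OpenSSL, and it is in Python rather than the Perl the author planned. It assumes Puppet's inventory line layout (`0xSERIAL not-before not-after subject`) and reads the CRL through the text output of `openssl crl -noout -text`, which a real script would obtain with `subprocess`; here both inputs are constructed strings so the example runs offline.

```python
"""Rebuild an OpenSSL CA-database style index.txt from Puppet CA artifacts.

Added example (not from the original post, Puppet or OpenSSL). Assumptions:
  * inventory.txt lines look like
      0x0002 2014-03-24T22:23:15UTC 2019-03-24T22:23:15UTC /CN=puppet.example
  * revoked serials are taken from `openssl crl -in ca_crl.pem -noout -text`
The resulting rows use the tab-separated layout `openssl ca` writes:
  status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial(hex)  filename  subject
"""
import re
from datetime import datetime, timezone

# Constructed sample of Puppet's inventory.txt (not real data).
SAMPLE_INVENTORY = """\
0x0001 2014-03-24T22:23:14UTC 2019-03-24T22:23:14UTC /CN=Puppet CA: puppet.example
0x0002 2014-03-24T22:23:15UTC 2019-03-24T22:23:15UTC /CN=puppet.example
0x0003 2014-04-01T10:00:00UTC 2019-04-01T10:00:00UTC /CN=agent1.example
0x0004 2014-04-02T10:00:00UTC 2016-04-02T10:00:00UTC /CN=agent2.example
"""

# Constructed sample of `openssl crl -noout -text` output (only the fields parsed here).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Puppet CA: puppet.example
        Last Update: Jun 10 12:00:00 2015 GMT
        Next Update: Jun 10 12:00:00 2016 GMT
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Jun 10 11:59:00 2015 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
"""

# Constructed "current time" so the expired/valid split is deterministic.
SAMPLE_NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)


def parse_inventory(text):
    """Yield (serial_int, not_before, not_after, subject) from inventory.txt lines."""
    fmt = "%Y-%m-%dT%H:%M:%SUTC"
    for line in text.splitlines():
        if not line.strip():
            continue
        # Subject may contain spaces, so split on the first three only.
        serial, start, end, subject = line.split(" ", 3)
        yield (int(serial, 16),
               datetime.strptime(start, fmt).replace(tzinfo=timezone.utc),
               datetime.strptime(end, fmt).replace(tzinfo=timezone.utc),
               subject)


def parse_crl_text(text):
    """Return {serial_int: revocation_datetime} from `openssl crl -text` output."""
    revoked = {}
    serial = None
    for line in text.splitlines():
        m = re.match(r"\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$", line)
        if m:
            serial = int(m.group(1), 16)
            continue
        m = re.match(r"\s*Revocation Date:\s*(.+ GMT)\s*$", line)
        if m and serial is not None:
            when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
            revoked[serial] = when.replace(tzinfo=timezone.utc)
            serial = None
    return revoked


def utctime(dt):
    """UTCTime string as `openssl ca` writes into index.txt: YYMMDDHHMMSSZ."""
    return dt.strftime("%y%m%d%H%M%SZ")


def serial_hex(n):
    """Uppercase hex with an even digit count, matching openssl's serial lookup."""
    s = "%X" % n
    return s if len(s) % 2 == 0 else "0" + s


def build_index(inventory_text, crl_text, now):
    """Return index.txt content; the CRL wins over the inventory for revocation."""
    revoked = parse_crl_text(crl_text)
    rows = []
    for serial, _start, end, subject in parse_inventory(inventory_text):
        if serial in revoked:
            status, revdate = "R", utctime(revoked[serial])
        elif end <= now:
            status, revdate = "E", ""      # expired, as `openssl ca updatedb` marks it
        else:
            status, revdate = "V", ""
        rows.append("\t".join([status, utctime(end), revdate,
                               serial_hex(serial), "unknown", subject]))
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(build_index(SAMPLE_INVENTORY, SAMPLE_CRL_TEXT, SAMPLE_NOW), end="")
```

With the file written, the CGI wrapper can hand each DER request to `openssl ocsp -index index.txt -CA ca_crt.pem -rsigner <signer cert> -rkey <signer key> -reqin req.der -respout resp.der` and return the response. Two points worth checking in that setup: the signer must be either the CA itself or a certificate the CA issued with the OCSP-signing extended key usage, otherwise clients will reject the response; and because the CRL, not the inventory, is the authoritative revocation source, the index has to be regenerated whenever the CRL changes, exactly as the post proposes.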
