Now, there's an issue that has not been covered (or I haven't seen it).
I'm trying to start the ocspd responder with the script and also from the command line as shown in the manpages... and get no response: it just quits right after launching, and nothing is logged to /var/log/messages...
It does not seem to be a permissions problem: the user can read and write the locations where the certificates, pid file, CRLs and keys are kept.
I've seen some related mails but never found the solution in them... It seems similar to this thread: http://sourceforge.net/mailarchive/message.php?msg_id=35611620
The config file used is the following:
[ ocspd ]
# Entry section: default_ocspd names the section that holds the server
# settings (OCSPD_default, defined further down in this file).
default_ocspd = OCSPD_default # The default ocspd section
####################################################################
[ OCSPD_default ]
# Main server section, selected by default_ocspd above. The $dir/... values
# below presumably rely on the parser expanding the dir key (OpenSSL-style
# CONF syntax), so keep dir defined before its first use.
dir = /usr/local/etc/ocspd # Where everything is kept
# NOTE(review): db is disabled here; confirm whether this ocspd build needs
# an index file at all, and drop the line if it does not.
#db = $dir/index.txt # database index file.
# Digest algorithm used by the responder. sha1 is what this setup uses;
# confirm whether this ocspd version accepts a stronger digest (e.g. sha256).
md = sha1
ca_certificate = $dir/certs/ca.pem # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem # The OCSP server cert
# Private key matching ocspd_certificate. It must be readable by the account
# named in 'user' below and should be readable by nobody else.
ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key
# The account in 'user' must be able to create this file, otherwise the
# daemon may refuse to start.
pidfile = $dir/ocspd.pid # Main process pid
# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
# the code providing an 'illegal' access method for an attacker
# it is better not to give him additional advantages.
# NOTE(review): user = root contradicts the advice just above -- a flaw in
# the responder would then run with full privileges. Prefer a dedicated
# unprivileged account that owns $dir/private and can write the pidfile.
user = root
group = staff
# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the availables ones.
# '*' listens on every interface; narrow this to one address if the
# responder should not be reachable from every attached network.
bind = *
# Port where the server will listen for incoming requests.
port = 2560
# Max size of accepted requests. Data connection will be closed
# in case this size will be reached (bytes).
max_req_size = 8192
# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1)
# to the parent process) (seconds)
crl_auto_reload = 3600
# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600
# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
# Boolean written as yes/no, the same form ocsp_add_response_keyid uses.
crl_reload_expired = yes
# Specifies the response section to load the server options
# from
response = ocsp_response
# It specifies the section to be used where options about where
# CRL and certificates are kept.
# Example section using FILES for data retrival
dbms = dbms_file
####################################################################
[ ocsp_response ]
# Response-building options; loaded because OCSPD_default sets
# response = ocsp_response.
# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid = yes
# next_update_days and next_update_mins allows to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
#
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
# software correctly work with OCSP enabled.
# A short nextUpdate window also bounds how long a client may keep
# relying on an answer issued before a newer CRL was loaded.
next_update_days = 0
next_update_mins = 5
####################################################################
[ dbms_file ]
# Data-source section, selected by dbms = dbms_file in OCSPD_default.
# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
# @first_ca points at the section of that name below; further CAs
# presumably follow the same pattern (1.ca = @second_ca, ...) -- confirm
# against the ocspd documentation.
0.ca = @first_ca
####################################################################
[ first_ca ]
# Per-CA section referenced from dbms_file. Paths here are spelled out in
# full rather than via $dir; they resolve to the same directory as
# dir = /usr/local/etc/ocspd above, so keep them in sync if dir changes.
# You can have the CRL on a simple file in PEM format
# Responses are only as current as this file: it is re-read every
# crl_auto_reload seconds (see OCSPD_default), so the CRL publisher must
# refresh it in place.
crl_url = file:///usr/local/etc/ocspd/certs/cacrl.pem
# We need the CA certificate for every supported CRL
# Same file as ca_certificate in OCSPD_default ($dir/certs/ca.pem).
ca_url = file:///usr/local/etc/ocspd/certs/ca.pem
Thank you for your time; I hope I'm not annoying anyone with this simple question.
see you.
