On Wed, Jun 01, 2005, Julien VEHENT wrote:

> Hi all,
> 
> I have an OCSP Responder on my CA and I want to use it in order to
> generate CRLs on other servers.
> 
> So the idea is:
> 
> +-----+
> | CA &|<====ocsp request====(1)===+-----------+>>(3)>\
> |ocsp |...........................|openvpn srv|......(CRL GENERATION)
> +-----+=====ocsp response===(2)==>+-----------+<<(4)</
> 
> and with the ocsp response I want to generate a CRL.
> 
> For the ocsp request, I'm using the openssl toolkit with a cron. But I have
> several problems:
> 
> _How can I request all certificates managed by my CA in one ocsp request?
> (I don't want to copy all of these signed certificates on all of my openvpn
> servers)
> 
> _How can I encode the response in PEM format in order to use it with OpenVPN?
> 
> I really want to use the OCSP protocol for several reasons (including security
> considerations), so publication through the HTTP protocol is not a good solution
> for me.
> 
> 
> Could you help me?... :)

OCSP can't really be used that way unless you include the serial numbers of
*all* that CA's certificates in the request. That could result in a very large
request and responder overhead.

What is your problem with HTTP? A CRL is digitally signed so it can't be
tampered with.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
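As an added example that is not part of the thread, the following shell script builds a throwaway CA and an (empty) CRL with the openssl CLI, then runs the check a CRL consumer should apply to whatever it fetched, over HTTP or otherwise: the genuine CRL verifies against the CA certificate, a copy with one altered signature byte does not, and nextUpdate is read out because the signature covers integrity but not freshness. The file names, CA subject and config values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway CA and CRL made with the
# openssl CLI, then signature checks a CRL consumer should run on what it fetched.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test CA: key plus 1-day self-signed certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1

# Minimal config for `openssl ca -gencrl` (empty database: nothing revoked yet)
mkdir db; : > db/index.txt; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = test_ca
[ test_ca ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# verify_crl FILE FORMAT: succeeds only if the CRL signature validates under
# ca.pem; this is why a CRL pulled over plain HTTP can still be trusted
verify_crl() {
  openssl crl -in "$1" -inform "$2" -CAfile ca.pem -noout 2>&1 | grep -q 'verify OK'
}

# crl_next_update FILE: the signature proves integrity, not freshness, so a
# consumer must also reject a replayed CRL whose nextUpdate has passed
crl_next_update() {
  openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# Tampered copy: flip the low bit of the DER encoding's last byte, which sits
# inside the signature, so the CRL still parses but no longer verifies
openssl crl -in ca.crl -outform DER -out ca.der
SIZE=$(wc -c < ca.der | tr -d ' ')
LAST=$(tail -c 1 ca.der | od -An -tu1 | tr -d ' ')
dd if=ca.der of=tampered.der bs=1 count=$((SIZE - 1)) 2>/dev/null
printf "$(printf '\\%03o' $((LAST ^ 1)))" >> tampered.der

verify_crl ca.crl PEM && echo "ca.crl: verify OK, nextUpdate $(crl_next_update ca.crl)"
verify_crl tampered.der DER || echo "tampered.der: verify failure, as expected"
```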