"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 01, 2005, Julien VEHENT wrote:
> > Hi all,
> >
> > I'm having an OCSP Responder on my CA and I want to use it in order to
> > generate CRLs on other servers. So the idea is:
> >
> > +-----+
> > | CA &|<====ocsp request====(1)===+-----------+>>(3)>
> > |ocsp |...........................|openvpn srv|......(CRL GENERATION)
> > +-----+=====ocsp response===(2)==>+-----------+<<(4)</
> >
> > and with the ocsp response I want to generate a CRL.
> >
> > For the ocsp request, I'm using the openssl toolkit with a cron. But I
> > have several problems:
> >
> > _ How can I request all certificates managed by my CA in one ocsp
> >   request? (I don't want to copy all of these signed certificates on all
> >   of my openvpn servers)
> > _ How can I encode the response in PEM format in order to use it with
> >   OpenVPN?
> >
> > I really want to use the OCSP protocol for several reasons (including
> > security considerations), so publication through the HTTP protocol is
> > not a good solution for me.
> >
> > Could you help me?... :)
>
> OCSP can't really be used that way unless you include the serial numbers
> of *all* that CA's certificates in the request. That could result in a
> very large request and responder overhead.
>
> What is your problem with HTTP? A CRL is digitally signed so it can't be
> tampered with.
I don't want to use HTTP just because web servers are too much attacked.
Moreover, OCSP is very interesting for the student that I am :)

OK, so if I use a "boring script" which requests 100 serials in one line,
what is the correct syntax to generate a CRL using the OpenSSL OCSP
request?

I've tried to use the -respout argument and a CRL conversion (with
openssl crl -inform DER [...] -outform PEM [...]) but it doesn't work...
The error message is:

    unable to load CRL

And openssl ocsp --help doesn't say anything about CRL generation......

Thank you very much for your answers :)

------------------------------------------------------------------
J. VEHENT
Student in Computer Security
[EMAIL PROTECTED]
------------------------------------------------------------------
Microgate | 02.47.66.95.01 | www.microgate.fr