Hi there,

One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of "real-life" scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server.
In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes.

Have fun.

Patrick.

On 2013-07-18, at 12:19 PM, redpath wrote:

> I am testing some simple scenarios for the OCSP server.
> I have to stop and start the server to know I revoked a cert.
> Here is my scenario.
>
> *I start the OCSP server*
>
> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
>
> *I check a cert*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>
> *and it's GOOD*
>
> *Then from a terminal I revoke a certificate*
>
> openssl ca -revoke ./demoCA/newcerts/1009.pem
>
> Using configuration from /usr/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> Revoking Certificate 1009.
> Data Base Updated
>
> *I check it again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: good
> This Update: Jul 18 16:13:02 2013 GMT
>
> *Not correct, it is revoked, I looked at the index.txt. I stop and start the OCSP server again.*
>
> *I check again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: revoked
> This Update: Jul 18 16:13:34 2013 GMT
> Revocation Time: Jul 18 16:12:18 2013 GMT
>
> *And results are expected REVOKED.*
> *So what is the best practice to get the OCSP server to update?*
>
> --
> View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-tp45877.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
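As an added illustration of the point made in the reply (not code from OpenSSL or from either poster): the stock `openssl ocsp` responder parses index.txt once at startup, so a `openssl ca -revoke` is invisible until a restart. A self-written responder has to do the one thing the test tool skips, which is to check the CA database for changes on every request. The example below parses OpenSSL's index.txt format and reloads it whenever the file on disk changes; the index.txt contents, the serials and the subject names are constructed for the demo (serial 0x1009 and the revocation time 16:12:18 GMT are taken from the thread, the rest is made up).

```python
"""Status lookup against OpenSSL's CA database (index.txt), re-read on change.

Added example, not OpenSSL's responder: the minimum a self-written OCSP
responder needs so that `openssl ca -revoke` shows up without a restart.
"""
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample of demoCA/index.txt. One record per line, tab separated:
# status (V/R/E), expiry, revocation time[,reason], serial (hex), filename, DN.
SAMPLE_INDEX = (
    "V\t140718160000Z\t\t1008\tunknown\t/C=CA/O=Example/CN=alice\n"
    "R\t140718160000Z\t130718161218Z\t1009\tunknown\t/C=CA/O=Example/CN=bob\n"
    "V\t140718160000Z\t\t100A\tunknown\t/C=CA/O=Example/CN=carol\n"
    "R\t140718160000Z\t130718161218Z,keyCompromise\t100B\tunknown\t/C=CA/O=Example/CN=dave\n"
)


def _parse_time(s):
    # index.txt uses UTCTime (YYMMDDHHMMSSZ); GeneralizedTime (YYYYMMDD...) for years >= 2050.
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return {serial (int): record dict} for every entry in an index.txt."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        rec = {"status": status, "expiry": _parse_time(expiry), "subject": subject,
               "revoked_at": None, "reason": None}
        if revocation:
            when, _, reason = revocation.partition(",")
            rec["revoked_at"] = _parse_time(when)
            rec["reason"] = reason or None
        db[int(serial, 16)] = rec
    return db


def cert_status(db, serial):
    """Map a record to the OCSP CertStatus to return: (status, revocation time).

    'E' (expired) is still 'good': OCSP reports revocation, not validity period.
    A serial the CA never issued is 'unknown', never 'good'.
    """
    rec = db.get(serial)
    if rec is None:
        return "unknown", None
    if rec["status"] == "R":
        return "revoked", rec["revoked_at"]
    return "good", None


class IndexDatabase:
    """index.txt loader that re-parses the file whenever it changes on disk.

    `openssl ca` rewrites index.txt through index.txt.new plus a rename, so the
    inode, size and mtime all move; any one of them changing triggers a reload.
    """

    def __init__(self, path):
        self.path = path
        self._fingerprint = None
        self._db = {}

    def lookup(self, serial):
        st = os.stat(self.path)
        fp = (st.st_ino, st.st_size, st.st_mtime_ns)
        if fp != self._fingerprint:
            with open(self.path, encoding="utf-8") as f:
                self._db = parse_index(f.read())
            self._fingerprint = fp
        return cert_status(self._db, serial)


def _write_index_atomically(path, text):
    # Same pattern openssl ca uses: write index.txt.new, then rename over index.txt.
    tmp = path + ".new"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(text)
    os.replace(tmp, path)


def demo_reload():
    """Revoke serial 0x1009 between two lookups; returns the two statuses seen."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.txt")
        _write_index_atomically(path, "V\t140718160000Z\t\t1009\tunknown\t/CN=bob\n")
        db = IndexDatabase(path)
        before = db.lookup(0x1009)[0]
        _write_index_atomically(path, "R\t140718160000Z\t130718161218Z\t1009\tunknown\t/CN=bob\n")
        after = db.lookup(0x1009)[0]
    return before, after


if __name__ == "__main__":
    print(demo_reload())  # ('good', 'revoked'), with no responder restart in between
```

Two caveats a practitioner would want. The reload test here is cheap because it is a stat() per request, but a responder built on it still has everything else to do (request parsing, nonce handling, signing with the responder key, and the concurrency the reply mentions). And if rewriting is not an option, `openssl ocsp` has a `-nrequest` option that makes it exit after a fixed number of requests, so a shell loop that restarts it gives a fresh read of index.txt per request at the price of a short gap between requests; that is a lab workaround, not a production responder.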