Hi,
you could run the OCSP responder coming with the strongSwan pki tool
https://docs.strongswan.org/docs/5.9/pki/pkiOcsp.html
used by the following ocsp.cgi script:
#!/bin/bash
# CGI wrapper: Apache hands the DER-encoded OCSP request to this script on stdin
cd /etc/openxpki/tls
# CGI response header, followed by the blank line that ends the header block
echo "Content-type: application/ocsp-response"
echo ""
# pki reads the request from stdin and writes the DER-encoded response to stdout;
# --lifetime bounds the validity period of the signed response
pki --ocsp --respond --lifetime 10 --debug 0 \
--cacert chain/cacert.pem --cert ocsp/cert.pem --key ocsp/key.pem
strongSwan version 5.9.12 or newer is required. The pki tool is based on the
libstrongswan library and needs the openxpki plugin
https://docs.strongswan.org/docs/5.9/plugins/openxpki.html
plus the mysql plugin in order to directly access the OpenXPKI MariaDB database.
I could make strongSwan 5.9.14 binaries for Debian 12 available as a tarball
if you don't want to build them yourself.
The Apache2 configuration file ocsp.conf
# Treat *.cgi files as CGI programs
AddHandler cgi-script .cgi
<VirtualHost *:80>
    ServerName ocsp.example.com
    DocumentRoot /var/www
    # Every request path on this vhost is handled by the OCSP CGI script
    ScriptAlias / /usr/lib/cgi-bin/ocsp.cgi
    ErrorLog /var/log/apache2/ocsp/error_log
    CustomLog /var/log/apache2/ocsp/access_log combined
</VirtualHost>
<Directory "/usr/lib/cgi-bin/">
    AllowOverride None
    Options +ExecCGI
    # Order/Allow are the Apache 2.2 access-control directives (mod_access_compat on 2.4);
    # Require all granted is the Apache 2.4 equivalent
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
makes the OCSP server http://ocsp.example.com co-located on the
OpenXPKI server listen on HTTP port 80 for OCSP requests.
Kind regards
Andreas
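As an added example (not the script from this post, and not anything shipped by strongSwan or OpenXPKI), here is a hardened variant of the same CGI wrapper that checks the request method, media type and body size before any bytes are piped to pki. It assumes the script's /etc/openxpki/tls layout and pki options; OCSP_DIR and OCSP_RESPONDER are hypothetical environment overrides added for testing.

```shell
#!/bin/bash
# Hardened CGI wrapper for the strongSwan pki OCSP responder (added example).
# Assumptions: the /etc/openxpki/tls layout and pki options of the original script;
# OCSP_DIR and OCSP_RESPONDER are hypothetical overrides used here for testing.
set -u
OCSP_DIR="${OCSP_DIR:-/etc/openxpki/tls}"
MAX_REQUEST_BYTES=4096   # a DER OCSP request is a few hundred bytes; cap the body

# The responder proper: identical to the pki invocation in the original script.
respond_with_pki() {
    cd "$OCSP_DIR" && pki --ocsp --respond --lifetime 10 --debug 0 \
        --cacert chain/cacert.pem --cert ocsp/cert.pem --key ocsp/key.pem
}

# Emit an HTTP error through the CGI "Status:" header without touching the responder.
cgi_error() {
    printf 'Status: %s\nContent-type: text/plain\n\n%s\n' "$1" "$2"
}

# Validate the CGI environment (REQUEST_METHOD, CONTENT_TYPE, CONTENT_LENGTH)
# before any bytes reach pki. Prints the HTTP status to use; "200 OK" means accept.
check_request() {
    local method="${REQUEST_METHOD:-}" ctype="${CONTENT_TYPE:-}" clen="${CONTENT_LENGTH:-}"
    [ "$method" = "POST" ] || { echo "405 Method Not Allowed"; return; }
    case "$ctype" in
        application/ocsp-request*) ;;
        *) echo "415 Unsupported Media Type"; return ;;
    esac
    case "$clen" in
        ''|*[!0-9]*) echo "411 Length Required"; return ;;
    esac
    [ "$clen" -le "$MAX_REQUEST_BYTES" ] || { echo "413 Payload Too Large"; return; }
    echo "200 OK"
}

# CGI entry point: reject early, otherwise forward exactly CONTENT_LENGTH bytes.
ocsp_cgi() {
    local status responder="${OCSP_RESPONDER:-respond_with_pki}"
    status="$(check_request)"
    if [ "$status" != "200 OK" ]; then
        cgi_error "$status" "OCSP request rejected"
        return 1
    fi
    echo "Content-type: application/ocsp-response"
    echo ""
    head -c "$CONTENT_LENGTH" | "$responder"
}

# Run the CGI path only when installed under the name Apache calls (ocsp.cgi).
case "${0##*/}" in ocsp.cgi) ocsp_cgi ;; esac
```

Rejected requests are answered with a real HTTP status via the CGI Status: header, so they show up as 405/413/415 in the Apache access log instead of as pki parse errors.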
On 14.08.24 12:19, Martin Bartosch via OpenXPKI-users wrote:
Hi,
Can someone help me or tell me which OCSP I can take? I read that one of EJBCA
took it.
You can use any OCSP responder that either reads a standard CRL or accesses the
OpenXPKI database.
Personally I tried the EJBCA OCSP responder some time ago and I am not too fond
of it. It's a huge, sluggish and resource-hungry beast.
For OpenXPKI Enterprise Edition we offer an extremely efficient and blazingly
fast OCSP responder that accesses the OpenXPKI database and which also can be
easily operated distributed. However, this is not available for the Community
Edition.
Does anyone have an idea? And what is the easiest way to get the CRL list
exported without accessing the WebGui?
Configure the CRL publishing connector as required. The default configuration
already writes the CRL to the file system, so you can simply use that. Automate
CRL issuance by invoking the crl_issuance workflow for the desired realm via
openxpkicmd crl_issuance --realm REALM
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================