Hey Steffen,
Thank you for the helpful tip. Can you send me a tarball? It would be the
easiest option.


Andreas Steffen <andreas.stef...@strongswan.org> wrote on Sat, 17 Aug 2024
at 15:02:

> Hi,
>
> you could run the OCSP responder coming with the strongSwan pki tool
>
>    https://docs.strongswan.org/docs/5.9/pki/pkiOcsp.html
>
> used by the following ocsp.cgi script:
>
> #!/bin/bash
>
> cd /etc/openxpki/tls
>
> echo "Content-type: application/ocsp-response"
> echo ""
>
> cat | pki --ocsp --respond --lifetime 10 --debug 0 \
>            --cacert chain/cacert.pem --cert ocsp/cert.pem --key ocsp/key.pem
>
> strongSwan version 5.9.12 or newer is required. The pki tool is based on
> the libstrongswan library and needs the openxpki plugin
>
>   https://docs.strongswan.org/docs/5.9/plugins/openxpki.html
>
> plus the mysql plugin in order to directly access the OpenXPKI MariaDB
> database.
> I could make strongSwan 5.9.14 binaries for Debian 12 available as a
> tarball if you don't want to build them yourself.
>
> The Apache2 configuration file ocsp.conf
>
> AddHandler cgi-script .cgi
>
> <VirtualHost *:80>
>
>      ServerName   ocsp.example.com
>      DocumentRoot /var/www
>
>      ScriptAlias /  /usr/lib/cgi-bin/ocsp.cgi
>
>      ErrorLog     /var/log/apache2/ocsp/error_log
>      CustomLog    /var/log/apache2/ocsp/access_log combined
> </VirtualHost>
>
> <Directory "/usr/lib/cgi-bin/">
>      AllowOverride None
>      Options +ExecCGI
>      Order allow,deny
>      Allow from all
>      Require all granted
> </Directory>
>
> makes the OCSP server http://ocsp.example.com co-located on the
> OpenXPKI server listen on HTTP port 80 for OCSP requests.
>
> Kind regards
>
> Andreas
>
> On 14.08.24 12:19, Martin Bartosch via OpenXPKI-users wrote:
> > Hi,
> >
> >> Can someone help me or tell me which OCSP I can take. I read that one
> >> of EJBCA took it.
> >
> > You can use any OCSP responder that either reads a standard CRL or
> > accesses the OpenXPKI database.
> >
> > Personally I tried the EJBCA OCSP responder some time ago and I am not
> > too fond of it. It's a huge, sluggish and resource-hungry beast.
> >
> > For OpenXPKI Enterprise Edition we offer an extremely efficient and
> > blazingly fast OCSP responder that accesses the OpenXPKI database and
> > which also can be easily operated distributed. However, this is not
> > available for the Community Edition.
> >
> >> Does anyone have an idea? And what is the easiest way to get the CRL
> >> list exported without accessing the WebGui?
> >
> > Configure the CRL publishing connector as required. The default
> > configuration already writes the CRL to the file system, so you can
> > simply use that. Automate CRL issuance by invoking the crl_issuance
> > workflow for the desired realm via
> >
> > openxpkicmd crl_issuance --realm REALM
> >
> > Cheers
> >
> > Martin
> >
> >
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > OpenXPKI-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> strongSec GmbH, 8952 Schlieren (Switzerland)
> ======================================================================
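The following is an added example, not part of the original message and not strongSwan or OpenXPKI code: a variant of the quoted ocsp.cgi wrapper that checks the HTTP method, content type and length before the request reaches pki. The function names, the 4096-byte limit and the POST-only behaviour are assumptions; the pki options are the ones given in the e-mail.

```shell
#!/bin/bash
# Added example, not from the original e-mail: the quoted ocsp.cgi with request checks.
# validate_request, handle_request and MAX_REQUEST_BYTES are hypothetical names.

MAX_REQUEST_BYTES=4096   # assumption: generous upper bound for an OCSP request

# Prints an HTTP status and returns 1 if the request should be rejected.
validate_request() {
    method=$1 ctype=$2 clen=$3
    # The quoted script reads the request from stdin, so only POST bodies are served.
    [ "$method" = "POST" ] || { echo "405 Method Not Allowed"; return 1; }
    [ "$ctype" = "application/ocsp-request" ] || { echo "415 Unsupported Media Type"; return 1; }
    # Content-Length must be a plain decimal number.
    case $clen in
        ''|*[!0-9]*) echo "411 Length Required"; return 1 ;;
    esac
    # Check the digit count first so an oversized number never reaches the integer test.
    if [ "${#clen}" -gt 6 ] || [ "$clen" -gt "$MAX_REQUEST_BYTES" ]; then
        echo "413 Payload Too Large"; return 1
    fi
    [ "$clen" -gt 0 ] || { echo "400 Bad Request"; return 1; }
    return 0
}

handle_request() {
    if ! status=$(validate_request "${REQUEST_METHOD:-}" "${CONTENT_TYPE:-}" "${CONTENT_LENGTH:-}"); then
        printf 'Status: %s\nContent-type: text/plain\n\n%s\n' "$status" "$status"
        return 0
    fi
    cd /etc/openxpki/tls || { printf 'Status: 500 Internal Server Error\n\n'; return 0; }
    echo "Content-type: application/ocsp-response"
    echo ""
    # Pass exactly Content-Length bytes to the responder, with the options from the e-mail.
    head -c "$CONTENT_LENGTH" | pki --ocsp --respond --lifetime 10 --debug 0 \
        --cacert chain/cacert.pem --cert ocsp/cert.pem --key ocsp/key.pem
}

# Apache sets GATEWAY_INTERFACE for CGI; sourcing the file only defines the functions.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request
fi
```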
