Re: [Openca-Users] OCSP

[<nic...@ly...>]

Hi Massimiliano,

i'd like to enter OpenCA-Heaven too, if I may? ;-)

So far everything I made was quite o.k., but what do I have to use 
regarding ocspd.conf?
My comments I marked with beginning ***

snip
*** my $PREFIX is RA
dir              = /RA/etc/ocspd                # Where everything is kept
*** do I have to generate the index.txt file and if yes, what does it have 
to contain?
*** I assumed it is automaticaly generated
db               = $dir/index.txt               # database index file.
md               = sha1
*** guess public CA-cert, public ocspd-cert with OCSPSigning (see pls next 
snipp...snap)
ca_certificate    = $dir/certs/cacert.pem       # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem   # The OCSP server cert
ocspd_key         = $dir/private/ocspd_key.pem  # The OCSP server key
pidfile           = $dir/ocspd.pid              # Main process pid
*** created corresponding user and group
user                    = ocspd
group                   = daemon
bind                    = *
port                    = 2560
max_childs_num          = 5
clients_per_server      = 100                   # Not used
max_req_size            = 8192
request          = ocsp_req             # Default OCSP request section
response         = ocsp_response        # Default OCSP response section
####################################################################
[ ocsp_req ]
*** do I have to generate this key or will it be generated automaticaly
*** I assumed it contains the key of the requester or the request itself?
default_keyfile         = key.pem
####################################################################
[ ocsp_response ]
dir                     = /RA/etc/ocspd
*** don't understand this one ???
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days        = 0
next_update_mins        = 5
snap

snip
basicConstraints=CA:FALSE
# For an object signing certificate this would be used.
*** do I better uncomment this
#nsCertType = objsign
*** do I have to activate nsCertType
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, 
dataEncipherment
*** copied the $PREFIX/OpenCA/etc/openssl/Web_Server.ext to 
OCSPResponder.ext and added OCSPSigning to extendedKeyUsage
*** do I have to remove serverAuth??? 
extendedKeyUsage = serverAuth, OCSPSigning
nsComment               = "WWW-Server of Lynx-Consulting AG"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=${ENV::subjectAltName}
issuerAltName=issuer:copy
nsCaRevocationUrl       = http://ra.lynx.de/pub/crl/cacrl.crl
nsRevocationUrl         = http://ra.lynx.de/pub/crl/cacrl.crl
crlDistributionPoints   = URI:http://ra.lynx.de/pub/crl/cacrl.crl
snap

Do I have to start $PREFIX/etc/init.d/rcd.ocspd manually or via inetd?
I had to alter $PREFIX/etc/init.d/rcd.ocspd and make it executable because there were no function directory! Is that o.k.?
snip
# Source function library.
#. /etc/rc.d/init.d/functions
snap

When I am starting $PREFIX/etc/init.d/rcd.ocspd manually I get:
Starting OCSP Responder: ./rcd.ocspd: line 45: 13095 Segmentation fault  
$ocspd -c $conf -v -d 
Done.  

Best Thanks

cu2

Nick