From: <nic...@ly...> - 2003-05-26 15:19:51
Hi Massimiliano,

I'd like to enter OpenCA-Heaven too, if I may? ;-)

So far everything I made was quite o.k., but what do I have to use regarding ocspd.conf? My comments I marked with beginning ***

snip

*** my $PREFIX is RA
dir = /RA/etc/ocspd                            # Where everything is kept

*** do I have to generate the index.txt file and if yes, what does it have to contain?
*** I assumed it is automatically generated
db = $dir/index.txt                            # database index file.
md = sha1

*** guess public CA-cert, public ocspd-cert with OCSPSigning (see pls next snipp...snap)
ca_certificate = $dir/certs/cacert.pem         # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem  # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem         # The OCSP server key
pidfile = $dir/ocspd.pid                       # Main process pid

*** created corresponding user and group
user = ocspd
group = daemon

bind = *
port = 2560
max_childs_num = 5
clients_per_server = 100                       # Not used
max_req_size = 8192

request = ocsp_req                             # Default OCSP request section
response = ocsp_response                       # Default OCSP response section

####################################################################
[ ocsp_req ]
*** do I have to generate this key or will it be generated automatically
*** I assumed it contains the key of the requester or the request itself?
default_keyfile = key.pem

####################################################################
[ ocsp_response ]
dir = /RA/etc/ocspd
*** don't understand this one ???
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days = 0
next_update_mins = 5

snap

snip

basicConstraints=CA:FALSE
# For an object signing certificate this would be used.
*** do I better uncomment this
#nsCertType = objsign
*** do I have to activate nsCertType
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
*** copied the $PREFIX/OpenCA/etc/openssl/Web_Server.ext to OCSPResponder.ext and added OCSPSigning to extendedKeyUsage
*** do I have to remove serverAuth???
extendedKeyUsage = serverAuth, OCSPSigning
nsComment = "WWW-Server of Lynx-Consulting AG"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=${ENV::subjectAltName}
issuerAltName=issuer:copy
nsCaRevocationUrl = http://ra.lynx.de/pub/crl/cacrl.crl
nsRevocationUrl = http://ra.lynx.de/pub/crl/cacrl.crl
crlDistributionPoints = URI:http://ra.lynx.de/pub/crl/cacrl.crl

snap

Do I have to start $PREFIX/etc/init.d/rcd.ocspd manually or via inetd?

I had to alter $PREFIX/etc/init.d/rcd.ocspd and make it executable because there was no function directory! Is that o.k.?

snip
# Source function library.
#. /etc/rc.d/init.d/functions
snap

When I am starting $PREFIX/etc/init.d/rcd.ocspd manually I get:

Starting OCSP Responder: ./rcd.ocspd: line 45: 13095 Segmentation fault      $ocspd -c $conf -v -d
Done.

Best Thanks
cu2
Nick
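A worked example added here, not taken from Nick's mail or from OpenCA's ocspd: a small Python reader for the db file the config points at, showing what a responder does with each record to decide between good, revoked and unknown. It assumes ocspd expects the OpenSSL `ca` index.txt layout (tab-separated status, expiry, revocation time with optional reason, serial, filename, subject); the three sample entries are constructed.

```python
from dataclasses import dataclass

# Constructed sample in the OpenSSL `ca` index.txt layout, assumed here to be what
# ocspd reads for `db = $dir/index.txt`. Tab-separated fields:
# status (V/R/E), expiry, revocation time[,reason], serial (hex), filename, subject
SAMPLE_INDEX = (
    "V\t040526151951Z\t\t01\tunknown\t/C=DE/O=Example/CN=ra.example.test\n"
    "R\t040526151951Z\t030520101500Z,keyCompromise\t02\tunknown\t/C=DE/O=Example/CN=old-host\n"
    "E\t030101000000Z\t\t03\tunknown\t/C=DE/O=Example/CN=expired-host\n"
)

@dataclass
class IndexEntry:
    status: str                 # V = valid, R = revoked, E = expired
    expiry: str                 # UTCTime, e.g. 040526151951Z
    revoked_at: "str | None"    # UTCTime of revocation, None unless status is R
    reason: "str | None"        # CRL reason recorded after the comma, if any
    serial: str
    subject: str

def norm_serial(serial):
    # Canonical hex form so "01" and "1" select the same entry.
    return serial.strip().upper().lstrip("0") or "0"

def parse_index(text):
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:                      # "time" or "time,reason"
            revoked_at, _, reason = revocation.partition(",")
            reason = reason or None
        entries[norm_serial(serial)] = IndexEntry(status, expiry, revoked_at, reason, serial, subject)
    return entries

def ocsp_status(entries, serial):
    # Map a db entry to the OCSP certStatus a responder reports for this serial.
    entry = entries.get(norm_serial(serial))
    if entry is None:
        return "unknown"   # the db has no record of this serial
    if entry.status == "R":
        return "revoked"
    return "good"          # V and E: not revoked; validity dates are the client's check
```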