From: Wytze v. d. R. <wr...@us...> - 2014-09-04 13:40:11

Hi Sylvain,

On 09/03/2014 05:43 PM, Sylvain Munaut wrote:
> I'm trying to set up the responder to respond on behalf of several CAs.
> Each OCSP signing cert has a different key pair.
>
> So I configured several tokens and appropriately point to them in the
> ca.d/*.xml files for the various CAs I'm trying to support.
>
> But it's always the default one that's used. And looking at the code,
> it clearly seems wrong:
>
> The make_ocsp_response method looks for a CA-specific token and the
> debug output confirms it finds it. Then that 'tk' pointer is used
> nowhere ... when calling sign_ocsp_response, only signCert is given
> (which is NULL since it's only set for multiple certs using the default
> token) and then sign_ocsp_responses just takes the conf->tk ....

Yes, this is a long-standing problem with the OpenCA ocspd implementation.

My work-around is to use the *same* key for generating the CSRs for each OCSP signing certificate of your set of CAs. Then it does not matter anymore that OpenCA always uses the default key; they are all the same anyway.

But clearly a solution in the code base would be preferable. It looks though like that would require quite a bit of code rework.

Regards,
Wytze van der Raay