diff -Naurp openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 openca-ocspd-1.7.0.new/docs/ocspd.conf.3
--- openca-ocspd-1.7.0.orig/docs/ocspd.conf.3	2008-02-15 00:24:15.000000000 +0100
+++ openca-ocspd-1.7.0.new/docs/ocspd.conf.3	2013-11-04 20:08:27.870767852 +0100
@@ -218,7 +218,7 @@ Following is a sample configuration file
 \& group                   = daemon
 \& bind                    = *
 \& port                    = 2560
-\& max_childs_num          = 5
+\& threads_num             = 150
 \& max_req_size            = 8192
 .Ve
 .PP
@@ -261,7 +261,7 @@ Following is a sample configuration file
 \& [ dbms_ldap ]
 .Ve
 .PP
-.Vb 31
+.Vb 33
 \& # It is possible to use an URI to identify a CRL and/or the
 \& # CA certificate, the general format is:
 \& #
@@ -281,18 +281,21 @@ Following is a sample configuration file
 \& #
 \& # You can have the CRLs/CA certificates on a simple file
 \& #    crl_url = file:///usr/local/etc/ocspd/crl.pem
+\& #    ca_url = file:///usr/local/etc/ocspd/ca.pem
 \& #
 \& # You can retrieve the CRLs/CA certificates from a web server
-\& #    crl_urt = http://server/ca/cacert.der
+\& #    crl_url = http://server/ca/cacert.crl.der
+\& #    ca_url = http://server/ca/cacert.der
 \& #
 \& # You can store the CRL into an LDAP server, simply
 \& # store it in certificateRevocationList;binary attribute
 \& #
-\& # There are different way, all legal, to specify the CRL
+\& # There are different way, all legal, to specify the CRL/CA
 \& # URL address:
 \& # crl_url = ldap://user:pwd@ldap.server.org:389
 \& # crl_url = ldap://ldap.server.org:389
 \& crl_url = ldap://localhost
+\& ca_url = ldap://localhost
 .Ve
 .PP
 .Vb 5
@@ -303,6 +306,46 @@ Following is a sample configuration file
 \&                                             o=Organization, c=IT"
 .Ve
 .PP
+.Vb 12
+\& # To retrieve the CRL from LDAP the attribute where it is stored is to
+\& # be specified. Usually this should be set to:
+\& #
+\& #     certificateRevocationList;binary
+\& #
+\& # anyway existing LDAP installations or new standards can mandate
+\& # for different attributes for storing CRLs into. Use this parameter
+\& # to specify the attribute used to retrieve the CRL from.
+\& #
+\& # This option is needed only if the CRL is stored on LDAP
+\& crl_entry_attribute = "certificateRevocationList;binary"
+.Ve
+.PP
+.Vb 8
+\& # We need the CA certificate for every CA we support. Upon loading
+\& # the CRL and the CA certificate a simple check is made to ensure
+\& # the CRL/CA certificate matching. Also the CA certificate is used
+\& # to retrieve the CID used to identify the certificate being
+\& # requested by the client (CID of the Issuer + serial Number).
+\& # Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+\& ca_url  = ldap://localhost
+.Ve
+.PP
+.Vb 3
+\& # DN where the cACertificate;binary value can be downloaded
+\& # This option is needed only if the CA Certificate is stored on LDAP
+\& ca_entry_dn = "o=Organisation, c=IT"
+.Ve
+.PP
+.Vb 2
+\& # This is the attribute used to store the CA.
+\& ca_entry_attribute = "caCertificate;binary"
+.Ve
+.PP
+.Vb 2
+\& # Server Certificate to attach to the response
+\& server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+.Ve
+.PP
 .Vb 2
 \& ####################################################################
 \& [ dbms_file ]
@@ -371,6 +414,11 @@ to every available interface, simply use
 .IP "\fBport\fR" 6
 .IX Item "port"
 specifies the port to listen to.
+.IP "\fBmax_req_size\fR" 6
+.IX Item "max_req_size"
+Maximum size of received request, if a received request is bigger it
+will be trashed. Usually simple requests are 200/300 bytes long (more
+or less).
 .IP "\fBthreads_num\fR" 6
 .IX Item "threads_num"
 Number of threads that shall be created at startup time, the
@@ -381,6 +429,21 @@ and processors.
 From version 1.5+ the server is not pre\-forked, instead it is
 a pre-threaded one. In order to run the server needs support
 for \s-1POSIX1\s0.c as found in most modern UNiX systems.
+.IP "\fBmax_client_num\fR" 6
+.IX Item "max_client_num"
+Length of the system's listen() queue. Up to this number of not-yet-served
+connection requests are queued by the system. Additional ones are dropped.
+Default is 30.
+.IP "\fBmax_timeout_secs\fR" 6
+.IX Item "max_timeout_secs"
+Max timeout for request receiving. If a request is not received
+within the specified number of seconds then the socket is closed
+in order to free unused threads. If not set, the default value
+is 5 seconds.
+.IP "\fBhttp_proto\fR" 6
+.IX Item "http_proto"
+ HTTP protocol version to be required. If 1.1 is specified, then
+the "Host: <addr>" name is also used in the header of HTTP GET requests.
 .IP "\fBchroot_dir\fR" 6
 .IX Item "chroot_dir"
 Chroot the application into the specified directory, watch
@@ -392,11 +455,24 @@ privileges dropping, privileges will not
 error will be written in the logfile, but the server will
 continue to run assuming the \fIchroot()\fR is sufficiently isolated
 to prevent abuse of the machine.
-.IP "\fBmax_req_size\fR" 6
-.IX Item "max_req_size"
-maximum size of received request, if a received request is bigger it
-will be trashed. Usually simple requests are 200/300 bytes long (more
-or less).
+.IP "\fBcrl_auto_reload\fR" 6
+.IX Item "crl_auto_reload"
+Auto Reload interval of CRL in seconds. If set to 0 or not present, to
+reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
+to the parent process.
+.IP "\fBcrl_check_validity\fR" 6
+.IX Item "crl_check_validity"
+CRL validity check period in seconds. If this parameter is set to #n
+then the CRL is checked every #n secs and if the CRL's validity
+period is expired then all the responses will be set to 'unknown'.
+If is set to '0' or not specified, all
+responses will be based on the loaded CRL, no matter if it
+is expired or not.
+.IP "\fBcrl_reload_expired\fR" 6
+.IX Item "crl_reload_expired"
+If the currently loaded CRL is expired, reload it. Set this parameter to "yes"
+only if you are sure that the new CRL will be issued and put
+in the crl_url location.
 .RE
 .IP "\fBrequest section\fR"
 .IX Item "request section"
diff -Naurp openca-ocspd-1.7.0.orig/etc/ocspd.conf.in openca-ocspd-1.7.0.new/etc/ocspd.conf.in
--- openca-ocspd-1.7.0.orig/etc/ocspd.conf.in	2013-11-04 19:06:08.816610001 +0100
+++ openca-ocspd-1.7.0.new/etc/ocspd.conf.in	2013-11-04 19:19:28.046227727 +0100
@@ -135,7 +135,7 @@ ocsp_add_response_keyid	= yes
 # NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
 # case the nextUpdate field is missing. It is therefore suggested
 # to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
-# software correclty work with OCSP enabled.
+# software correctly work with OCSP enabled.
 next_update_days	= 0
 next_update_mins	= 5
 
@@ -185,11 +185,16 @@ crl_entry_attribute = "certificateRevoca
 # the CRL/CA certificate matching. Also the CA certificate is used
 # to retrieve the CID used to identify the certificate being
 # requested by the client (CID of the Issuer + serial Number).
-# 
+# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+ca_url  = ldap://localhost
+
 # DN where the cACertificate;binary value can be downloaded
 # This option is needed only if the CA Certificate is stored on LDAP
 ca_entry_dn = "o=Organisation, c=IT"
 
+# This is the attribute used to store the CA.
+ca_entry_attribute = "caCertificate;binary"
+
 # Server Certificate to attach to the response
 server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
 
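Review bot: The new shipped default `ca_url = ldap://localhost` fetches the CA certificate — which the comment just above describes as the thing the loaded CRL is matched against and the source of the issuer CID — over plain, unauthenticated LDAP, so whoever answers on that endpoint controls which issuer/CRL pair the responder accepts. The added comment should carry that caveat; I would extend it with `# The CA certificate is the trust anchor the CRL is checked against: load it from a local file:// path or from an LDAP/HTTP source whose integrity you control, not from an unauthenticated network endpoint you do not administer.` Whether ocspd verifies the CRL signature beyond the "simple check" mentioned cannot be confirmed from this hunk, so the wording is deliberately about where the anchor comes from rather than what the daemon validates. The section header enclosing these keys is outside the hunk.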
diff -Naurp openca-ocspd-1.7.0.orig/examples/ocspd.conf openca-ocspd-1.7.0.new/examples/ocspd.conf
--- openca-ocspd-1.7.0.orig/examples/ocspd.conf	2013-11-04 19:06:08.816610001 +0100
+++ openca-ocspd-1.7.0.new/examples/ocspd.conf	2013-11-04 19:31:23.822329525 +0100
@@ -32,7 +32,38 @@ port		 	= 2560
 # Max size of accepted requests. Data connection will be closed
 # in case this size will be reached.
 max_req_size	 	= 8192
-max_childs_num		= 1
+
+# Number of threads that shall be created at startup time, the
+# more threads, the better for handling very high traffic. We
+# expect to have better performances on multi-threaded machines
+# and processors.
+threads_num		= 150
+
+# Size of the system listen() queue. This allows buffering connection
+# requests for later processing when all threads are already busy.
+#max_client_num		= 30
+
+# Max timeout for request receiving. If a request is not received
+# within the specified number of seconds then the socket is closed
+# in order to free unused threads. If not set, the default value
+# is 5 seconds
+max_timeout_secs	= 5
+
+# HTTP protocol version to be required. If 1.1 is specified, then
+# the "Host: <addr>" name is also used in the header of HTTP GET
+# requests
+http_proto		= 1.1
+
+# Chroot the application into the specified directory, whatch
+# out because if you chroot the application, all the paths
+# should be relative to the new root for CRL reloading or
+# (better solution) you have to download the CRLs from HTTP or
+# LDAP. If you chroot and you do not provide support for
+# privileges dropping, privileges will not be dropped and an
+# error will be written in the logfile, but the server will
+# continue to run assuming the chroot() is sufficiently isolated
+# to prevent abuse of the machine.
+#chroot_dir		= /etc/ocspd
 
 # Auto Reload interval of CRL (if set to 0 or not present, to
 # reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
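Review bot: The new `chroot_dir` commentary states that if privilege dropping is unsupported the server logs an error and keeps running on the assumption that the chroot is "sufficiently isolated"; a process that is still root inside a chroot is not meaningfully confined, so the example should not present that outcome as acceptable. I would add above `#chroot_dir = /etc/ocspd`: `# NOTE: a chroot does not confine a process that still runs as root. Set user/group so the privilege drop succeeds, and treat a "privileges not dropped" error in the log as a misconfiguration to fix, not a warning to ignore.` The example also chroots into /etc/ocspd, presumably the directory holding this configuration and the server_cert referenced later; a dedicated, otherwise-empty directory is the usual choice and worth suggesting in the comment. Minor: `whatch` should read `watch`.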
@@ -100,6 +131,11 @@ ocsp_add_response_keyid	= yes
 # in the OCSP response will be left NULL indicating new data
 # can be made available anytime (this is true if you are issuing
 # new CRLs every time a revocation takes place)
+#
+# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
+# case the nextUpdate field is missing. It is therefore suggested
+# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
+# software correctly work with OCSP enabled.
 next_update_days	= 0
 next_update_mins	= 5
 
@@ -113,6 +149,9 @@ next_update_mins	= 5
 # You can have the CRL on a simple file
 # crl_url = file:///etc/ocspd/crls/crl.pem
 
+# You can have the CRL retrieved from an HTTP server
+# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl
+
 # You can store the CRL into an LDAP server, simply
 # store it in certificateRevocationList;binary attribute
 #
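Review bot: The new example URL `crl_url = http://[user[:pwd]@]server[:port]/path_to_crl` invites operators to embed HTTP credentials in clear text in the configuration file, with no mention of restricting who can read the file; the same applies to the `ldap://user:pwd@` form already documented for LDAP. I would add below it: `# If you embed credentials in the URL, make this file readable only by the ocspd user (e.g. mode 0600). A CRL is signed, so an unauthenticated distribution point is usually preferable to storing a password here.` The last sentence assumes ocspd checks the CRL against the CA certificate (the comments elsewhere call this a "simple check"), which should be confirmed before shipping the wording.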
@@ -146,11 +185,18 @@ crl_entry_attribute = "certificateRevoca
 # the CRL/CA certificate matching. Also the CA certificate is used
 # to retrieve the CID used to identify the certificate being
 # requested by the client (CID of the Issuer + serial Number).
-# 
+# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+ca_url  = ldap://localhost
+
 # DN where the cACertificate;binary value can be downloaded
 # This option is needed only if the CA Certificate is stored on LDAP
 ca_entry_dn = "o=Organisation, c=IT"
 
+# This is the attribute used to store the CA.
+ca_entry_attribute = "caCertificate;binary"
+
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
 
 ####################################################################
 [ dbms_file ]
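Review bot: The example now activates `ca_url = ldap://localhost` (not commented out) alongside the placeholder `ca_entry_dn = "o=Organisation, c=IT"`, whereas the per-CA `[first_ca]` and `[second_ca]` sections further down in the same file obtain the CA certificate from `file://` paths; someone copying this example as-is gets a live LDAP lookup on localhost for the trust anchor of this block. Since the neighbouring values are illustrative, I would either comment the key out (`#ca_url = ldap://localhost`) or add `# Example only: prefer a local file:// CA certificate as in the [first_ca] section below.` The section header enclosing these keys lies outside the hunk, so which block they belong to is inferred from the hunk's `crl_entry_attribute` context.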
@@ -164,12 +210,15 @@ ca_entry_dn = "o=Organisation, c=IT"
 [ first_ca ]
 
 # You can have the CRL on a simple file in PEM format
-crl_url = file:///etc/ocspd/crls/crl_07.crl
+crl_url = file:///etc/ocspd/crls/crl_01.crl
 
 # We need the CA certificate for every supported CRL
 # ca_url  = file:///etc/ocspd/certs/1st_cacert.pem
 ca_url  = file:///etc/ocspd/certs/cacert.pem
 
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+
 ####################################################################
 [ second_ca ]
 
@@ -179,6 +228,9 @@ crl_url = file:///etc/ocspd/crls/crl_01.
 # We need the CA certificate for every supported CRL
 ca_url  = file:///etc/ocspd/certs/2nd_cacert.pem
 
+# Server Certificate to attach to the response
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+
 ####################################################################
 [ HSM ]
 
@@ -207,9 +259,10 @@ engine_id = LunaCA3
 # high application id 10, low app id 11 and password "myPassword"
 1.engine_pre = login:1:10:11:myPassword
 
-# Some HSMs need to perform commands before the application can exit
-# it is therefore available the 'engine_post' option. Usage and format
+# Some HSMs need to perform commands after the ENGINE initialisation
+# which are taken from the 'engine_post' option. Usage and format
 # is exactly the same as 'engine_pre', the difference is that commands
-# are sent to the HSM just before server shutdown.
+# are sent to the HSM after the ENGINE_init() function. Refer to your
+# HSM documentation for more informations
 # 0.engine_post = logout:1:10:11