diff -Naurp openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 openca-ocspd-1.7.0.new/docs/ocspd.conf.3
--- openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 2008-02-15 00:24:15.000000000 +0100
+++ openca-ocspd-1.7.0.new/docs/ocspd.conf.3 2013-11-04 20:08:27.870767852 +0100
@@ -218,7 +218,7 @@ Following is a sample configuration file
\& group = daemon
\& bind = *
\& port = 2560
-\& max_childs_num = 5
+\& threads_num = 150
\& max_req_size = 8192
.Ve
.PP
@@ -261,7 +261,7 @@ Following is a sample configuration file
\& [ dbms_ldap ]
.Ve
.PP
-.Vb 31
+.Vb 33
\& # It is possible to use an URI to identify a CRL and/or the
\& # CA certificate, the general format is:
\& #
@@ -281,18 +281,21 @@ Following is a sample configuration file
\& #
\& # You can have the CRLs/CA certificates on a simple file
\& # crl_url = file:///usr/local/etc/ocspd/crl.pem
+\& # ca_url = file:///usr/local/etc/ocspd/ca.pem
\& #
\& # You can retrieve the CRLs/CA certificates from a web server
-\& # crl_urt = http://server/ca/cacert.der
+\& # crl_url = http://server/ca/cacert.crl.der
+\& # ca_url = http://server/ca/cacert.der
\& #
\& # You can store the CRL into an LDAP server, simply
\& # store it in certificateRevocationList;binary attribute
\& #
-\& # There are different way, all legal, to specify the CRL
+\& # There are different way, all legal, to specify the CRL/CA
\& # URL address:
\& # crl_url = ldap://user:pwd@ldap.server.org:389
\& # crl_url = ldap://ldap.server.org:389
\& crl_url = ldap://localhost
+\& ca_url = ldap://localhost
.Ve
.PP
.Vb 5
@@ -303,6 +306,46 @@ Following is a sample configuration file
\& o=Organization, c=IT"
.Ve
.PP
+.Vb 12
+\& # To retrieve the CRL from LDAP the attribute where it is stored is to
+\& # be specified. Usually this should be set to:
+\& #
+\& # certificateRevocationList;binary
+\& #
+\& # anyway existing LDAP installations or new standards can mandate
+\& # for different attributes for storing CRLs into. Use this parameter
+\& # to specify the attribute used to retrieve the CRL from.
+\& #
+\& # This option is needed only if the CRL is stored on LDAP
+\& crl_entry_attribute = "certificateRevocationList;binary"
+.Ve
+.PP
+.Vb 8
+\& # We need the CA certificate for every CA we support. Upon loading
+\& # the CRL and the CA certificate a simple check is made to ensure
+\& # the CRL/CA certificate matching. Also the CA certificate is used
+\& # to retrieve the CID used to identify the certificate being
+\& # requested by the client (CID of the Issuer + serial Number).
+\& # Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
+\& ca_url = ldap://localhost
+.Ve
+.PP
+.Vb 3
+\& # DN where the cACertificate;binary value can be downloaded
+\& # This option is needed only if the CA Certificate is stored on LDAP
+\& ca_entry_dn = "o=Organisation, c=IT"
+.Ve
+.PP
+.Vb 2
+\& # This is the attribute used to store the CA.
+\& ca_entry_attribute = "caCertificate;binary"
+.Ve
+.PP
+.Vb 2
+\& # Server Certificate to attach to the response
+\& server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+.Ve
+.PP
.Vb 2
\& ####################################################################
\& [ dbms_file ]
@@ -371,6 +414,11 @@ to every available interface, simply use
.IP "\fBport\fR" 6
.IX Item "port"
specifies the port to listen to.
+.IP "\fBmax_req_size\fR" 6
+.IX Item "max_req_size"
+Maximum size of received request, if a received request is bigger it
+will be trashed. Usually simple requests are 200/300 bytes long (more
+or less).
.IP "\fBthreads_num\fR" 6
.IX Item "threads_num"
Number of threads that shall be created at startup time, the
@@ -381,6 +429,21 @@ and processors.
From version 1.5+ the server is not pre\-forked, instead it is
a pre-threaded one. In order to run the server needs support
for \s-1POSIX1\s0.c as found in most modern UNiX systems.
+.IP "\fBmax_client_num\fR" 6
+.IX Item "max_client_num"
+Length of the system's listen() queue. Up to this number of not-yet-served
+connection requests are queued by the system. Additional ones are dropped.
+Default is 30.
+.IP "\fBmax_timeout_secs\fR" 6
+.IX Item "max_timeout_secs"
+Max timeout for request receiving. If a request is not received
+within the specified number of seconds then the socket is closed
+in order to free unused threads. If not set, the default value
+is 5 seconds.
+.IP "\fBhttp_proto\fR" 6
+.IX Item "http_proto"
+ HTTP protocol version to be required. If 1.1 is specified, then
+the "Host: <addr>" name is also used in the header of HTTP GET requests.
.IP "\fBchroot_dir\fR" 6
.IX Item "chroot_dir"
Chroot the application into the specified directory, watch
@@ -392,11 +455,24 @@ privileges dropping, privileges will not
error will be written in the logfile, but the server will
continue to run assuming the \fIchroot()\fR is sufficiently isolated
to prevent abuse of the machine.
-.IP "\fBmax_req_size\fR" 6
-.IX Item "max_req_size"
-maximum size of received request, if a received request is bigger it
-will be trashed. Usually simple requests are 200/300 bytes long (more
-or less).
+.IP "\fBcrl_auto_reload\fR" 6
+.IX Item "crl_auto_reload"
+Auto Reload interval of CRL in seconds. If set to 0 or not present, to
+reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
+to the parent process.
+.IP "\fBcrl_check_validity\fR" 6
+.IX Item "crl_check_validity"
+CRL validity check period in seconds. If this parameter is set to #n
+then the CRL is checked every #n secs and if the CRL's validity
+period is expired then all the responses will be set to 'unknown'.
+If is set to '0' or not specified, all
+responses will be based on the loaded CRL, no matter if it
+is expired or not.
+.IP "\fBcrl_reload_expired\fR" 6
+.IX Item "crl_reload_expired"
+If the currently loaded CRL is expired, reload it. Set this parameter to "yes"
+only if you are sure that the new CRL will be issued and put
+in the crl_url location.
.RE
.IP "\fBrequest section\fR"
.IX Item "request section"
diff -Naurp openca-ocspd-1.7.0.orig/etc/ocspd.conf.in openca-ocspd-1.7.0.new/etc/ocspd.conf.in
--- openca-ocspd-1.7.0.orig/etc/ocspd.conf.in 2013-11-04 19:06:08.816610001 +0100
+++ openca-ocspd-1.7.0.new/etc/ocspd.conf.in 2013-11-04 19:19:28.046227727 +0100
@@ -135,7 +135,7 @@ ocsp_add_response_keyid = yes
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
-# software correclty work with OCSP enabled.
+# software correctly work with OCSP enabled.
next_update_days = 0
next_update_mins = 5
|
|
|
|
|
|
|
|
|
|
|
|
|
Patrick Monnerat |
94d50ff |
+# This is the attribute used to store the CA.
|
|
Patrick Monnerat |
94d50ff |
+ca_entry_attribute = "caCertificate;binary"
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
# Server Certificate to attach to the response
|
|
Patrick Monnerat |
94d50ff |
server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
|
|
Patrick Monnerat |
94d50ff |
|
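Review bot: `ca_url = ldap://localhost` is enabled as a live value in this template, and the comment added just above it lists file, ldap and http as equally valid schemes without saying which one suits a trust anchor; the context lines above state that the certificate fetched here is what the responder matches the CRL against and uses to build the issuer CID, so with a plain ldap:// or http:// source whoever answers on that endpoint effectively decides which issuer the responder vouches for. A comment such as `# The CA certificate is a trust anchor: prefer a local file:// URL (or an integrity-checked source) over fetching it over plain ldap:// or http://.` would make that explicit, and the active sample could use a file:// path like the per-CA sections in examples/ocspd.conf do. The same lines are added to examples/ocspd.conf in hunk @@ -146,11 +185,18 @@. The section these keys belong to begins before this hunk.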
|
Patrick Monnerat |
94d50ff |
diff -Naurp openca-ocspd-1.7.0.orig/examples/ocspd.conf openca-ocspd-1.7.0.new/examples/ocspd.conf
|
|
Patrick Monnerat |
94d50ff |
--- openca-ocspd-1.7.0.orig/examples/ocspd.conf 2013-11-04 19:06:08.816610001 +0100
|
|
Patrick Monnerat |
94d50ff |
+++ openca-ocspd-1.7.0.new/examples/ocspd.conf 2013-11-04 19:31:23.822329525 +0100
|
|
Patrick Monnerat |
94d50ff |
@@ -32,7 +32,38 @@ port = 2560
|
|
Patrick Monnerat |
94d50ff |
# Max size of accepted requests. Data connection will be closed
|
|
Patrick Monnerat |
94d50ff |
# in case this size will be reached.
|
|
Patrick Monnerat |
94d50ff |
max_req_size = 8192
|
|
Patrick Monnerat |
94d50ff |
-max_childs_num = 1
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# Number of threads that shall be created at startup time, the
|
|
Patrick Monnerat |
94d50ff |
+# more threads, the better for handling very high traffic. We
|
|
Patrick Monnerat |
94d50ff |
+# expect to have better performances on multi-threaded machines
|
|
Patrick Monnerat |
94d50ff |
+# and processors.
|
|
Patrick Monnerat |
94d50ff |
+threads_num = 150
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# Size of the system listen() queue. This allows buffering connection
|
|
Patrick Monnerat |
94d50ff |
+# requests for later processing when all threads are already busy.
|
|
Patrick Monnerat |
94d50ff |
+#max_client_num = 30
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# Max timeout for request receiving. If a request is not received
|
|
Patrick Monnerat |
94d50ff |
+# within the specified number of seconds then the socket is closed
|
|
Patrick Monnerat |
94d50ff |
+# in order to free unused threads. If not set, the default value
|
|
Patrick Monnerat |
94d50ff |
+# is 5 seconds
|
|
Patrick Monnerat |
94d50ff |
+max_timeout_secs = 5
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# HTTP protocol version to be required. If 1.1 is specified, then
|
|
Patrick Monnerat |
94d50ff |
+# the "Host: <addr>" name is also used in the header of HTTP GET
|
|
Patrick Monnerat |
94d50ff |
+# requests
|
|
Patrick Monnerat |
94d50ff |
+http_proto = 1.1
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# Chroot the application into the specified directory, whatch
|
|
Patrick Monnerat |
94d50ff |
+# out because if you chroot the application, all the paths
|
|
Patrick Monnerat |
94d50ff |
+# should be relative to the new root for CRL reloading or
|
|
Patrick Monnerat |
94d50ff |
+# (better solution) you have to download the CRLs from HTTP or
|
|
Patrick Monnerat |
94d50ff |
+# LDAP. If you chroot and you do not provide support for
|
|
Patrick Monnerat |
94d50ff |
+# privileges dropping, privileges will not be dropped and an
|
|
Patrick Monnerat |
94d50ff |
+# error will be written in the logfile, but the server will
|
|
Patrick Monnerat |
94d50ff |
+# continue to run assuming the chroot() is sufficiently isolated
|
|
Patrick Monnerat |
94d50ff |
+# to prevent abuse of the machine.
|
|
Patrick Monnerat |
94d50ff |
+#chroot_dir = /etc/ocspd
|
|
Patrick Monnerat |
94d50ff |
|
|
Patrick Monnerat |
94d50ff |
# Auto Reload interval of CRL (if set to 0 or not present, to
|
|
Patrick Monnerat |
94d50ff |
# reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
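Review bot: The new `#max_client_num = 30` line is commented out without saying whether 30 is the built-in default, so it reads like a leftover rather than a documented default; the man page part of this same patch states `Default is 30.`, and the example should say the same, e.g. `# Default is 30.` on the line above it. The new chroot comment also carries a typo on its first line, `whatch` → `watch`. The section this hunk extends begins before the hunk.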
|
|
Patrick Monnerat |
94d50ff |
@@ -100,6 +131,11 @@ ocsp_add_response_keyid = yes
|
|
Patrick Monnerat |
94d50ff |
# in the OCSP response will be left NULL indicating new data
|
|
Patrick Monnerat |
94d50ff |
# can be made available anytime (this is true if you are issuing
|
|
Patrick Monnerat |
94d50ff |
# new CRLs every time a revocation takes place)
|
|
Patrick Monnerat |
94d50ff |
+#
|
|
Patrick Monnerat |
94d50ff |
+# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
|
|
Patrick Monnerat |
94d50ff |
+# case the nextUpdate field is missing. It is therefore suggested
|
|
Patrick Monnerat |
94d50ff |
+# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
|
|
Patrick Monnerat |
94d50ff |
+# software correctly work with OCSP enabled.
|
|
Patrick Monnerat |
94d50ff |
next_update_days = 0
|
|
Patrick Monnerat |
94d50ff |
next_update_mins = 5
|
|
Patrick Monnerat |
94d50ff |
@@ -113,6 +149,9 @@ next_update_mins = 5
# You can have the CRL on a simple file
# crl_url = file:///etc/ocspd/crls/crl.pem
|
|
|
|
|
|
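Review bot: The new example `# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl` introduces a URL form that stores a password in clear text inside this file, and nothing around it says so; the ldap://user:pwd@ example that follows further down has the same property. A line next to it such as `# If user:pwd is embedded, the password is stored in clear text here: keep this file readable by the ocspd user only.` would flag that for whoever copies the example into a real configuration.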
|
|
|
|
|
|
|
|
|
|
|
|
|
Patrick Monnerat |
94d50ff |
+# This is the attribute used to store the CA.
|
|
Patrick Monnerat |
94d50ff |
+ca_entry_attribute = "caCertificate;binary"
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
+# Server Certificate to attach to the response
|
|
Patrick Monnerat |
94d50ff |
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
|
|
Patrick Monnerat |
94d50ff |
|
|
Patrick Monnerat |
94d50ff |
####################################################################
|
|
Patrick Monnerat |
94d50ff |
[ dbms_file ]
|
|
Patrick Monnerat |
94d50ff |
@@ -164,12 +210,15 @@ ca_entry_dn = "o=Organisation, c=IT"
|
|
Patrick Monnerat |
94d50ff |
[ first_ca ]
|
|
Patrick Monnerat |
94d50ff |
|
|
Patrick Monnerat |
94d50ff |
# You can have the CRL on a simple file in PEM format
|
|
Patrick Monnerat |
94d50ff |
-crl_url = file:///etc/ocspd/crls/crl_07.crl
|
|
Patrick Monnerat |
94d50ff |
+crl_url = file:///etc/ocspd/crls/crl_01.crl
|
|
Patrick Monnerat |
94d50ff |
# We need the CA certificate for every supported CRL
# ca_url = file:///etc/ocspd/certs/1st_cacert.pem
ca_url = file:///etc/ocspd/certs/cacert.pem
|
|
|
|
|
|
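Review bot: Changing `[ first_ca ]` to `crl_url = file:///etc/ocspd/crls/crl_01.crl` appears to point it at the same CRL file `[ second_ca ]` already uses (the function context of the next hunk, `crl_url = file:///etc/ocspd/crls/crl_01.`, is taken from that section), while the two sections keep different CA certificates, `cacert.pem` and `2nd_cacert.pem`; given the CRL/CA matching check described in the comments earlier in this file, one of the two sample sections would then fail to load. If this was a numbering cleanup, the second section (hunk @@ -179,6 +228,9 @@) should get a distinct name such as `crl_02.crl`, or the first should keep its own file. The `server_cert` line added here is repeated verbatim in `[ second_ca ]` in that next hunk; if the value is meant per CA section, a short comment saying so would stop it reading as a copy-paste leftover.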
|
Patrick Monnerat |
94d50ff |
@@ -179,6 +228,9 @@ crl_url = file:///etc/ocspd/crls/crl_01.
|
|
Patrick Monnerat |
94d50ff |
# We need the CA certificate for every supported CRL
|
|
Patrick Monnerat |
94d50ff |
ca_url = file:///etc/ocspd/certs/2nd_cacert.pem
|
|
Patrick Monnerat |
94d50ff |
|
|
Patrick Monnerat |
94d50ff |
+# Server Certificate to attach to the response
|
|
Patrick Monnerat |
94d50ff |
+server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
|
|
Patrick Monnerat |
94d50ff |
+
|
|
Patrick Monnerat |
94d50ff |
####################################################################
|
|
Patrick Monnerat |
94d50ff |
[ HSM ]
|
|
Patrick Monnerat |
94d50ff |
|
|
Patrick Monnerat |
94d50ff |
@@ -207,9 +259,10 @@ engine_id = LunaCA3
|
|
Patrick Monnerat |
94d50ff |
# high application id 10, low app id 11 and password "myPassword"
|
|
Patrick Monnerat |
94d50ff |
1.engine_pre = login:1:10:11:myPassword
|
|
Patrick Monnerat |
94d50ff |
-# Some HSMs need to perform commands before the application can exit
-# it is therefore available the 'engine_post' option. Usage and format
+# Some HSMs need to perform commands after the ENGINE initialisation
+# which are taken from the 'engine_post' option. Usage and format
# is exactly the same as 'engine_pre', the difference is that commands
-# are sent to the HSM just before server shutdown.
+# are sent to the HSM after the ENGINE_init() function. Refer to your
+# HSM documentation for more informations
# 0.engine_post = logout:1:10:11
|
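Review bot: The reworded `engine_post` comment now says the commands are sent after `ENGINE_init()`, but the commented example that follows it, `# 0.engine_post = logout:1:10:11`, is a logout, which fitted the old "just before server shutdown" wording and not the new one; either the example or the description should change so they agree. The last new line also has `more informations`, which should be `more information`, and unlike the preceding sentences it has no full stop.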