OCSP
Basics
Logical Location
- IP Internet:
Critical Configuration items
Keys and X.509 certificates
- Certificate for CN ocsp.cacert.org, see details in the certificate list
  - certificate in file /etc/lighttpd/ssl/ocsp.cacert.org.crt
  - private key in file /etc/lighttpd/ssl/ocsp.cacert.org.key
- Certificate for CN ocsp.cacert.org class1 (issued with X509v3 Extended Key Usage: OCSP Signing), see details in the certificate list
  - certificate in file /usr/local/etc/ocspd/certs/class1.crt
  - private key in file /usr/local/etc/ocspd/private/class1.key
- Certificate for CN ocsp.cacert.org class3 (issued with X509v3 Extended Key Usage: OCSP Signing), see details in the certificate list
  - certificate in file /usr/local/etc/ocspd/certs/class3.crt
  - private key in file /usr/local/etc/ocspd/private/class1.key (path as listed here; a signing certificate only works with the key pair it was issued for, so if the class3 certificate has its own key this is a copy-and-paste slip. Before trusting either entry, compare the public key inside the certificate with the one derived from the key file: openssl x509 -noout -pubkey -in cert versus openssl pkey -pubout -in key must produce identical output)
Note: a CSR that asks for the OCSP Signing extended key usage can be generated with an openssl config file like the one below (openssl req -new -config <file> ...). The numeric OIDs are clientAuth (1.3.6.1.5.5.7.3.2), serverAuth (1.3.6.1.5.5.7.3.1) and OCSPSigning (1.3.6.1.5.5.7.3.9); openssl accepts the names as well. Extensions placed in a CSR through req_extensions are only a request: the issuing CA decides what actually ends up in the certificate (see below).
[ req ]
distinguished_name = req_distinguished_name
prompt = no
# extensions to put into the request (not into a self-signed cert)
req_extensions = ocsp_req
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
0.organizationName = CAcert Inc.
organizationalUnitName = Server Administration
commonName = ocsp.cacert.org
emailAddress = critical-admin@cacert.org
[ ocsp_req ]
basicConstraints=CA:FALSE
# clientAuth, serverAuth, OCSPSigning (id-kp-OCSPSigning)
extendedKeyUsage=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.9
To sign such a CSR so that the OCSP Signing flag survives into the issued certificate there is some dark magic involved: you need the admin flag set and have to tick a box far down on the second page of the new certificate process. This matters because a delegated OCSP responder is only trusted if its certificate was issued by the CA it answers for and carries the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2); a certificate issued without that box ticked will sign responses that clients reject. Check the issued certificate with openssl x509 -noout -text (look for "OCSP Signing" under X509v3 Extended Key Usage) before installing it under /usr/local/etc/ocspd/certs.