Ocsp

Basics

Logical Location

IP Internet:

213.154.225.237

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN ocsp.cacert.org, see details in the certificate list

    • certificate in file /etc/lighttpd/ssl/ocsp.cacert.org.crt

    • private key in file /etc/lighttpd/ssl/ocsp.cacert.org.key

  • Certificate for CN ocsp.cacert.org class1 (issued with X509v3 Extended Key Usage: OCSP Signing), see details in the certificate list

    • certificate in file /usr/local/etc/ocspd/certs/class1.crt

    • private key in file /usr/local/etc/ocspd/private/class1.key

  • Certificate for CN ocsp.cacert.org class3 (issued with X509v3 Extended Key Usage: OCSP Signing), see details in the certificate list

    • certificate in file /usr/local/etc/ocspd/certs/class3.crt

    • private key in file /usr/local/etc/ocspd/private/class1.key

Note: generating a CSR with the OCSP Signing flag set can be done with an openssl config file like this:

[ req ]
distinguished_name      = req_distinguished_name
prompt                  = no
req_extensions          = ocsp_req

[ req_distinguished_name ]
countryName             = AU
stateOrProvinceName     = NSW
localityName            = Sydney
0.organizationName      = CAcert Inc.
organizationalUnitName  = Server Administration
commonName              = ocsp.cacert.org
emailAddress            = critical-admin@cacert.org

[ ocsp_req ]
basicConstraints=CA:FALSE
# clientAuth, serverAuth, OCSPSigning (the last one is what the responder needs)
extendedKeyUsage=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.9

To sign such a CSR while retaining the OCSP Signing flag in the generated certificate, there is some dark magic involved: you have to have the admin flag set and check a box deep down on the second page of the new cert process.
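Added example, not from this wiki page: a POSIX shell script that builds a CSR from the config above and shows the general point behind that second-page checkbox, namely that a plain `openssl x509 -req` signing step drops the requested OCSP Signing EKU unless the signer applies the extension section explicitly. It assumes openssl is on PATH; the working directory and file names are constructed for the example, and the certificate is self-signed only for demonstration.

```shell
#!/bin/sh
# Added example (not CAcert's own tooling): CSR with OCSP Signing EKU,
# then two signing variants to show which one keeps the flag.
# Assumes openssl on PATH; WORK, CNF and file names are constructed.
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ocsp_req.cnf"

write_cnf() {                       # same sections as the wiki config
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
req_extensions     = ocsp_req
[ req_distinguished_name ]
countryName        = AU
0.organizationName = CAcert Inc.
commonName         = ocsp.cacert.org
[ ocsp_req ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.9
EOF
}

# Key + CSR; the EKU request sits in the CSR's extensionRequest attribute.
make_csr() {
  write_cnf
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" 2>/dev/null
}

# Echo "yes" if a CSR ($1=req) or certificate ($1=x509) lists OCSP Signing.
has_ocsp_signing() {
  if openssl "$1" -in "$2" -noout -text | grep -q 'OCSP Signing'; then
    echo yes; else echo no; fi
}

# Plain signing: x509 -req does not copy requested extensions, so the
# EKU is silently lost (self-signed here only for the demonstration).
sign_plain() {
  openssl x509 -req -in "$WORK/ocsp.csr" -signkey "$WORK/ocsp.key" \
    -days 1 -out "$WORK/plain.crt" 2>/dev/null
}

# Signing with the extension section applied explicitly retains the EKU.
sign_with_ext() {
  openssl x509 -req -in "$WORK/ocsp.csr" -signkey "$WORK/ocsp.key" \
    -days 1 -extfile "$CNF" -extensions ocsp_req -out "$WORK/ext.crt" 2>/dev/null
}
```

Run `has_ocsp_signing x509 /usr/local/etc/ocspd/certs/class1.crt` against an issued responder certificate to confirm the flag made it through the CA's signing process.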