Simple OCSP Server ??

Home » CentOS » Simple OCSP Server ??
CentOS 5 Comments

Hello list,

I’m contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don’t want to use self-signed for S/MIME for user specific x.509 certs because

A) That’s potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can’t just revoke their certificates by removing the DNS certificate, I’ll need to provide an OCSP server for when one of their private keys gets compromised.

I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need.

Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not*
be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.

I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV
certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it.

5 thoughts on - Simple OCSP Server ??

  • Oh I don’t know, their github works.

    However it seems that it isn’t able to deal with more than one ocsp signing key.

  • Alice,

    Have you found an OCSP responder?

    I am writing an Internet Draft for using openssl to set up a simple ECDSA pki:

    https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/

    It is PAST time that the default for certs is RSA, and rather move on to ECDSA. EdDSA is almost ready to ship! (Dan Bernstein’s ECC rather than NIST/NSA, plus they ARE better curves)

    Version 01 is in the works that adds CRL (done) and OCSP (almost done).
    I should have this version posted by middle of next week.

    Right now I use self-signed certs for all my servers, but I plan on creating my own small PKI and running my own OCSP responder. I also would like to find something ‘simple’.

    ECDSA will have better response for DANE. EdDSA will be even better!
    But it will take the NEXT version of openssl to provide support.

    Bob