[openssl-users] OpenSSL responder as a CGI
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Jun 17 06:38:00 UTC 2016
Hey there all,
I'm using SSL as part of puppet, which has its own sort of CA.
Puppet has no idea about OCSP, but on the master, it
leaves most of its configuration to the apache backend. Since apache
won't re-read a CRL unless restarted, OCSP seemed like a good answer to
this.
Puppet's CA doesn't generate a standard index.txt. What it *does* do is
generate a standard CRL (which I suppose I can parse with the openssl crl
command) as well as an inventory file that contains cert start and end
dates, as well as serials and subjects.
I *think* this is enough information to effectively regenerate the
OCSP index file, and thus answer CRL requests.
Rather than letting the openssl code manage sockets and tcp ports, I
figured I'd write some basic perl code as glue, and let apache run an OCSP
responder in a vhost, which would simply generate a signed response. The
CGI would basically be a wrapper, as well as a tool to regenerate an
index.txt if either the inventory or the CRL had changed.
This way, threading and the like aren't issues, and error-handling is more
easily catchable.
Does any of this sound like a particularly awful idea?
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
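As an added illustration (not code from the original post, nor Puppet's or OpenSSL's own), here is the index-regeneration step the post describes, written in Python rather than the Perl the author planned. The inventory.txt field layout assumed here (hex serial, notBefore, notAfter, subject) and the CRL text excerpt are constructed sample input; the output follows the tab-separated index.txt format that openssl ca writes.

```python
import re
from datetime import datetime
# Constructed sample of Puppet's inventory.txt. The field layout
# "<hex serial> <notBefore> <notAfter> <subject>" is an assumption about that file.
INVENTORY = """\
0x0001 2016-06-17T06:38:00UTC 2021-06-17T06:38:00UTC /CN=puppet
0x0002 2016-06-17T06:40:12UTC 2021-06-17T06:40:12UTC /CN=web01.example.com
0x0003 2014-01-02T03:04:05UTC 2016-01-02T03:04:05UTC /CN=old.example.com
"""
# Constructed excerpt of `openssl crl -noout -text` output for the same CA.
CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jun 16 12:00:00 2016 GMT
"""
INV_TIME, CRL_TIME = "%Y-%m-%dT%H:%M:%SUTC", "%b %d %H:%M:%S %Y GMT"
NOW = datetime(2016, 6, 17, 6, 38)  # fixed clock so the run is reproducible

def parse_inventory(text):
    """Yield (serial, not_before, not_after, subject) for each inventory line."""
    for line in text.strip().splitlines():
        serial, nb, na, subject = line.split(None, 3)
        yield int(serial, 16), datetime.strptime(nb, INV_TIME), datetime.strptime(na, INV_TIME), subject

def revoked_from_crl_text(text):
    """Map revoked serial -> revocation time by pairing each Serial Number with the date after it."""
    pairs = re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)\s*Revocation Date:\s*(.+)", text)
    return {int(s, 16): datetime.strptime(d.strip(), CRL_TIME) for s, d in pairs}

def asn1_time(dt):  # index.txt dates are ASN.1 UTCTime, YYMMDDHHMMSSZ
    return dt.strftime("%y%m%d%H%M%SZ")

def hex_serial(serial):  # uppercase hex with an even digit count, as openssl ca writes it
    h = "%X" % serial
    return h if len(h) % 2 == 0 else "0" + h

def build_index(inventory_text, crl_text, now=NOW):
    """Return index.txt text: status, expiry, revocation date, serial, filename, subject (tab-separated)."""
    revoked = revoked_from_crl_text(crl_text)
    rows = []
    for serial, _nb, na, subject in parse_inventory(inventory_text):
        if serial in revoked:  # revocation takes precedence over expiry
            status, rev = "R", asn1_time(revoked[serial])
        elif na <= now:  # expired: openssl ca's updatedb marks these E
            status, rev = "E", ""
        else:
            status, rev = "V", ""
        rows.append("\t".join([status, asn1_time(na), rev, hex_serial(serial), "unknown", subject]))
    return "\n".join(rows) + "\n"
```

The resulting text is what the `-index` argument of `openssl ocsp` expects, so the CGI wrapper only needs to rewrite it when the inventory or CRL has changed and then hand the request to `openssl ocsp`.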