[openssl-users] OpenSSL responder as a CGI
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Jun 17 06:38:00 UTC 2016
Hey there all,
I'm using SSL as part of puppet, which has its own sort of CA.
Puppet has no idea about OCSP, but on the master, it
leaves most of its configuration to the apache backend. Since apache
won't re-read a CRL unless restarted, OCSP seemed like a good answer to
Puppet's CA doesn't generate a standard index.txt. What it *does* do is
generate a standard CRL (which I suppose I can parse with the openssl crl
command) as well as an inventory file that contains cert start and end
dates, as well as serials and subjects.
I *think* this is enough information to effectively regenerate the
OCSP index file, and thus answer CRL requests.
Rather than letting the openssl code manage sockets and tcp ports, I
figured I'd write some basic perl code as glue, and let apache run an OCSP
responder in a vhost, which would simply generate a signed response. The
CGI would basically be a wrapper, as well as a tool to regenerate an
index.txt if either the inventory or the CRL had changed.
This way, threading and the like aren't issues, and error-handling is more
Does any of this sound like a particularly awful idea?
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
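The glue step described in the post, regenerating an OpenSSL-style index.txt from Puppet's inventory file plus the CRL, as an added example that is not code from the original post, from Puppet or from OpenSSL. It is written in Python rather than the Perl the poster planned to use, and it makes two assumptions: the inventory file uses the layout `0x<serial> <not-before> <not-after> <subject>` with UTC/GMT timestamps, and the CRL has already been dumped with `openssl crl -in <crl> -text -noout` (so the CRL parser works on that text, not on DER/PEM). Both sample inputs below are constructed for the example.

```python
"""Rebuild an OpenSSL-style index.txt (the database that `openssl ocsp -index`
reads) from a Puppet CA inventory file and the text dump of its CRL.

Added example; the inventory layout and the `openssl crl -text` output format
below are assumptions, and both samples are constructed, not real CA data.
"""
import re
from datetime import datetime

# Constructed sample in the assumed inventory.txt layout:
# "<0x serial> <not-before> <not-after> <subject>"
SAMPLE_INVENTORY = """\
0x0001 2016-06-17T06:38:00UTC 2021-06-17T06:38:00UTC /CN=Puppet CA: puppet.example.com
0x0002 2016-06-17T06:40:12UTC 2021-06-17T06:40:12UTC /CN=puppet.example.com
0x0003 2016-06-17T06:41:30UTC 2021-06-17T06:41:30UTC /CN=web01.example.com
0x0004 2016-06-17T06:42:05UTC 2021-06-17T06:42:05UTC /CN=db01.example.com
"""

# Constructed sample of `openssl crl -in ca_crl.pem -text -noout` output.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Puppet CA: puppet.example.com
        Last Update: Jun 17 06:45:00 2016 GMT
        Next Update: Jun 16 06:45:00 2021 GMT
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Jun 17 06:44:10 2016 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 04
        Revocation Date: Jun  7 12:00:00 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""

# Long reason names as printed by `openssl crl -text` -> keywords index.txt uses.
REASON_MAP = {
    "Unspecified": "unspecified", "Key Compromise": "keyCompromise",
    "CA Compromise": "CACompromise", "Affiliation Changed": "affiliationChanged",
    "Superseded": "superseded", "Cessation Of Operation": "cessationOfOperation",
    "Certificate Hold": "certificateHold", "Remove From CRL": "removeFromCRL",
}

INV_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(.+)$")


def norm_serial(raw):
    """Upper-case, even-length hex with no 0x prefix, the form the openssl
    apps use when they look a serial up in index.txt (e.g. 0x0001 -> 01)."""
    s = raw.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = (s.lstrip("0") or "0").upper()
    return s if len(s) % 2 == 0 else "0" + s


def to_index_time(dt):
    """index.txt stores times as UTCTime: YYMMDDHHMMSSZ."""
    return dt.strftime("%y%m%d%H%M%SZ")


def parse_inventory(text):
    """Return {serial: {"not_before", "not_after", "subject"}}."""
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = INV_RE.match(line)
        if not m:
            raise ValueError("unrecognised inventory line: %r" % line)
        fmt = "%Y-%m-%dT%H:%M:%S"
        nb, na = (datetime.strptime(re.sub(r"(UTC|GMT)$", "", t), fmt)
                  for t in (m.group(2), m.group(3)))
        certs[norm_serial(m.group(1))] = {
            "not_before": nb, "not_after": na, "subject": m.group(4).strip()}
    return certs


def parse_crl_text(text):
    """Return {serial: (revocation datetime, reason keyword or None)} from the
    'Revoked Certificates:' section of an `openssl crl -text` dump."""
    revoked, in_list, serial, want_reason = {}, False, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Revoked Certificates:"):
            in_list = True
        elif not in_list:
            continue
        elif line.startswith("Serial Number:"):
            serial = norm_serial(line.split(":", 1)[1])
            revoked[serial] = [None, None]
        elif line.startswith("Revocation Date:") and serial:
            when = line.split(":", 1)[1].strip()
            revoked[serial][0] = datetime.strptime(when, "%b %d %H:%M:%S %Y GMT")
        elif "CRL Reason Code" in line:
            want_reason = True
        elif want_reason and line:
            revoked[serial][1] = REASON_MAP.get(line)  # unmapped -> no reason
            want_reason = False
        elif line.startswith("Signature Algorithm:"):
            break  # end of the revoked list
    for s, (when, _) in revoked.items():
        if when is None:
            raise ValueError("revoked serial %s has no Revocation Date" % s)
    return {s: tuple(v) for s, v in revoked.items()}


def build_index(certs, revoked):
    """Return (index.txt lines, revoked serials missing from the inventory).
    Fields: status, expiry, revocation[,reason], serial, filename, subject."""
    lines = []
    for serial in sorted(certs, key=lambda s: int(s, 16)):
        c = certs[serial]
        if serial in revoked:
            when, reason = revoked[serial]
            status, rev = "R", to_index_time(when) + ("," + reason if reason else "")
        else:
            status, rev = "V", ""
        lines.append("\t".join([status, to_index_time(c["not_after"]), rev,
                                serial, "unknown", c["subject"]]))
    orphans = sorted(set(revoked) - set(certs))  # revoked but unknown to us
    return lines, orphans


if __name__ == "__main__":
    idx, missing = build_index(parse_inventory(SAMPLE_INVENTORY),
                               parse_crl_text(SAMPLE_CRL_TEXT))
    print("\n".join(idx))
    if missing:
        print("WARNING: revoked serials not in inventory:", missing)
```

The file this writes is what `openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key ...` consumes, and two properties of that lookup matter for the CGI's regeneration logic: a serial that is not in the index at all is answered "unknown", not "revoked", so a revoked serial the inventory does not know about (the `orphans` list) should abort the rewrite and keep the previous index rather than produce one that quietly downgrades a revocation; and the responder marks any `V` row "good" regardless of the expiry column, so the index must be replaced promptly whenever the CRL changes, which is exactly the mtime check the post proposes.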