[openssl-users] OpenSSL responder as a CGI

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Jun 17 06:38:00 UTC 2016


Hey there all,

I'm using SSL as part of puppet, which has its own sort of CA.

Puppet has no idea about OCSP, but on the master, it 
leaves most of its configuration to the apache backend.  Since apache 
won't re-read a CRL unless restarted, OCSP seemed like a good answer to 
this.

Puppet's CA doesn't generate a standard index.txt.  What it *does* do is 
generate a standard CRL (which I suppose I can parse with the openssl crl 
command) as well as an inventory file that contains cert start and end 
dates, as well as serials and subjects.

I *think* this is enough information to effectively regenerate the 
OCSP index file, and thus answer CRL requests.

Rather than letting the openssl code manage sockets and tcp ports, I 
figured I'd write some basic perl code as glue, and let apache run an OCSP 
responder in a vhost, which would simply generate a signed response.  The 
CGI would basically be a wrapper, as well as a tool to regenerate an 
index.txt if either the inventory or the CRL had changed.

This way, threading and the like aren't issues, and error-handling is more 
easily catchable.

Does any of this sound like a particularly awful idea?

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
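Dan proposes Perl glue around `openssl ocsp`; as an added example (not code from the post, from Puppet, or from OpenSSL) here is the same shape of wrapper in Python: rebuild an OpenSSL-style `index.txt` from the inventory file plus the serials on the CRL, and hand each POSTed request to a one-shot `openssl ocsp` for a signed response. The inventory layout is an assumption matching the constructed sample, the CRL is parsed from `openssl crl -text` output, and every path under `/etc/puppet-ocsp` (including the responder certificate and key) is a placeholder.

```python
"""Glue for an OCSP responder run as a CGI (added example; all paths and the
inventory layout are assumptions, not Puppet's or OpenSSL's own code)."""
import os
import subprocess
import sys
import tempfile
from datetime import datetime

# Constructed sample in the layout assumed for Puppet's inventory.txt:
# serial, not-before, not-after, subject DN in OpenSSL one-line form.
SAMPLE_INVENTORY = """\
0x0001 2016-06-17T06:38:00UTC 2021-06-17T06:38:00UTC /CN=Puppet CA: puppet.example.org
0x0002 2016-06-17T06:40:12UTC 2021-06-17T06:40:12UTC /CN=puppet.example.org
0x0003 2016-06-18T09:01:00UTC 2021-06-18T09:01:00UTC /CN=web01.example.org
"""
# Constructed sample of what `openssl crl -in ca_crl.pem -text -noout` prints
# for revoked certificates; every other line is ignored.
SAMPLE_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Jun 20 10:15:00 2016 GMT
"""

def parse_inventory(text):
    """(serial, not_after, subject) per inventory line; the subject may contain spaces."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        serial, _not_before, not_after, subject = line.split(None, 3)
        rows.append((int(serial, 16), datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SUTC"), subject))
    return rows

def parse_crl_text(text):
    """Map revoked serial -> revocation datetime from `openssl crl -text` output."""
    revoked, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Serial Number:"):
            # short serials print as plain hex, longer ones as colon-separated bytes;
            # serials so long that they wrap onto the next line are not handled here
            current = int(line.split(":", 1)[1].replace(":", ""), 16)
        elif line.startswith("Revocation Date:") and current is not None:
            revoked[current] = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")
    return revoked

def _stamp(dt):
    return dt.strftime("%y%m%d%H%M%SZ")  # the UTCTime layout index.txt uses

def index_line(status, not_after, revoked_at, serial, subject):
    """One row: status, expiry, revocation time, serial hex (even length), file, subject."""
    hexser = format(serial, "X")
    hexser = hexser.zfill(len(hexser) + len(hexser) % 2)
    return "\t".join([status, _stamp(not_after), _stamp(revoked_at) if revoked_at else "",
                      hexser, "unknown", subject])

def build_index(inventory_text, crl_text):
    """index.txt: R rows for serials on the CRL, V for the rest. Expired certs stay V:
    OCSP 'good' says nothing about the validity period and clients reject them anyway."""
    revoked = parse_crl_text(crl_text)
    return "".join(index_line("R" if s in revoked else "V", na, revoked.get(s), s, subj) + "\n"
                   for s, na, subj in parse_inventory(inventory_text))

def refresh_index_if_stale(inventory_path, crl_path, index_path):
    """Rebuild index.txt only when the inventory or the CRL is newer than it."""
    newest = max(os.path.getmtime(inventory_path), os.path.getmtime(crl_path))
    if os.path.exists(index_path) and os.path.getmtime(index_path) >= newest:
        return False
    crl_text = subprocess.run(["openssl", "crl", "-in", crl_path, "-text", "-noout"],
                              check=True, capture_output=True, text=True).stdout
    with open(inventory_path) as f, open(index_path + ".tmp", "w") as out:
        out.write(build_index(f.read(), crl_text))
    os.replace(index_path + ".tmp", index_path)  # atomic swap: no request sees a half-written index
    return True

def ocsp_command(index_path, ca_cert, signer_cert, signer_key, req_path, resp_path):
    """One-shot `openssl ocsp` call: read one DER request, write one signed DER response."""
    return ["openssl", "ocsp", "-index", index_path, "-CA", ca_cert, "-rsigner", signer_cert,
            "-rkey", signer_key, "-ndays", "1",  # nextUpdate so clients know how long to cache
            "-reqin", req_path, "-respout", resp_path]

def answer_request(request_der, index_path, ca_cert, signer_cert, signer_key):
    """Run one request through openssl ocsp and return the DER response bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        req, resp = os.path.join(tmp, "req.der"), os.path.join(tmp, "resp.der")
        with open(req, "wb") as f:
            f.write(request_der)
        subprocess.run(ocsp_command(index_path, ca_cert, signer_cert, signer_key, req, resp),
                       check=True, capture_output=True)
        with open(resp, "rb") as f:
            return f.read()

if __name__ == "__main__":
    base = "/etc/puppet-ocsp"  # placeholder directory holding the Puppet CA files
    paths = dict(index_path=base + "/index.txt", ca_cert=base + "/ca_crt.pem",
                 signer_cert=base + "/ocsp_crt.pem", signer_key=base + "/ocsp_key.pem")
    if (os.environ.get("REQUEST_METHOD") != "POST"
            or not os.environ.get("CONTENT_TYPE", "").startswith("application/ocsp-request")):
        sys.stdout.write("Status: 405\r\nContent-Type: text/plain\r\n\r\nPOST an OCSP request\r\n")
        sys.exit(0)
    body = sys.stdin.buffer.read(int(os.environ.get("CONTENT_LENGTH", "0")))
    refresh_index_if_stale(base + "/inventory.txt", base + "/ca_crl.pem", paths["index_path"])
    der = answer_request(body, **paths)
    sys.stdout.buffer.write(b"Content-Type: application/ocsp-response\r\n\r\n" + der)
```

Two points worth keeping in mind when running something like this. `openssl ocsp` only distinguishes `V` and `R` rows when answering, so the index carries only those two statuses; a serial missing from the index comes back as "unknown", which is the right answer for a certificate the inventory never saw. The responder key is read on every request, so the CGI's user needs read access to it and nothing else on the host should; signing with a dedicated OCSP responder certificate rather than the CA key keeps the CA key off the web server entirely.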


