Ocspd.conf

# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved

[ ocspd ]
# Entry section: names the section the server loads its options from.
default_ocspd	= OCSPD_default		# The default ocspd section

 ####################################################################
[ OCSPD_default ]
# Main server section, selected by 'default_ocspd' in [ ocspd ].
# Values written as $name are expanded from keys defined earlier in
# this section (OpenSSL-style configuration syntax); inline '#'
# comments after a value are accepted by that syntax.

dir		 = /export/ocspd/etc/ocspd		# Where everything is kept
db		 = $dir/index.txt		# database index file.
# Digest algorithm. SHA-1 is deprecated for signature use; prefer
# sha256 where the installed OCSPd/OpenSSL build accepts it (verify
# before changing).
md	 	 = sha1

ca_certificate	  = $dir/certs/cacert.pem 	# The CA certificate
ocspd_certificate = $dir/certs/ocspd.pem	# The OCSP server cert
# Private key of the responder (or, with 'engine' enabled, the HSM
# key ID - see the note below). Keep this file readable only by the
# 'user' the server runs as.
ocspd_key	  = $dir/private/ocspd.key	# The OCSP server key
pidfile		  = $dir/ocspd.pid		# Main process pid

# User and group the server will run as. It is a good idea not to
# run servers as root: if an error in the code gives an attacker an
# 'illegal' access method, it is better not to give them additional
# advantages.
user			= ocspd
group			= daemon

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the available ones.
# '*' listens on every interface; on a multi-homed host restrict
# this to the address the responder is meant to serve.
bind			= * 

# Port where the server will listen for incoming requests.
port		 	= 8000

# Max size of accepted requests. The data connection will be closed
# if this size is reached, which bounds the memory a single request
# can consume. Presumably in bytes - confirm against the server docs.
max_req_size	 	= 8192

# Upper bound on the number of child processes serving requests;
# presumably caps resource use under load - confirm against the
# server docs.
max_childs_num		= 20

# Auto-reload interval of the CRL, in seconds. If set to 0 or not
# present, to reload the CRL you will need to send a SIGHUP
# (kill -1 <pid>) to the parent process.
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not - i.e. revocations issued after the loaded
# CRL would not be reported.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url. If the reload does not yield a valid CRL, the
# 'crl_check_validity' setting above should decide whether
# responses fall back to 'unknown' - verify on your build.
crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response	= ocsp_response	

# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
# Example section using LDAP for data retrieval
dbms		= dbms_ldap
#
# Example section using FILES for data retrieval
#dbms		= dbms_file

# Enables the ENGINE interface for the server. If set to off then
# no support for ENGINE is loaded. If set to anything but 'off' the
# value must correspond to a section in this configuration file.
# Currently only LunaCA3, LunaSA are directly supported. If you need
# support for other HSM write to the authors.
#
# IMPORTANT NOTE: in case of usage with engine support enabled, put
# the private key ID - look at the HSM documentation - into the
# 'ocspd_key' field above in this file.
#
# NOTE: with 'engine = HSM' the HSM login credential given by
# '0.engine_pre' in [ HSM ] is read from this file, so the file's
# permissions protect that credential as well as the key path.
engine = HSM

####################################################################
[ ocsp_response ]
# Response options, selected by 'response' in [ OCSPD_default ].
# NOTE: this path contains a double slash and differs from 'dir' in
# [ OCSPD_default ]; harmless on POSIX, but confirm it is intended.
dir		 	= /export/ocspd//etc/ocspd

# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
# the file pointed to by 'ocsp_add_response_certs', concatenated
# one after the other.
#
# Comment this option out if you don't want to add certificates
# to responses.
ocsp_add_response_certs	= $dir/certs/chain_certs.pem 

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid	= yes  

# next_update_days and next_update_mins allow you to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL, indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place).
# Clients that cache responses may trust them until nextUpdate, so
# a long interval delays how quickly a new revocation is seen.
#
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to set next_update_mins (e.g. 5 minutes) to have Mozilla's
# software work correctly with OCSP enabled.
next_update_days	= 0
next_update_mins	= 5  


####################################################################
[ dbms_ldap ] 

# Indexed 'N.ca' keys reference the per-CA sections (see [ dbms_file ]
# for a two-CA example); only one CA is configured here.
0.ca = @ldap_ca_1 

[ ldap_ca_1 ]
# Per-CA source definition referenced from [ dbms_ldap ].

# You can have the CRL on a simple file
# crl_url = file:///usr/local/etc/ocspd/crl.pem 

# You can have the CRL retrieved from an HTTP server.
# NOTE: a user:pwd pair in the URL is stored in clear in this file.
# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl 

# You can store the CRL into an LDAP server, simply
# store it in the certificateRevocationList;binary attribute
#
# There are different ways, all legal, to specify the CRL
# URL address:
# crl_url = ldap://[user[:pwd]@]ldap.server.org[:389]
# crl_url = ldap://ldap.server.org:389
#
# Plain ldap:// is unauthenticated and unencrypted; the CRL itself
# is signed by the CA, so integrity relies on that signature check.
crl_url = ldap://localhost  

# The CRL entry DN is the DN to look for when retrieving the
# data from the LDAP server. Put here the complete DN (usually
# the DN of the CA's certificate). Quotes keep the embedded commas
# and spaces together.
#
# This option is needed only if the CRL is stored on LDAP
crl_entry_dn = "email=trustcenter@matrix-tech.de, cn=matrix AG Root CA, ou=Trustcenter, o=matrix technology AG, c=DE" 

# To retrieve the CRL from LDAP the attribute where it is stored is to
# be specified. Usually this should be set to:
#
#     certificateRevocationList;binary
#
# anyway existing LDAP installations or new standards can mandate
# different attributes for storing CRLs in. Use this parameter
# to specify the attribute used to retrieve the CRL from.
#
# This option is needed only if the CRL is stored on LDAP
crl_entry_attribute = "certificateRevocationList;binary"  

# We need the CA certificate for every CA we support. Upon loading
# the CRL and the CA certificate a simple check is made to ensure 
# the CRL/CA certificate matching. Also the CA certificate is used
# to retrieve the CID used to identify the certificate being
# requested by the client (CID of the Issuer + serial Number).
# 
# DN where the cACertificate;binary value can be downloaded
# This option is needed only if the CA Certificate is stored on LDAP 
#
# NOTE: the CA certificate is the trust anchor for the CRL check
# above; fetching it over unauthenticated ldap:// means the LDAP
# server is trusted for that anchor. How this relates to the local
# 'ca_certificate' in [ OCSPD_default ] is not visible here - verify.

ca_url = ldap://localhost
ca_entry_dn = "email=trustcenter@matrix-tech.de, cn=matrix AG Root CA, ou=Trustcenter, o=matrix technology AG, c=DE"
ca_entry_attribute = "cACertificate;binary"

####################################################################
[ dbms_file ] 

# We can have as many CAs supported as we want; each CRL will be
# loaded and stored when the server starts. Add further CAs as
# consecutively numbered 'N.ca' keys.
0.ca = @first_ca
#1.ca = @second_ca 

####################################################################
[ first_ca ] 
# File-based CA source referenced from [ dbms_file ]. Both files
# must be readable by the 'user' the server runs as.

# You can have the CRL on a simple file in PEM format
crl_url = file:///export/openca-pub/openca/var/crypto/crls/cacrl.pem 

# We need the CA certificate for every supported CRL
ca_url  = file:////export/ocspd//etc/ocspd/certs/cacert.pem 

####################################################################
[ second_ca ] 
# Second file-based CA source; only used if '1.ca' in [ dbms_file ]
# is uncommented.

# You can have the CRL on a simple file in PEM format
crl_url = file:////export/ocspd//etc/ocspd/crls/crl_02.pem 

# We need the CA certificate for every supported CRL
ca_url  = file:////export/ocspd//etc/ocspd/certs/2nd_cacert.pem 

####################################################################
[ HSM ]

# Setup parameters for basic LunaCA3/LunaSA crypto hardware,
# selected by 'engine' in [ OCSPD_default ]. 

# Specifies the ENGINE id to be used - check OpenSSL and your HSM
# vendor to get more info about this parameter.
engine_id = LunaCA3 

# Some HSMs need initialisation before access to the crypto accelerated
# functions is granted. It is possible, by using the 'engine_pre' options,
# to issue the needed commands directly to the HSM.
#
# The format is as follows:
#    0.engine_pre = cmd:values
#    1.engine_pre = cmd2:values
#    ...
# It is possible to have as many commands as needed.
# The following command is for LunaCA3/LunaSA. It forces the vendor's
# library to use '/etc/my_conf_file' as configuration file (check the
# HSM documentation about this file's contents).
#0.engine_pre = CONF_PATH:/etc/my_conf_file 

# The following is for LunaCA3/LunaSA where the command is 'login' and
# the value is "1:10:11:myPassword" which indicates to use Slot 1,
# high application id 10, low app id 11 and password "myPassword".
#
# NOTE: this stores the HSM login password in clear text in this
# file. Restrict the file to the 'user' the server runs as, keep it
# out of world-readable backups and version control, and replace the
# example value before deployment.
0.engine_pre = login:1:10:11:myPassword

# Some HSMs need to perform commands after the ENGINE initialisation,
# which are taken from the 'engine_post' option. Usage and format
# are exactly the same as 'engine_pre'; the difference is that commands
# are sent to the HSM after the ENGINE_init() function. Refer to your
# HSM documentation for more information.
# 0.engine_post = logout:1:10:11
