
OCSPレスポンダ


By nob

Category: Posts

Tags: OCSP OpenSSL systemd

前提

software version
OpenSSL 3.0.10.1（OpenSSL 3.x のバージョン番号は 3 要素なので、おそらく 3.0.10 の誤記）

手順

systemdのユニットファイルを作成する

# vim /etc/systemd/system/ocsp-root.service
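[Unit]
Description = Root CA OCSP Responder
# The responder binds a TCP port, so order it after the network is up.
After = network.target

[Service]
EnvironmentFile = /etc/default/ocsp-root
# NOTE(review): with the shipped /etc/default/ocsp-root, RESPONSE_SIGNER and
# RESPONSE_SIGNER_KEY are the root CA's own certificate and private key, so the
# root key is loaded into a long-running, network-facing process. Keep the root
# key offline and sign responses with a delegated OCSP signing certificate
# (id-kp-OCSPSigning EKU) issued by the root instead.
# -port listens on every interface; limit exposure with a firewall or a reverse proxy.
# Without -nmin/-ndays the responses carry no nextUpdate field.
# -text -out writes every request and response in clear text to LOG_FILE.
ExecStart = openssl ocsp -ignore_err -port ${PORT} -index ${INDEX_FILE} -rsigner ${RESPONSE_SIGNER} -rkey ${RESPONSE_SIGNER_KEY} -rmd ${RESPONSE_SIGNER_DIGEST} -CA ${CA} -text -out ${LOG_FILE} -passin ${RESPONSE_SIGNER_KEY_PASS}
# openssl ocsp does not appear to treat SIGHUP specially, so HUP simply terminates
# it - the same outcome as systemd's default SIGTERM. Kept as in the original.
ExecStop = /bin/kill -HUP $MAINPID
# Bring the responder back if it dies; clients otherwise fall back to CRLs or fail.
Restart = on-failure
RestartSec = 5s
# Sandboxing. The process only reads CA material under /etc and writes the log
# under /var/log; ProtectSystem=full keeps /usr, /boot and /etc read-only while
# leaving /var/log writable. It still runs as root (no User=): add User=/Group=
# once the key, passphrase file and index are readable by a dedicated account.
NoNewPrivileges = true
PrivateTmp = true
PrivateDevices = true
ProtectHome = true
ProtectSystem = full
ProtectKernelTunables = true
ProtectControlGroups = true

[Install]
WantedBy = multi-user.target

# vim: filetype=systemd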
# vim /etc/default/ocsp-root
# Environment for ocsp-root.service (loaded through EnvironmentFile=).
# TCP port the responder listens on; openssl ocsp -port binds every interface.
PORT=3000
# Target of -text -out: each request and response is appended here in clear text.
LOG_FILE="/var/log/ocsp-root.log"
# CA database (index.txt) the responder answers certificate status from.
INDEX_FILE="/etc/ssl/root/index.txt"
# NOTE(review): the response signer is the root CA certificate itself, which means
# the root private key below is held by a network-facing service. Prefer a
# delegated OCSP signing certificate (id-kp-OCSPSigning EKU) issued by the root
# and keep the root key offline.
RESPONSE_SIGNER="/etc/ssl/root/certs/root.crt"
RESPONSE_SIGNER_KEY="/etc/ssl/root/private/root.key"
# The passphrase lives in a plain file beside the key, so the key's encryption only
# helps if one file leaks without the other; the permissions on
# /etc/ssl/root/private are the real control.
RESPONSE_SIGNER_KEY_PASS="file:/etc/ssl/root/private/root.pass"
# Digest used for the response signature (-rmd).
RESPONSE_SIGNER_DIGEST="sha256"
# Issuer certificate the responder validates requests against (-CA).
CA="/etc/ssl/root/certs/root.crt"
# vim: filetype=conf

ユニットを有効化する（`systemctl enable` は起動時の自動起動を登録するだけで、レスポンダは直ちには起動しない。すぐに起動するには `systemctl start ocsp-root`、または `enable --now` を使う）

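# systemctl daemon-reload
# systemctl enable ocsp-root    # registers autostart only; nothing is listening yet
# systemctl start ocsp-root
# systemctl status ocsp-root    # confirm openssl ocsp is running before pointing clients at it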