OpenSSL responder as a CGI

Hey there all,

I'm using SSL as part of puppet, which has its own sort of CA.

Puppet has no idea about OCSP, but on the master, it 
leaves most of its configuration to the apache backend.  Since apache 
won't re-read a CRL unless restarted, OCSP seemed like a good answer to 
this.

Puppet's CA doesn't generate a standard index.txt.  What it *does* do is 
generate a standard CRL (which I suppose I can parse with the openssl crl 
command) as well as an inventory file that contains cert start and end 
dates, as well as serials and subjects.

I *think* this is enough information to effectively regenerate the 
OCSP index file, and thus answer CRL requests.

Rather than letting the openssl code manage sockets and tcp ports, I 
figured I'd write some basic perl code as glue, and let apache run an OCSP 
responder in a vhost, which would simply generate a signed response.  The 
CGI would basically be a wrapper, as well as a tool to regenerate an 
index.txt if either the inventory or the CRL had changed.

This way, threading and the like aren't issues, and error-handling is more 
easily catchable.

Does any of this sound like a particularly awful idea?

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
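The glue the post sketches, as an added example that is not part of the original post and not Puppet's or OpenSSL's own code: rebuild an `openssl ca`-style index.txt from the inventory file plus the CRL (the CRL is read through `openssl crl -noout -text`), then answer one DER OCSP request per CGI invocation by shelling out to `openssl ocsp`. Everything about the inventory.txt line layout, the `openssl crl -text` layout, the CA directory paths and the file names is an assumption; the inventory and CRL samples below are constructed. Python is used here in place of the Perl the poster had in mind.

```python
#!/usr/bin/env python3
"""Rebuild index.txt from Puppet's inventory.txt + CRL and wrap `openssl ocsp`.
Added example, not Puppet's or OpenSSL's code; file layouts and paths are assumptions."""
import os
import re
import subprocess
import sys
import tempfile
from datetime import datetime

# Assumed inventory.txt line: "0x0002 2012-01-02T08:15:00UTC 2017-01-02T08:15:00UTC /CN=agent1"
INVENTORY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(.+)$")
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"          # `openssl crl -text` timestamp form
REASONS = {"Key Compromise": "keyCompromise", "CA Compromise": "CACompromise",
           "Affiliation Changed": "affiliationChanged", "Superseded": "superseded",
           "Cessation Of Operation": "cessationOfOperation",
           "Certificate Hold": "certificateHold"}   # -text wording -> index.txt token

# Constructed sample inputs (not real CA data) so the module runs offline.
SAMPLE_INVENTORY = (
    "0x0001 2012-01-01T00:00:00UTC 2017-01-01T00:00:00UTC /CN=Puppet CA: puppet.example.com\n"
    "0x0002 2012-01-02T08:15:00UTC 2017-01-02T08:15:00UTC /CN=agent1.example.com\n\n"
    "0x0003 2012-03-10T12:00:00UTC 2017-03-10T12:00:00UTC /CN=agent2.example.com\n")
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=Puppet CA: puppet.example.com
        Last Update: Jan  1 00:00:00 2013 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jun  5 12:00:00 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
    Serial Number: 04
        Revocation Date: Jul  1 08:30:00 2013 GMT
"""


def parse_inventory(text):
    """{serial: (not_after, subject)}; blank or malformed lines are skipped, not fatal."""
    certs = {}
    for line in text.splitlines():
        m = INVENTORY_RE.match(line.strip())
        if m:
            not_after = datetime.strptime(m.group(3)[:19], "%Y-%m-%dT%H:%M:%S")
            certs[int(m.group(1), 16)] = (not_after, m.group(4).strip())
    return certs


def parse_crl_text(text):
    """{serial: (revocation time, reason token or None)} from `openssl crl -noout -text`."""
    revoked, serial = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            serial = int(line.split(":", 1)[1], 16)
            revoked[serial] = [None, None]
        elif line.startswith("Revocation Date:") and serial is not None:
            stamp = " ".join(line.split(":", 1)[1].split())      # collapse 'Jun  5'
            revoked[serial][0] = datetime.strptime(stamp, OPENSSL_TIME)
        elif line in REASONS and serial is not None:
            revoked[serial][1] = REASONS[line]
    return {s: tuple(v) for s, v in revoked.items() if v[0] is not None}


def db_time(dt):
    """index.txt time field, UTCTime 'YYMMDDHHMMSSZ' (good for years before 2050)."""
    return dt.strftime("%y%m%d%H%M%SZ")


def db_serial(serial):
    """Upper-case hex with an even digit count, as `openssl ca` writes it."""
    h = "%X" % serial
    return h if len(h) % 2 == 0 else "0" + h


def build_index(inventory_text, crl_text):
    """index.txt rows: status, expiry, revocation[,reason], serial, file, subject.
    Not on the CRL -> 'V' (clients check notAfter themselves, so no 'E' rows).
    On the CRL but absent from the inventory -> still 'R', with placeholder
    expiry/subject, so it is answered 'revoked' rather than 'unknown'."""
    certs, revoked = parse_inventory(inventory_text), parse_crl_text(crl_text)
    rows = []
    for serial in sorted(set(certs) | set(revoked)):
        not_after, subject = certs.get(serial, (None, "/CN=unknown"))
        if serial in revoked:
            when, reason = revoked[serial]
            status, rev = "R", db_time(when) + ("," + reason if reason else "")
            not_after = not_after or when
        else:
            status, rev = "V", ""
        rows.append("\t".join([status, db_time(not_after), rev,
                               db_serial(serial), "unknown", subject]))
    return "".join(r + "\n" for r in rows)


def index_is_stale(index_path, inventory_path, crl_path):
    """True when index.txt is missing or older than either of its sources."""
    try:
        built = os.path.getmtime(index_path)
    except OSError:
        return True
    return built < max(os.path.getmtime(inventory_path), os.path.getmtime(crl_path))


def crl_to_text(crl_path):
    return subprocess.run(["openssl", "crl", "-in", crl_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def ocsp_respond(request_der, index_path, ca_cert, signer_cert, signer_key):
    """Answer one DER OCSP request with `openssl ocsp`; returns the DER response."""
    with tempfile.NamedTemporaryFile(suffix=".req") as req, \
         tempfile.NamedTemporaryFile(suffix=".resp") as resp:
        req.write(request_der)
        req.flush()
        subprocess.run(["openssl", "ocsp", "-index", index_path, "-CA", ca_cert,
                        "-rsigner", signer_cert, "-rkey", signer_key,
                        "-reqin", req.name, "-respout", resp.name],
                       check=True, capture_output=True)
        with open(resp.name, "rb") as f:
            return f.read()


if __name__ == "__main__":           # CGI entry point; ssl_dir and names are assumed
    ssl_dir = "/var/lib/puppet/ssl/ca"
    inv, crl, idx = (os.path.join(ssl_dir, n) for n in ("inventory.txt", "ca_crl.pem", "index.txt"))
    if index_is_stale(idx, inv, crl):
        with open(inv) as f, open(idx + ".tmp", "w") as out:
            out.write(build_index(f.read(), crl_to_text(crl)))
        os.replace(idx + ".tmp", idx)    # atomic swap: concurrent CGIs never see a half-written index
    body = sys.stdin.buffer.read(int(os.environ.get("CONTENT_LENGTH", "0")))
    ca = os.path.join(ssl_dir, "ca_crt.pem")
    der = ocsp_respond(body, idx, ca, ca, os.path.join(ssl_dir, "ca_key.pem"))
    sys.stdout.buffer.write(b"Content-Type: application/ocsp-response\r\n\r\n" + der)
```

Two caveats a practitioner would want before deploying this shape. First, the CGI signs with the CA key itself (`-rsigner`/`-rkey` pointing at the CA), which puts the Puppet CA private key in reach of the Apache worker; a delegated responder certificate carrying the id-kp-OCSPSigning EKU is the usual fix, but Puppet will not issue one for you, so it would have to be cut with `openssl x509`/`openssl ca` against the Puppet CA out of band. Second, the responder only distinguishes `V` from `R`; whether a certificate is expired is left to the client, which is why no `E` rows are written.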