
The Online Certificate Status Protocol is used to provide the status of X.509 certificates in lieu of a CRL. OCSPD is a daemon that serves a CRL file using OCSP. This is handy if you are running your own CA.

Here's how to build it on a SLUG - I don't have time to make an IPKG for it at the moment, but it should be straightforward from this recipe.

This assumes that you have the native tools installed.

 export PATH=$PATH:/opt/bin:/share/hdd/data/tools/bin
 export LD_LIBRARY_PATH=/lib:/opt/lib:/usr/lib:/usr/local/lib:/opt/armeb/armv5b-softfloat-linux/lib
 export LDFLAGS=-L/usr/local/lib
 export C_INCLUDE_PATH=/usr/include:/usr/local/include:/opt/armeb/include:/opt/armeb/armv5b-softfloat-linux/include:/opt/armeb/armv5b-softfloat-linux/sys-include
  • Run configure with the following options:
 ./configure --prefix=/opt --with-openssl-prefix=/opt --with-ocspd-user=ocspd --with-ocspd-group=ocspd --with-openldap-prefix=/opt
  • Make requires a small tweak to get ocspd to link:
 make LIBS="-lresolv -lnsl -lsasl2 -rpath /opt/lib"
  • Install
 make install
  • Change the startup file
 cd /opt/etc/init.d
 mv ocspd S43ocspd
--- oscpd       2009-07-11 09:36:01.000000000 -0400
+++ S43ocspd    2009-07-11 09:53:20.000000000 -0400
@@ -57,7 +57,7 @@
                echo "stopped."
                pid=`cat $pidfile`;
-               if test `ps -p ${pid}` ; then
+               if ps -p ${pid} >/dev/null ; then
                        echo "running ( $pid ) ... "
                        echo "stopped."
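Review bot: `${pid}` in the new `ps -p ${pid} >/dev/null` test is unquoted and stderr is left attached, so an empty pidfile makes `ps -p` run with no argument and print its error to the console. Consider `if [ -n "$pid" ] && ps -p "$pid" >/dev/null 2>&1 ; then`, and quote `$pidfile` in the `cat` on the line above. The `---` header also spells the old file `oscpd`, while the `mv` above uses `ocspd`; worth correcting so the header matches.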

 ln -s S43ocspd K80ocspd
  • Edit your /opt/etc/ocspd.conf file; see man ocspd.conf for details. Suggestion: set threads_num to something more reasonable, like 25. Also, create the ocspd user and group -- you can do this with the GUI so that they persist.
  • Edit /opt/etc/init.d/S43ocspd to reflect the location of your pidfile (suggest /opt/var/run/ocspd.pid)
  /opt/etc/init.d/S43ocspd start

And you should be off.

By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this (apache):

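    # Allow OCSP content for POST (If you have mod_security)
    # This removes rule 960010 everywhere the directive is in scope, so place
    # it in the virtual host that serves OCSP rather than server-wide.
    SecRuleRemoveById 960010

    # Proxy OCSP requests to the OCSP server
    # (needs mod_rewrite, mod_proxy and mod_proxy_http loaded)
    #  -- Any POST with OCSP content
    #  -- /ocsp (for GET)

    RewriteEngine On
    RewriteCond %{HTTP:Content-Type} ^application/ocsp-request$ [OR]
    RewriteCond %{REQUEST_URI} ^/ocsp
    RewriteRule ^/(.*) http://ocsp.litts.net:2560/$1 [P]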

If you have difficulty, start-verbose will log more information in /var/log/messages.
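To confirm that the responder answers correctly on port 2560 or through the port 80 proxy, the output of `openssl ocsp` can be reduced to a single verdict. This is an added example, not part of the original recipe: the function names and the ca.pem / cert.pem file names are assumptions, and the sample outputs are constructed.

```shell
# Added example: reduce `openssl ocsp` output to one verdict.
# Verdicts: good | revoked | unknown | stale | untrusted | error
ocsp_classify() {
    printf '%s\n' "$1" | awk '
        /Response Verify Failure/        { untrusted = 1 }
        /WARNING: Status times invalid/  { stale = 1 }
        $NF ~ /^(good|revoked|unknown)$/ { status = $NF }
        END {
            # openssl still prints the status when the signature check fails
            # or the update window has passed, so those conditions win.
            if (untrusted)         print "untrusted"
            else if (stale)        print "stale"
            else if (status != "") print status
            else                   print "error"
        }'
}

# Query a live responder: $1 = URL, $2 = CA certificate, $3 = certificate.
# (Assumed inputs; the CA certificate is also used to verify the response.)
ocsp_check() {
    out=$(openssl ocsp -issuer "$2" -cert "$3" -url "$1" -CAfile "$2" 2>&1) || true
    ocsp_classify "$out"
}

# Constructed samples modelled on `openssl ocsp` output (dates are made up).
SAMPLE_GOOD='Response verify OK
cert.pem: good
    This Update: Jul 11 13:00:00 2009 GMT
    Next Update: Jul 18 13:00:00 2009 GMT'
SAMPLE_REVOKED='Response verify OK
cert.pem: revoked
    This Update: Jul 11 13:00:00 2009 GMT
    Revocation Time: Jul 10 09:00:00 2009 GMT'
SAMPLE_UNVERIFIED='Response Verify Failure
cert.pem: good
    This Update: Jul 11 13:00:00 2009 GMT'
SAMPLE_STALE='Response verify OK
cert.pem: WARNING: Status times invalid.
good
    Next Update: Jan 08 00:00:00 2009 GMT'

# With three arguments, query the responder; otherwise classify the samples.
if [ "$#" -eq 3 ]; then
    ocsp_check "$1" "$2" "$3"
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNVERIFIED" "$SAMPLE_STALE"; do ocsp_classify "$s"; done
fi
```

Saved under a name of your choice (ocsp-check.sh here is hypothetical), it runs as `sh ocsp-check.sh http://localhost:2560 ca.pem cert.pem`. Since ocspd answers from a CRL file, a `stale` verdict usually means the CRL it loaded has passed its next-update time.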


Last edited by tlhackque.
Originally by tlhackque.
Page last modified on July 15, 2009, at 01:19 PM