Hi there:

On 23/03/10 7:39 PM, PGNet Dev wrote:

> I'm planning to run openssl ocsp in server mode,
>
>     openssl ocsp \
>       -index /svr/demoCA/index.txt \
>       -port 8888 \
>       -CA /svr/demoCA/certs/CA/CA.cert.pem \
>       -rsigner /svr/demoCA/crl/OCSP.cert.pem \
>       -rkey /svr/demoCA/crl/OCSP.privkey.pem \
>       -text -out /var/log/ocsp.log
>
> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.

I hope you realize that there are MANY warnings against doing this for other than test purposes - for one thing, the server will fall over and die if it encounters any sort of error at all (there is an option that you can give it to stop it doing that that I can't recall at the moment, but I still wouldn't trust it for any sort of load at all).

> What's the MINIMAL (Extended)KeyUsage for the cert?

Well, according to the framers of the FBCA Certificate Policy, and the CertiPath certificate policy (which count among them several of the authors of the OCSP standards), KU for an OCSP server should be:

    digitalSignature, nonRepudiation

with an EKU of:

    OCSPSigning

and the OCSPNoCheck extension present (to avoid looping).

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
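The responder-certificate profile Patrick describes (KU digitalSignature + nonRepudiation, EKU OCSPSigning, plus the no-check extension), as an added example that is not part of this thread: it writes that profile as an OpenSSL extension section, issues a throwaway responder cert with it, and checks the result. It assumes an OpenSSL CLI on PATH; the CA, subject names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): issue a single-purpose OCSP responder
# certificate with the key usages named above, then verify they are present.
# Assumes the openssl CLI is installed; WORK and all names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profile for the OCSP signer. noCheck emits id-pkix-ocsp-nocheck so
# relying parties do not try to OCSP-check the responder's own certificate,
# which is the looping the reply refers to.
write_ocsp_profile() {
  cat > "$WORK/ocsp_ext.cnf" <<'EOF'
[ ocsp_signer ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, OCSPSigning
noCheck = ignored
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build a throwaway CA and an OCSP responder cert signed by it; print its path.
issue_ocsp_signer() {
  write_ocsp_profile
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OCSP Responder" \
    -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ocsp_ext.cnf" \
    -extensions ocsp_signer -out "$WORK/ocsp.pem" >/dev/null 2>&1
  echo "$WORK/ocsp.pem"
}

# Succeed only if the certificate carries all three parts of the profile,
# as printed by "openssl x509 -text".
check_ocsp_signer() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'Digital Signature, Non Repudiation' &&
  echo "$txt" | grep -q 'OCSP Signing' &&
  echo "$txt" | grep -q 'OCSP No Check'
}
```

Point check_ocsp_signer at an existing responder certificate to confirm it matches the profile before handing it to -rsigner.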