cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

OCSP and CRL implementation? #968

Open jryberg opened 5 years ago

jryberg commented 5 years ago

Hi,

I have tried to understand the data flow and how to actually implement OCSP and CRL with cfssl.

There are at least 4 commands related to OCSP: ocsprefresh, ocspsign, ocspdump, ocspserve.

ocspserve is easy, that will run in the end, after valid ocsp data has been generated.

What is the flow for the other components? This is what I think should happen: ocsprefresh and ocspsign run every X minutes from some kind of cron or some other trigger; ocspdump is used to export data to be used with ocspserve.

Are there any design documents available? High level flows or anything?

One other question related to this concerns gencrl: it requires an input file with one serial number per line.

Is gencrl totally unrelated to the revoke database entries that ocsp and revoke are using?

electrical commented 5 years ago

ocspdump will allow you to dump the revoked certs into a file which can be read by ocspserve. This is when you don't use it with a database backend on the ocspserve side. ocsprefresh takes the revoked status from the certificates table in the database and puts the required info in the ocspresponse table. ocspsign I'm not 100% sure about.

The gencrl is separate from the OCSP part, yeah. The CRL (Certificate Revocation List) is sort of the 'old' way of managing revoked certs.

I'm still working with this as well so I may have more info/details the further I get with this.
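The revoke, ocsprefresh, ocspdump and ocspserve flow discussed in the thread, with the separate gencrl step, as an added example that is not part of this thread or of the cfssl project. Flag names follow the cfssl subcommand help; the file names, port, certdb config and the assumption that gencrl prints the CRL base64-encoded are mine, not the page's.

```shell
#!/bin/sh
# Added example, not cfssl project code. Paths and port are assumptions.
set -eu

DB_CONFIG=${DB_CONFIG:-db.json}      # certdb config, e.g. {"driver":"sqlite3","data_source":"certstore.db"}
CA_CERT=${CA_CERT:-ca.pem}
CA_KEY=${CA_KEY:-ca-key.pem}
RESPONDER=${RESPONDER:-ocsp.pem}     # OCSP responder cert issued by the CA with the OCSP-signing EKU
RESPONDER_KEY=${RESPONDER_KEY:-ocsp-key.pem}
RESPONSES=${RESPONSES:-ocsp-responses}   # flat file read by ocspserve -responses
OCSP_PORT=${OCSP_PORT:-8889}

# 1. Mark one certificate revoked in the certdb. Usage: revoke_cert SERIAL AKI REASON
revoke_cert() {
    cfssl revoke -db-config="$DB_CONFIG" -serial="$1" -aki="$2" -reason="$3"
}

# 2. Sign a fresh OCSP response for every certificate in the certdb and store it
#    in the ocsp_responses table. Run this more often than the response validity
#    window, otherwise ocspserve keeps handing out responses that have expired.
refresh_ocsp() {
    cfssl ocsprefresh -db-config="$DB_CONFIG" -ca="$CA_CERT" \
        -responder="$RESPONDER" -responder-key="$RESPONDER_KEY"
}

# 3. Export the stored responses (one base64 DER response per line) for an
#    ocspserve instance that has no database access.
dump_ocsp() {
    cfssl ocspdump -db-config="$DB_CONFIG" > "$RESPONSES"
}

# The periodic job the question asks about: refresh, then dump.
cron_refresh() {
    refresh_ocsp
    dump_ocsp
}

# 4. Serve the dumped responses (long-running process).
serve_ocsp() {
    cfssl ocspserve -port="$OCSP_PORT" -responses="$RESPONSES"
}

# CRL path, independent of the certdb. Usage: gen_crl SERIALS_FILE (one serial
# per line). Assumes gencrl prints base64 DER, so decode for DER-only clients.
gen_crl() {
    cfssl gencrl "$1" "$CA_CERT" "$CA_KEY" | base64 -d > crl.der
}
```

Wire cron_refresh into cron (or a systemd timer) on the CA host and copy the responses file to the ocspserve host; ocspserve itself never changes revocation state.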