r509 / r509-ocsp-responder

An OCSP responder written in Ruby. Uses r509 and Sinatra.
http://langui.sh

OCSP responder on dedicated server #15

Closed tisrnd closed 8 years ago

tisrnd commented 8 years ago

Hi! I am trying to build CA stack.

Previously I've been following your tutorial "Building a CA (r509 Howto)" and succeeded in getting r509-ca-http + r509-ocsp-responder up on the same server. Everything worked fine, OCSP was returning VALID and REVOKED for my certificates. For r509-ocsp-responder I've used this config:

copy_nonce: true
cache_headers: true
max_cache_age: 60
certificate_authorities:
  r509_howto_ca:
    ca_cert:
      cert: spec/fixtures/r509_howto_ca.cer
      key: spec/fixtures/r509_howto_ca.key

But right now I want to split up r509-http and ocsp. After setting up those on different servers I've started receiving UNKNOWN and realized that both those instances are using their local Redis database and don't share data with each other. So ocsp doesn't know that a cert has been revoked or unrevoked.

In your tutorial I've seen that you've mentioned "OCSP signing delegates"

We are going to use the root to sign responses for our OCSP responder. This is not considered best practice for a variety of reasons, but it will simplify our setup. We'll cover OCSP signing delegates in another post.

I've tried to look up any info about it, googled within your site, but haven't found anything.

Config for r509-ocsp-responder on the dedicated server I tried to use:

copy_nonce: true
cache_headers: true
max_cache_age: 60
certificate_authorities:
  r509_howto_ca:
    ca_cert:
      cert: spec/fixtures/r509_howto_ca.cer
    ocsp_cert:
      cert: spec/fixtures/ocsp.cer
      key: spec/fixtures/ocsp.key

Keys for OCSP I've generated this way (probably I made a mistake here):

r509 --keyout ocsp.key --subject "/CN=ocsp/O=ocsp test"

Maybe I need to find a way to share a Redis instance between both servers? Can you help me with this and give some advice on what I am missing? Because I think that I might be going in the wrong direction trying to get this done.

reaperhulk commented 8 years ago

An OCSP signing certificate is a cert cut off the authority that you want to sign for. It needs an extendedKeyUsage of OCSPSigning and typically also has the OCSPNoCheck extension.

If you want to share revocation/issuance information with multiple r509-ocsp-responder instances you are correct that you'll need to either use a shared redis instance or else write some code to publish the information to each redis. At my old job we built a pub/sub where each responder would subscribe to issuance/revocation events so there was a local copy of all the data.

Take a look at how you're writing that information right now (probably with https://github.com/r509/r509-validity-redis ?) and adapt it to your needs.
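
Added example, not r509 project code and not from either participant in this thread: it uses Ruby's OpenSSL stdlib to cut a delegated OCSP signing certificate off a throwaway CA with the extensions reaperhulk names (extendedKeyUsage OCSPSigning plus OCSPNoCheck), then checks the result the way a responder should before loading it as ocsp_cert. The CA subject, serials and validity periods are constructed values.

```ruby
require "openssl"
# Throwaway self-signed CA standing in for r509_howto_ca (constructed values).
def build_ca(ca_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=r509 howto CA")
  cert.issuer = cert.subject
  cert.public_key = ca_key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))  # returns the signed cert
end

# Delegated OCSP signer: issued by the CA it answers for, with
# extendedKeyUsage=OCSPSigning and id-pkix-ocsp-nocheck ("noCheck" in OpenSSL).
def build_ocsp_signer(ca_cert, ca_key, signer_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=ocsp/O=ocsp test")
  cert.issuer = ca_cert.subject
  cert.public_key = signer_key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 30 * 86_400  # keep it short: noCheck means clients never revoke it
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "OCSPSigning", false))
  cert.add_extension(ef.create_extension("noCheck", "ignored"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

# Sanity check before pointing ocsp_cert at a file: the signer must chain to the
# CA it is configured under and carry the OCSPSigning EKU.
def ocsp_signer_ok?(cert, ca_cert)
  exts = cert.extensions.to_h { |e| [e.oid, e.value] }
  cert.verify(ca_cert.public_key) &&
    exts.fetch("extendedKeyUsage", "").include?("OCSP Signing") &&
    exts.key?("noCheck")
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_ca(ca_key)
  signer = build_ocsp_signer(ca, ca_key, OpenSSL::PKey::RSA.new(2048))
  ocsp_signer_ok?(signer, ca)
end
```

Write the signer cert and key out as PEM (`to_pem`) to the paths your ocsp_cert entry names; the CA key stays on the issuing host.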

tisrnd commented 8 years ago

Thanks for your help!