OpenCA OCSPD Container - OCSPD can handle both POST and GET requests
Relies on the contents of repos openca/libpki and openca/openca-ocspd
Note: This is a breaking change from previous iterations where a volume could be mounted to /data/ocspd in the container. The original version of this image is still available using the tag mattbodholdt/openca-ocspd:v1 - (4/2019)
The container expects these four files at the paths shown:
- ca.crt - CA Chain - /usr/local/ocspd/etc/ocspd/certs/ca.crt
- ocspd.crt - OCSP Signing Cert - /usr/local/ocspd/etc/ocspd/certs/ocspd.crt
- ocspd.key - Key for OCSP Signing Cert - /usr/local/ocspd/etc/ocspd/private/ocspd.key
- crl.crl - Intermediate CA CRL - /usr/local/ocspd/etc/ocspd/crls/crl.crl
The files can be mounted into the container as volumes, as in the following example using standalone Docker:
docker run -dt --name ocspd_container -p 2560:2560 -v /var/containerdata/ocspd_ecdsa/ca.crt:/usr/local/ocspd/etc/ocspd/certs/ca.crt -v /var/containerdata/ocspd_ecdsa/ocspd.crt:/usr/local/ocspd/etc/ocspd/certs/ocspd.crt -v /var/containerdata/ocspd_ecdsa/ocspd.key:/usr/local/ocspd/etc/ocspd/private/ocspd.key -v /var/containerdata/ocspd_ecdsa/crl.crl:/usr/local/ocspd/etc/ocspd/crls/crl.crl mattbodholdt/openca-ocspd:v2
To get a bash shell in the container:
docker exec -it ocspd_container /bin/bash
Another option is to use Kubernetes: save these items as secrets and mount those secrets into the pod. An example of how to do this on a kubeadm-created bare-metal cluster with the nginx ingress controller is provided in the kubernetes directory. In the example manifests, the Kubernetes namespace is "pki".
Create namespace:
kubectl create namespace pki
Create the OCSP signing/CA secret and the CRL secret from the files:
kubectl create secret generic ocsp-certs --from-file=ocspd.crt --from-file=ca.crt --from-file=ocspd.key --namespace pki
kubectl create secret generic crl --from-file=crl.crl --namespace pki
Modify the host rule in ingress.yml to reflect your desired host name:
spec:
rules:
- host: your.ocsp.hostname.org
Create deployment:
kubectl apply -f deployment.yml
Create service:
kubectl apply -f service.yml
Create ingress resource:
kubectl apply -f ingress.yml
List Pods:
kubectl get pods -n pki
Show Deployment:
kubectl get deployment ecdsa-ocspd -n pki -o wide
Another option is to use the Docker Hub image of this project as the base for your own image that contains your files, and host that image on a private Docker registry. A Dockerfile to do that looks like this, with the four files in the same directory as the Dockerfile:
FROM mattbodholdt/openca-ocspd:v2
COPY crl.crl /usr/local/ocspd/etc/ocspd/crls/crl.crl
COPY ca.crt /usr/local/ocspd/etc/ocspd/certs/ca.crt
COPY ocspd.crt /usr/local/ocspd/etc/ocspd/certs/ocspd.crt
COPY ocspd.key /usr/local/ocspd/etc/ocspd/private/ocspd.key
ENTRYPOINT [ "/usr/local/ocspd/sbin/ocspd", "-stdout", "-c", "/usr/local/ocspd/etc/ocspd/ocspd.xml" ]
If you use this method, where all the files are baked into the image, you can also run the test_ocspd.sh script as part of a build process, as demonstrated in gitlab-ci-example.yml. If you don't bake the files into the image, skip the test step, as it will fail.
If you use the test script at any point, modify it so that you are testing with a certificate of your own.
To generate test POST and GET requests:
- Use openssl to generate the POST request and write the request out to a file (with OpenSSL 1.1.0 and later the header option takes the form -header HOST="${hostname}" instead of two separate arguments).
hostname="your.ocsp.hostname.org"
port="80"
openssl ocsp -no_nonce -reqout /root/ca_ecdsa/test/ocsptest.req -CAfile /root/ca_ecdsa/intermediate/certs/ecdsa_ca_chain.pem -issuer /root/ca_ecdsa/intermediate/certs/int.ca.crt.pem -cert /root/ca_ecdsa/intermediate/certs/ocsp_test_cert.pem -url "http://${hostname}:${port}" -header "HOST" "${hostname}" -text
- To form the URI of the GET request, URL-encode the base64 encoding of the DER-encoded OCSPRequest (RFC 6960, Appendix A.1); b64url.py does this for you.
curl -s https://raw.githubusercontent.com/mattbodholdt/openca-ocspd/master/b64url.py > b64url.py
chmod +x b64url.py
python b64url.py /root/ca_ecdsa/test/ocsptest.req
- The output of b64url.py is the path of the GET request; it can be fetched with curl and the response parsed with openssl:
curl --silent -X GET http://your.ocsp.hostname.org:80/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSU91ppgoiy3Huh6hMq%2BUZant%2BVmQQUWW0MZSCgXy8pidQyWYcLAW%2BCHmACAhAB > /tmp/res.ocsp
openssl ocsp -respin /tmp/res.ocsp -text -noverify
- The same URI can also be tested with a graphical tool such as Postman.
Once you've generated a URI, modify the URI in test_ocspd.sh and you can repeat the test by running the script.
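The encoding step above, as an added example that is not part of the openca-ocspd project: these POSIX sh functions perform the same transformation as b64url.py (base64 of the DER request, then URL-encoding of the characters "+", "/" and "="), build the full GET URL, and decode such a URL back to hex so a captured URI can be sanity-checked before it goes into test_ocspd.sh. The function names, the demo hostname and the constructed 5-byte sample input are assumptions; ocsp_query_get needs network access and a running responder, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example (not project code): OCSP GET URI helpers in POSIX sh.
# RFC 6960 Appendix A.1: the GET path is the URL-encoded base64 of the DER OCSPRequest.

# Base64-encode a DER file and URL-encode the three characters that are not URL-safe.
ocsp_b64url() {
    base64 < "$1" | tr -d '\n' | sed 's/+/%2B/g; s#/#%2F#g; s/=/%3D/g'
}

# Build the full GET URL: http://<host>:<port>/<b64url>
# $1 = DER request file, $2 = hostname, $3 = port
ocsp_get_uri() {
    printf 'http://%s:%s/%s\n' "$2" "$3" "$(ocsp_b64url "$1")"
}

# Reverse direction: take the last path component of a GET URI, undo the
# URL-encoding, base64-decode, and print the DER as lowercase hex.
ocsp_uri_to_hex() {
    printf '%s' "${1##*/}" \
        | sed 's/%2[Bb]/+/g; s#%2[Ff]#/#g; s/%3[Dd]/=/g' \
        | base64 -d \
        | od -An -tx1 -v \
        | tr -d ' \n'
}

# Structural check: a DER OCSPRequest starts with a SEQUENCE tag (0x30).
ocsp_uri_looks_like_request() {
    case "$(ocsp_uri_to_hex "$1")" in
        30*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Send the GET request and decode the response; $1 = URL, $2 = output file.
# Requires network access to the responder, so it is not run in the demo below.
ocsp_query_get() {
    curl --silent -X GET "$1" > "$2" && openssl ocsp -respin "$2" -text -noverify
}

# Offline demo with a constructed 5-byte input (30 03 02 01 05, not a real OCSPRequest).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '\060\003\002\001\005' > "$tmp"
    ocsp_get_uri "$tmp" your.ocsp.hostname.org 80   # prints http://your.ocsp.hostname.org:80/MAMCAQU%3D
    rm -f "$tmp"
fi
```

Run it with "sh ocsp_uri.sh demo" to see the encoding of the constructed sample; to check a real URI, source the file and call ocsp_uri_looks_like_request with the URL, which fails if the decoded bytes do not start with a SEQUENCE tag.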