A fully serverless X.509 OCSP responder built on AWS Lambda, Amazon S3 and Amazon DynamoDB. Note that the OCSP signing key is packaged with the Lambda function, so the deployment account and the function's permissions become part of the PKI's trust boundary.
# Install the Serverless Framework CLI, fetch this project as a template and
# install its dev dependencies, then open serverless.yml for the edits below.
# Supply-chain caveat: neither the npm package nor the GitHub URL is pinned to a
# version or commit, so what gets installed and later deployed (with the broad
# IAM rights this page asks for) can change under you. Pin the serverless
# version you tested with and review the fetched template before deploying it.
npm i -g serverless
sls install --url https://github.com/heri16/aws-ocsp --name ocsp
cd ocsp
npm i --only=dev
nano serverless.yml
custom:
  # Custom API Gateway domain for the responder; `serverless create_domain`
  # (see the deploy steps) expects a certificate for this name to already
  # exist in ACM.
  customDomain:
    domainName: pki.lmu.co.id
  # S3 bucket and key prefix from which certificates are picked up and
  # registered with the responder (the `bucket` function below reads them).
  # NOTE(review): s3_bucket / s3_key_base are assumed to sit directly under
  # custom:, not under customDomain: — the page's indentation was lost, so
  # confirm against the full serverless.yml.
  s3_bucket: lmu-pki
  s3_key_base: certs/
Request or import a certificate for `domainName` in AWS Certificate Manager before running `serverless create_domain` (for an edge-optimized API Gateway endpoint the certificate must be in us-east-1): http://docs.aws.amazon.com/acm/latest/userguide/gs.html
Create the S3 bucket named in `s3_bucket` before deploying; keep it private, since it holds the certificates the responder vouches for: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html
# config/ must contain the files serverless.yml points at: the signer PFX
# files (config/ocsp1.pfx, config/ocsp2.pfx) and the root bundle
# (config/root_bundle.pem). These are private key material — keep the
# directory out of version control.
ls config/
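functions:
  respond:
    environment:
      # Total number of OCSP responders/signers configured below (one per CA
      # the service answers for, e.g. root + intermediate). Kept as a string
      # because Lambda environment values are strings.
      OCSP_COUNT: '2'
      # Each PFX holds one OCSP signer's private key plus the certificates in
      # its chain. The PFX is packaged into the Lambda deployment artifact, so
      # anyone with lambda:GetFunction can download the key. Use a dedicated
      # OCSP-signing certificate (id-kp-OCSPSigning) rather than the CA key
      # itself, so that a compromise of this function does not compromise the CA.
      OCSP_PFX_1: 'config/ocsp1.pfx'
      # Do not hard-code the PFX password here: this file is committed to VCS
      # and the value would be readable by anyone with
      # lambda:GetFunctionConfiguration or cloudformation:GetTemplate.
      # Store it as an SSM SecureString and reference it; the Serverless
      # Framework resolves the value at deploy time (`~true` = decrypt, v1/v2
      # syntax; v3 decrypts automatically and drops the `~true`).
      # This keeps the secret out of the repository but it still lands in the
      # function's environment — restrict who can read the function
      # configuration, or have the function fetch the secret at runtime instead.
      OCSP_PFX_PASS_1: ${ssm:/ocsp/pfx_pass_1~true}
      # 2nd OCSP responder/signer
      OCSP_PFX_2: 'config/ocsp2.pfx'
      OCSP_PFX_PASS_2: ${ssm:/ocsp/pfx_pass_2~true}
  bucket:
    environment:
      # One or more root CA certificates (PEM, concatenated) used to validate
      # certificates before they are registered with the responder. Only
      # certificates chaining to these roots should ever be registered.
      TRUST_ROOTS: 'config/root_bundle.pem'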
# Create the custom API Gateway domain, deploy the stack to the prod stage,
# then upload the S3 assets.
# `pipenv run` implies a Python virtualenv is needed for the deploy (a Python
# packaging plugin, presumably) — that is not explained elsewhere on this
# page; confirm before relying on it.
sls create_domain
pipenv run sls deploy --stage prod
sls s3deploy
# Put the deploying IAM user's access keys here. Prefer short-lived
# credentials (an assumed role or SSO session) over long-lived keys sitting in
# a plaintext file, especially given how much the user below is allowed to do.
nano ~/.aws/credentials
# The four managed policies below are far broader than a deployment needs.
# IAMFullAccess lets the user grant itself any permission, and
# SystemAdministrator is a job-function policy spanning EC2, RDS and more;
# together they amount to administrator access on the account that also holds
# the OCSP signing key. Scope a deployment policy to what this stack creates
# (CloudFormation, Lambda, API Gateway, DynamoDB, the S3 bucket, Route 53 if
# create_domain manages the record, and iam:CreateRole/PassRole limited to
# the function's execution role) and attach that instead.
# NOTE(review): AWSLambdaFullAccess has been superseded by AWSLambda_FullAccess;
# confirm the ARN below still attaches in your account.
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/AWSLambdaFullAccess
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/SystemAdministrator
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/IAMFullAccess