Skip to content
/ aws-ocsp Public

A fully-serverless x.509 OCSP responder using AWS Lambda, AWS S3, and AWS DynamoDB.

License

MIT license
7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

heri16/aws-ocsp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

config

config

 
 

ocsp

ocsp

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Pipfile

Pipfile

 
 

Pipfile.lock

Pipfile.lock

 
 

README.md

README.md

 
 

bucket.py

bucket.py

 
 

handler.py

handler.py

 
 

log_cfg.py

log_cfg.py

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

serverless.yml

serverless.yml

 
 

Repository files navigation

aws-ocsp

A fully-serverless x.509 OCSP responder using AWS Lambda, AWS S3, and AWS DynamoDB.

Usage

Install serverless framework

npm install -g serverless

Download this project and required plugins

serverless install --url https://github.com/heri16/aws-ocsp --name ocsp
cd ocsp
npm install --only=dev

Edit custom section of serverless.yml

nano ./serverless.yml
custom:
  customDomain:
    domainName: pki.lmu.co.id
  s3_bucket: lmu-pki
  s3_key_base: certs/

Request a free ACM Certificate for your custom domainName (if not yet created)

http://docs.aws.amazon.com/acm/latest/userguide/gs.html

Create the bucket on Amazon S3 (if not yet created)

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html

Add relevant files to config folder (Adjust environment vars accordingly)

ls ./config
functions:
  respond:
    environment:
      # OCSP_COUNT should denote the total number of OCSP responders (in-case of serving intermediate-CAs)
      OCSP_COUNT: '2'
      # PFX files should contain ocsp signer's privKey (and all related certificates in the chain)
      OCSP_PFX_1: 'config/ocsp1.pfx'
      OCSP_PFX_PASS_1: 'pass_for_ocsp1'
      # 2nd OCSP Responder/Signer
      OCSP_PFX_2: 'config/ocsp2.pfx'
      OCSP_PFX_PASS_2: 'pass_for_ocsp2'
  bucket:
    environment:
      # One or many Root certificates in PEM-format to validate the certificates before being registered into OCSP
      TRUST_ROOTS: 'config/root_bundle.pem'

Deploy project to AWS

serverless create_domain
pipenv run serverless deploy --stage=prod
serverless s3deploy

Check aws credentials if you have trouble deploying

nano ~/.aws/credentials

aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/AWSLambdaFullAccess
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/SystemAdministrator
aws iam attach-user-policy --user-name <your_username> --policy-arn arn:aws:iam::aws:policy/IAMFullAccess

About

A fully-serverless x.509 OCSP responder using AWS Lambda, AWS S3, and AWS DynamoDB.

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages