diff --git a/docs/ocspd.3 b/docs/ocspd.3
new file mode 100644
index 0000000..7a86872
--- /dev/null
+++ b/docs/ocspd.3
@@ -0,0 +1,221 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. 
ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ocspd.3 3" +.TH ocspd.3 3 "2018-06-02" "openca-ocspd 3.1.2" "OpenCA Contributed Manual" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH "NAME" +.Vb 1 +\& openca\-ocspd \- OCSP Daemon +.Ve +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenca-ocspd\fR +[\fB\-d\fR] +[\fB\-p n\fR] +[\fB\-b address\fR] +[\fB\-c file\fR] +[\fB\-md digest\fR] +[\fB\-k passwd\fR] +[\fB\-i passin\fR] +[\fB\-e engine\fR] +[\fB\-r chroot_dir\fR] +[\fB\-v\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBopenca-ocspd\fR is an \s-1RFC2560\s0 compliant \s-1OCSPD\s0 responder. It can +be used to verify the status of a certificate using \s-1OCSP\s0 clients +(such as Mozilla/Netscape7). +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-d\fR" 4 +.IX Item "-d" +detach the main process from the calling process. +.IP "\fB\-p n\fR" 4 +.IX Item "-p n" +specifies the port to bind to. Default is 2560. +.IP "\fB\-b address\fR" 4 +.IX Item "-b address" +specifies the \s-1IP\s0 address to bind to. Default behaviour is to listen +to every \s-1IP\s0 available (equal to '*' value). +.IP "\fB\-c file\fR" 4 +.IX Item "-c file" +specifies the configuration file to be loaded. Default file loaded +is \fB/usr/local/etc/ocspd.conf\fR. +.IP "\fB\-md digest\fR" 4 +.IX Item "-md digest" +specifies the digest to be used when generating responses. Default is +sha1. +.IP "\fB\-k passwd\fR" 4 +.IX Item "-k passwd" +specifies the password to be used when loading the private key. +.IP "\fB\-i passin\fR" 4 +.IX Item "-i passin" +the key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause the responder +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-r chroot_dir\fR" 4 +.IX Item "-r chroot_dir" +Chroot the application into the specified directory. 
+.IP "\fB\-v\fR" 4 +.IX Item "-v" +this prints extra details about the operations being performed. +.SH "NOTES" +.IX Header "NOTES" +.RS 4 +Actually not extensive testing has been carried out, anyway this daemon +is reported to work with Mozilla/Netscape. +.Sp +To reload the certificate's db simply send a \s-1SIGHUP\s0 to the main process +( kill \-s \s-1SIGHUP\s0 pid ). +.RE +.SH "EXAMPLE" +.IX Header "EXAMPLE" +.Vb 1 +\& openca\-ocspd \-c contrib/ocspd.conf +.Ve +.SH "AUTHOR" +.IX Header "AUTHOR" +.RS 4 +Massimiliano Pala +.RE +.SH "SEE ALSO" +.IX Header "SEE ALSO" +.RS 4 +\&\fIopenca\fR\|(3),\fIopenssl\fR\|(1), \fIocsp\fR\|(1) +.RE diff --git a/docs/ocspd.conf.3 b/docs/ocspd.conf.3 new file mode 100644 index 0000000..94c732b --- /dev/null +++ b/docs/ocspd.conf.3 
@@ -0,0 +1,465 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. 
ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ocspd.conf.3 3" +.TH ocspd.conf.3 3 "2018-06-02" "openca-ocspd 3.1.2" "OpenCA Contributed Manual" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH "NAME" +.Vb 1 +\& ocspd.conf \- OCSP Daemon configuration file +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A configuration file is divided into a number of sections. Each section +starts with a line \fB[ section_name ]\fR and ends when a new section is +started or end of file is reached. A section name can consist of +alphanumeric characters and underscores. +.PP +The first section of a configuration file is special and is referred +to as the \fBdefault\fR section this is usually unnamed and is from the +start of file until the first named section. When a name is being looked up +it is first looked up in a named section (if any) and then the +default section. +.PP +The environment is mapped onto a section called \fB\s-1ENV\s0\fR. +.PP +Comments can be included by preceding them with the \fB#\fR character +.PP +Each section in a configuration file consists of a number of name and +value pairs of the form \fBname=value\fR +.PP +The \fBname\fR string can contain any alphanumeric characters as well as +a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR. +.PP +The \fBvalue\fR string consists of the string following the \fB=\fR character +until end of line with any leading and trailing white space removed. +.PP +The value string undergoes variable expansion. This can be done by +including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value +of the named variable in the current section. It is also possible to +substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR +or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment +variables can be substituted. It is also possible to assign values to +environment variables by using the name \fBENV::name\fR, this will work +if the program looks up environment variables using the \fB\s-1CONF\s0\fR library +instead of calling \fB\f(BIgetenv()\fB\fR directly. 
+.PP +It is possible to escape certain characters by using any kind of quote +or the \fB\e\fR character. By making the last character of a line a \fB\e\fR +a \fBvalue\fR string can be spread across multiple lines. In addition +the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized. +.SH "NOTES" +.IX Header "NOTES" +If a configuration file attempts to expand a variable that doesn't exist +then an error is flagged and the file will not load. This can happen +if an attempt is made to expand an environment variable that doesn't +exist. For example the default OpenSSL master configuration file used +the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +Following is a sample configuration file: +.Sp +.Vb 3 +\& # OCSPd example configuration file. +\& # (c) 2001 by Massimiliano Pala \- OpenCA Project. +\& # All rights reserved +\& +\& [ ocspd ] +\& default_ocspd = OCSPD_default +\& +\& +\& [ OCSPD_default ] +\& +\& dir = /usr/local/etc/ocspd +\& db = $dir/index.txt +\& md = sha1 +\& +\& ca_certificate = $dir/certs/cacert.pem +\& ocspd_certificate = $dir/certs/ocspd_cert.pem +\& ocspd_key = $dir/private/ocspd_key.pem +\& pidfile = $dir/ocspd.pid +\& +\& user = ocspd +\& group = daemon +\& bind = * +\& port = 2560 +\& max_childs_num = 5 +\& max_req_size = 8192 +\& +\& request = ocsp_req +\& response = ocsp_response +\& +\& dbms = dbms_ldap # Example using the LDAP for CRL +\& # retrivial +\& +\& #dbms = dbms_file # Example using file for CRL +\& +\& engine = HSM # ENGINE section +\& +\& #################################################################### +\& [ ocsp_req ] +\& default_keyfile = key.pem +\& +\& #################################################################### +\& [ ocsp_response ] +\& dir = /usr/local/etc/ocspd +\& ocsp_add_response_certs = $dir/certs/chain_certs.pem +\& ocsp_add_response_keyid = yes +\& next_update_days = 0 +\& next_update_mins = 5 +\& +\& 
#################################################################### +\& [ dbms_ldap ] +\& +\& # It is possible to use an URI to identify a CRL and/or the +\& # CA certificate, the general format is: +\& # +\& # [protocol]://[user[:pwd]@]server[:port]/[path] +\& # +\& # where: +\& # protocol \- specifies the protocol to be used, supported are +\& # file, ldap, http +\& # user \- is the user for auth (meaningful only if ldap or +\& # http is used) +\& # pwd \- password used for auth (meaningful only if ldap +\& # or http is used) +\& # port \- port to connect to (meaningful only if ldap or +\& # http is used) +\& # path \- complete path to the object (meaningful only if +\& # http is used) +\& # +\& # You can have the CRLs/CA certificates on a simple file +\& # crl_url = file:///usr/local/etc/ocspd/crl.pem +\& # +\& # You can retrieve the CRLs/CA certificates from a web server +\& # crl_urt = http://server/ca/cacert.der +\& # +\& # You can store the CRL into an LDAP server, simply +\& # store it in certificateRevocationList;binary attribute +\& # +\& # There are different way, all legal, to specify the CRL +\& # URL address: +\& # crl_url = ldap://user:pwd@ldap.server.org:389 +\& # crl_url = ldap://ldap.server.org:389 +\& crl_url = ldap://localhost +\& +\& # The CRL entry DN is the DN to look for when retrieving the +\& # date from the LDAP server. Put here the complete DN (usually +\& # the DN of the CA\*(Aqs certificate). +\& crl_entry_dn = "email=email@address, cn=Certification Auth, \e +\& o=Organization, c=IT" +\& +\& #################################################################### +\& [ dbms_file ] +\& +\& # You can have the CRL on a simple file in PEM format +\& crl_url = file:///usr/local/etc/ocspd/crl.pem +\& +\& [ HSM ] +\& # Hardware accelerators support via the ENGINE interface +\& engine_id = MyAccelerator +\& 0.engine_pre = login:1:10:11:myPassword +\& # 0.engine_post = logout:1:10:11 +.Ve +.PP +Let's analyze the options in detail. 
+.IP "\fBdefault_ocspd section\fR" 6 +.IX Item "default_ocspd section" +In this section of the configuration file are set the general options +used by the responder, some of which are available using the command +line options too ( see \fIocspd\fR\|(3)). +.IP "\fBdir\fR" 6 +.IX Item "dir" +specifies the directory where everything is kept. +.IP "\fBdb\fR" 6 +.IX Item "db" +specifies the db where info about issued certificates are kept. Right +now the only supported file format is the one from \fB\f(BIopenssl\fB\|(1)\fR. +To reload the certificate's db simply send a \s-1SIGHUP\s0 to the main process +( kill \-s \s-1SIGHUP\s0 pid ). +.IP "\fBmd\fR" 6 +.IX Item "md" +specifies the digest to be used. Default is sha1. +.IP "\fBca_certificate\fR" 6 +.IX Item "ca_certificate" +path to the \s-1CA\s0's certificate. +.IP "\fBocspd_certificate\fR" 6 +.IX Item "ocspd_certificate" +path to the certificate to be used by the responder. +.IP "\fBocspd_key\fR" 6 +.IX Item "ocspd_key" +path to the private key file to be used by the responder. +.IP "\fBpidfile\fR" 6 +.IX Item "pidfile" +path to the pid file where the responder will write its pid when +starting. +.IP "\fBuser\fR" 6 +.IX Item "user" +user id the responder will try to run as, this must be a valid \s-1UID.\s0 +If not specified the responder will run as the user who started the +daemon. +.IP "\fBgroup\fR" 6 +.IX Item "group" +group id the responder will try to run as, this must be a valid \s-1GID.\s0 +If not specified the responder will run as the user who started the +daemon. +.IP "\fBbind\fR" 6 +.IX Item "bind" +address to listen to. You can force the responder to listen to just +one of the available addresses. If you want the responder to listen +to every available interface, simply use '*' (default). +.IP "\fBport\fR" 6 +.IX Item "port" +specifies the port to listen to. 
+.IP "\fBthreads_num\fR" 6 +.IX Item "threads_num" +Number of threads that shall be created at startup time, the +more threads, the better for handling very high traffic. We +expect to have better performances on multi-threaded machines +and processors. +.Sp +From version 1.5+ the server is not pre-forked, instead it is +a pre-threaded one. In order to run the server needs support +for \s-1POSIX1\s0.c as found in most modern UNiX systems. +.IP "\fBchroot_dir\fR" 6 +.IX Item "chroot_dir" +Chroot the application into the specified directory, watch +out because if you chroot the application, all the paths +should be relative to the new root for \s-1CRL\s0 reloading or +(better solution) you have to download the CRLs from \s-1HTTP\s0 or +\&\s-1LDAP.\s0 If you chroot and you do not provide support for +privileges dropping, privileges will not be dropped and an +error will be written in the logfile, but the server will +continue to run assuming the \fIchroot()\fR is sufficiently isolated +to prevent abuse of the machine. +.IP "\fBmax_req_size\fR" 6 +.IX Item "max_req_size" +maximum size of received request, if a received request is bigger it +will be trashed. Usually simple requests are 200/300 bytes long (more +or less). +.IP "\fBrequest section\fR" 6 +.IX Item "request section" +Currently not used +.IP "\fBresponse section\fR" 6 +.IX Item "response section" +Here are kept options tied to responses' building. +.IP "\fBdbms section\fR" 6 +.IX Item "dbms section" +Here are kept options tied to the revoked certificates' list. +.RS 6 +.IP "\fBocsp_add_response_certs\fR" 4 +.IX Item "ocsp_add_response_certs" +specifies path to a file containing certificates to be added to the +response (usually the whole certification chain). Certificates have to +be in \s-1PEM\s0 format one after another (a simple cat of the certificates +will do fine). +.IP "\fBocsp_add_response_keyid\fR" 4 +.IX Item "ocsp_add_response_keyid" +specifies if adding of the key id to the response. 
+.IP "\fBnext_update_days\fR" 4 +.IX Item "next_update_days" +specifies the number of days till next update is available. A +response will be valid in the period following the request till +the days+mins. +.IP "\fBnext_update_mins\fR" 4 +.IX Item "next_update_mins" +specifies the number of minutes till next update is available. A +response will be valid in the period following the request till +the days+mins. +.IP "\fBca_url\fR" 4 +.IX Item "ca_url" +specifies the \s-1URI\s0 where the \s-1CA\s0 certificate (which identifies the +single \s-1CA\s0) is located. Three different protocols are implemented +( file:// http:// or ldap:// ). If file is chosen, then the parameter +should carry the path to the \s-1CA\s0 file (i.e. file:///usr/local/etc/ca.pem). +If ldap or http is chosen, you can specify the address, and the port +of the server where to connect to (i.e. ldap://server.addr:port). +.IP "\fBcrl_url\fR" 4 +.IX Item "crl_url" +specifies the \s-1URI\s0 where the \s-1CRL\s0 (list of revoked certificates, +actually used for building responses) is located. Three different +protocols are actually implemented ( file:// http:// or ldap:// ). +If file is chosen, then the parameter should have the path to the +crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap or http +is chosen, you can specify the address, and the port of the +server where to connect to (i.e. ldap://server.addr:port). +.IP "\fBcrl_entry_dn\fR" 4 +.IX Item "crl_entry_dn" +specifies, if ldap:// protocol is chosen within the \fBcrl_url\fR +parameter, the entry where to look for the certificateRevocationList +attribute where the \s-1CRL\s0 should be present (usually this is also +the base of the \s-1LDAP\s0 tree, but different installations are also +possible). 
+.RE +.RS 6 +.RE +.IP "\fB\s-1ENGINE\s0 section\fR" 6 +.IX Item "ENGINE section" +.RS 6 +.PD 0 +.IP "\fBengine_id\fR" 6 +.IX Item "engine_id" +.PD +Specifies the \s-1ENGINE\s0 id to be used \- check OpenSSL and your \s-1HSM\s0 +vendor to get more info about this parameter. +.IP "\fBengine_pre\fR" 6 +.IX Item "engine_pre" +Some \s-1HSM\s0 need initialisation before access to the crypto accelerated +functions is granted. It is possible, by using the 'engine_pre' options +to issue needed commands directly to the \s-1HSM.\s0 +.Sp +The format is as follows: + 0.engine_pre = cmd:values + 1.engine_pre = cmd2:values + ... +It is possible to have as many commands as needed. +.IP "\fBengine_post\fR" 6 +.IX Item "engine_post" +Some HSMs need to perform commands after the \s-1ENGINE\s0 initialisation +which are taken from the 'engine_post' option. Usage and format +is exactly the same as 'engine_pre', the difference is that commands +are sent to the \s-1HSM\s0 after the \fIENGINE_init()\fR function. Refer to your +\&\s-1HSM\s0 documentation for more informations +.RE +.RS 6 +.RE +.SH "AUTHOR" +.IX Header "AUTHOR" +.RS 4 +Massimiliano Pala +.RE +.SH "SEE ALSO" +.IX Header "SEE ALSO" +.RS 4 +\&\fIocspd\fR\|(3),\fIopenca\fR\|(3),\fIopenssl\fR\|(1), \fIocsp\fR\|(1) +.RE