vault-ocsp's Introduction

Vault OCSP

Vault OCSP provides OCSP support for Hashicorp Vault PKI backends it uses Vault to retrieve a CA certificate at startup and the cert/{serial} API to fetch the revocation status of certificates. Responses for revoked certificates are cached in memory.

Vault OCSP is based on Hashicorp's Vault API and OCSP code from Cloudflare's PKI and TLS toolkit.

License

Vault OCSP is licensed under the Mozilla Public License 2.0.

The file vendor/github.com/cloudflare/cfssl/ocsp/responder.go is copied from Cloudflare's cfssl repository and is licensed under cfssl's BSD 2-clause "Simplified" License

Building Vault OCSP

git clone https://github.com/T-Systems-MMS/vault-ocsp.git
cd vault-ocsp
go get
go build -o vault-ocsp

Running Vault OCSP

Vault OCSP is helpful:

./vault-ocsp -help
Usage of ./vault-ocsp:
  -pkimount string
        vault PKI mount to use (default "pki")
  -responderCert string
        OCSP responder signing certificate file
  -responderKey string
        OCSP responder signing private key file
  -serverAddr string
        Server IP and Port to use (default ":8080")

Vault OCSP supports the same environment variables as the Vault command line interface. You will probably need to set VAULT_ADDR, VAULT_CACERT and VAULT_TOKEN to use it.

The command line arguments -responderCert and -responderKey are mandatory and should point to a PEM encoded X.509 certificate file and a corresponding PEM and PKCS#1 encoded RSA private key file.

The key can be generated using openssl rsa and the certificate should be signed by a CA that is trusted by the OCSP clients that will query the Vault OCSP instance.

Make Vault OCSP known to Vault

You can use the /pki/config/urls API to define Vault OCSP as OCSP responder. You should use an OCSP URL that will be reachable from your OCSP clients. If you want to make the OCSP responder available via https itself you will need a reverse proxy like nginx or Apache httpd in front of Vault OCSP.

vault-ocsp's People

Contributors

Stargazers

Watchers

vault-ocsp's Issues

cfssl NewResponder requirement changes

Hi,

In an attempt to build vault-ocsp, it was failing on go get:

$ go get
# _/vault-ocsp
./vault_ocsp.go:62:38: not enough arguments in call to "github.com/cloudflare/cfssl/ocsp".NewResponder
        have (*VaultSource)
        want ("github.com/cloudflare/cfssl/ocsp".Source, "github.com/cloudflare/cfssl/ocsp".Stats)

Looks like under cloudflare/cfssl/ocsp/responder.go, the NewResponder is looking for Source and Stats now:

// NewResponder instantiates a Responder with the give Source.
func NewResponder(source Source, stats Stats) *Responder {
        return &Responder{
                Source: source,
                stats:  stats,
                clk:    clock.New(),
        }
}

Vault revocation certicate

Hello,

I have this message when I launch vault-ocsp:

./vault-ocsp -responderCert /home/vault/ScriptVault/.crt -responderKey /home/vault/ScriptVault/.key
2023/07/11 08:44:22 [INFO] Found CA certificate test
Please let me know how can i inform the hosts that the certificate is revoked?

Best regards

Acyl G;

Recommend Projects

t-systems-mms / vault-ocsp Goto Github PK

vault-ocsp's Introduction

Vault OCSP

License

Building Vault OCSP

Running Vault OCSP

Make Vault OCSP known to Vault

vault-ocsp's People

Contributors

Stargazers

Watchers

Forkers

vault-ocsp's Issues

cfssl NewResponder requirement changes

Vault revocation certicate

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent