How to test OCSP implementation?


Problem description

For testing an OCSP implementation I need an OCSP responder. Is there any ready responder for testing purposes? Or is there any way to run some responder on localhost?

Recommended answer

If you have or get openssl, it includes a basic but usable OCSP responder; see man ocsp(1) (sometimes 1ssl or similar) on your system or on the web at "OCSP Server Options" about halfway down. (The ocsp command also includes a client/requester and debugging utility.)

This is designed to support certificates issued (and optionally revoked) by the openssl ca command (q.v.) and recorded in its 'database', but that database is just a tab-delimited text file (conventionally but not necessarily named index.txt) that you can cons up for certs that already exist as long as they all have the same issuer name. And of course you need a key/cert/chain supporting OCSP-sign for the issuer (or delegate). I thought there was doc on the 'database' format but I can't find it, and I've been using them so long I forget where I learned -- it might have been from the code. But for an example of (re)creating index.txt see https://unix.stackexchange.com/questions/320038/easy-rsa-index-txt-serial-and-duplicates (answer partly mine).

Note that one process uses one 'database' file and supports one issuer. If you need more than one issuer, you could run several processes on different ports and/or different addresses on a machine with multiple addresses. If that's not suitable you could put any HTTP frontend in between, e.g. httpd or nginx could accept mixed requests and forward http://myocsp.local/forCA1 to one openssl ocsp process on localhost:1001 and http://myocsp.local/forCA2 to another on localhost:1002 etc.
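The procedure the answer sketches, as an added example that is not part of the original answer: hand-write the tab-delimited index.txt 'database' for certificates that already exist, start `openssl ocsp` as a responder on localhost, and query it for a good and a revoked certificate. It assumes openssl 1.1.1 or later and GNU date (for `-d`) on PATH; the CA name, the leaf names `good`/`revoked`, the serials 1001/1002 and the port 8888 (an unprivileged port, unlike the 1001 in the answer, which would need root) are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original answer): hand-build the index.txt
# "database", serve it with `openssl ocsp` on an unprivileged localhost port
# and query it. Assumes openssl 1.1.1+ and GNU date (for -d) are on PATH.
set -eu

# Format one index.txt line. The six tab-separated columns are:
#   status (V/R/E)  expiry  revocation date (empty unless R)  serial  file  subject
# openssl ca writes "unknown" in the file column when it keeps no copy.
format_index_line() {
  status=$1; expiry=$2; revdate=$3; serial=$4; subject=$5
  printf '%s\t%s\t%s\t%s\tunknown\t%s\n' \
    "$status" "$expiry" "$revdate" "$serial" "$subject"
}

# Derive the line for a certificate that already exists (the "cons up" case
# from the answer). Dates are UTCTime YYMMDDHHMMSSZ, the serial is uppercase hex,
# which is the form the responder compares against the request's serial.
cert_index_line() {
  cert=$1; status=${2:-V}; revdate=${3:-}
  notafter=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  expiry=$(date -u -d "$notafter" +%y%m%d%H%M%SZ)          # GNU date assumed
  serial=$(openssl x509 -in "$cert" -noout -serial | sed 's/^serial=//')
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt compat | sed 's/^subject=//')
  format_index_line "$status" "$expiry" "$revdate" "$serial" "$subject"
}

# Throwaway CA plus two leaf certs (constructed test data), then the database:
# serial 1001 stays valid, serial 1002 is marked revoked as of now.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=Test-CA \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  sn=1001
  for name in good revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -set_serial "$sn" -days 30 -out "$dir/$name.pem" 2>/dev/null
    sn=$((sn + 1))
  done
  {
    cert_index_line "$dir/good.pem" V
    cert_index_line "$dir/revoked.pem" R "$(date -u +%y%m%d%H%M%SZ)"
  } > "$dir/index.txt"
}

# Background responder that signs with the issuer key itself (no delegated
# OCSP-signing cert needed); it exits after $3 requests. One process serves
# one index.txt and one issuer, as the answer notes.
start_responder() {
  dir=$1; port=$2; nreq=$3
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
    -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" \
    -port "$port" -nrequest "$nreq" > "$dir/responder.log" 2>&1 &
  responder_pid=$!
}

# Ask the responder about one cert; prints good / revoked / unknown.
# The client verifies the response signature against ca.pem before printing.
ocsp_status() {
  dir=$1; port=$2; cert=$3
  openssl ocsp -issuer "$dir/ca.pem" -cert "$cert" -CAfile "$dir/ca.pem" \
    -url "http://127.0.0.1:$port" 2>/dev/null |
    awk -v c="$cert: " 'index($0, c) == 1 { print substr($0, length(c) + 1) }'
}

demo() {
  dir=$(mktemp -d); port=${OCSP_PORT:-8888}
  make_test_pki "$dir"
  start_responder "$dir" "$port" 2
  sleep 1                                   # give the listener a moment to bind
  echo "good.pem    -> $(ocsp_status "$dir" "$port" "$dir/good.pem")"
  echo "revoked.pem -> $(ocsp_status "$dir" "$port" "$dir/revoked.pem")"
  wait "$responder_pid" || true             # responder exits after its 2 requests
  rm -rf "$dir"
}

# Run as: sh ocsp_demo.sh run
if [ "${1:-}" = run ]; then demo; fi
```

Running `sh ocsp_demo.sh run` should print `good.pem -> good` and `revoked.pem -> revoked`; add `-text` to the client command to see the full response, including the revocation time taken from the third column. For a second issuer, build a second directory with its own index.txt and call `start_responder` again on another port, which is the one-process-per-issuer setup the answer describes.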
