[CentOS] Simple OCSP server ??

Sat Apr 15 02:41:50 UTC 2017
Alice Wonder <alice at domblogger.net>

https://www.openca.org/ might fit my needs.

On 04/14/2017 06:29 PM, Alice Wonder wrote:
> Hello list,
> I'm contemplating running my own CA to implement the new proposed ISP
> for validation of S/MIME certificates via DANE.
> I already use self-signed for my MX servers (with 3 1 1 dane records on
> TCP port 25) but I don't want to use self-signed for S/MIME for user
> specific x.509 certs because
> A) That's potentially a lot of DNS records
> B) That requires a hash of the e-mail addresses in DNS
> Instead, I will be using a wildcard in DNS with an intermediary that
> signs the user x.509 certificates.
> Using an intermediary to sign their certificates though means I can't
> just revoke their certificates by removing the DNS certificate, I'll
> need to provide an OCSP server for when one of their private keys gets
> compromised.
> I found
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
> but it looks like that is intended for enterprise, more complex than I
> need.
> Anyone know of a good simple script for providing OCSP ??
> -=-
> Not relevant to question but just important for me to note, I will *not*
> be asking people to install my root certificate in their e-mail clients.
> I think it is a bad practice to get users in the habit of installing
> root certificates.
> I think the PKI system has way way way to many root certificates as it
> is. I want a world where DANE validates most certificates, and only a
> few root certificates are needed for things like banks where EV
> certificates are a must.
> DANE as a way to validate S/MIME I think will be a godsend to e-mail
> security, I hope clients implement it.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos