[CentOS] Simple OCSP server ??

Sat Apr 15 01:29:23 UTC 2017
Alice Wonder <alice at domblogger.net>

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP 
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on 
TCP port 25) but I don't want to use self-signed for S/MIME for user 
specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that 
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't 
just revoke their certificates by removing the DNS certificate, I'll 
need to provide an OCSP server for when one of their private keys gets 

I found 
but it looks like that is intended for enterprise, more complex than I need.

Anyone know of a good simple script for providing OCSP ??


Not relevant to question but just important for me to note, I will *not* 
be asking people to install my root certificate in their e-mail clients. 
I think it is a bad practice to get users in the habit of installing 
root certificates.

I think the PKI system has way way way to many root certificates as it 
is. I want a world where DANE validates most certificates, and only a 
few root certificates are needed for things like banks where EV 
certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail 
security, I hope clients implement it.