Oh I don't know, their GitHub works. However it seems that it isn't able to deal with more than one OCSP signing key.

On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
>
>
> On 04/14/2017 10:41 PM, Alice Wonder wrote:
>> https://www.openca.org/ might fit my needs.
>
> their CentOS repo does not exist, it seems?
>
>>
>> On 04/14/2017 06:29 PM, Alice Wonder wrote:
>>> Hello list,
>>>
>>> I'm contemplating running my own CA to implement the new proposed ISP
>>> for validation of S/MIME certificates via DANE.
>>>
>>> I already use self-signed for my MX servers (with 3 1 1 DANE records on
>>> TCP port 25) but I don't want to use self-signed for S/MIME for user
>>> specific x.509 certs because
>>>
>>> A) That's potentially a lot of DNS records
>>> B) That requires a hash of the e-mail addresses in DNS
>>>
>>> Instead, I will be using a wildcard in DNS with an intermediary that
>>> signs the user x.509 certificates.
>>>
>>> Using an intermediary to sign their certificates though means I can't
>>> just revoke their certificates by removing the DNS certificate, I'll
>>> need to provide an OCSP server for when one of their private keys gets
>>> compromised.
>>>
>>> I found
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
>>>
>>> but it looks like that is intended for enterprise, more complex than I
>>> need.
>>>
>>> Anyone know of a good simple script for providing OCSP ??
>>>
>>> -=-
>>>
>>> Not relevant to question but just important for me to note, I will *not*
>>> be asking people to install my root certificate in their e-mail clients.
>>> I think it is a bad practice to get users in the habit of installing
>>> root certificates.
>>>
>>> I think the PKI system has way way way too many root certificates as it
>>> is. I want a world where DANE validates most certificates, and only a
>>> few root certificates are needed for things like banks where EV
>>> certificates are a must.
>>>
>>> DANE as a way to validate S/MIME I think will be a godsend to e-mail
>>> security, I hope clients implement it.
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
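The question at the root of this thread is how to provide OCSP for user certificates signed by a private intermediary without standing up an enterprise PKI product. The script below is an added example, not code from the thread, from OpenCA or from Red Hat Certificate System; it uses nothing but openssl(1). It builds a throw-away CA, a delegated OCSP signing certificate and one S/MIME user certificate, then plays both sides of the OCSP exchange from the CA's index.txt: the client writes a request, the responder answers from the index, and the client verifies the signed answer. It does this once while the certificate is valid and once after revoking it. Every name, path, subject and the AIA URL are constructed for the demo, and the only thing assumed about the host is that an openssl binary (1.1.1 or 3.x) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: an OCSP responder round-trip using only
# openssl(1). It builds a throw-away CA, a delegated OCSP signing certificate
# and one S/MIME user certificate, then answers an OCSP request for that user
# from the CA's index.txt before and after revoking it.
# Every name, path and URL below is constructed for the demo.

demo_ca_setup() {
    # Creates the directory layout openssl ca expects and prints its path.
    ca=$(mktemp -d) || return 1
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"        # certificate database, one line per issued cert
    echo 01 > "$ca/serial"     # next serial number (hex)

    # Minimal config: [demo_ca] drives issuance and revocation; the extension
    # sections distinguish the OCSP signer from ordinary user certificates.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca          = demo_ca
[ demo_ca ]
database            = $ca/index.txt
new_certs_dir       = $ca/newcerts
serial              = $ca/serial
certificate         = $ca/ca.crt
private_key         = $ca/ca.key
default_md          = sha256
default_days        = 365
policy              = policy_any
unique_subject      = no
[ policy_any ]
commonName          = supplied
emailAddress        = optional
[ req ]
distinguished_name  = req_dn
[ req_dn ]
commonName          = Common Name
emailAddress        = Email Address
[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = keyCertSign, cRLSign
[ ocsp_signer ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature
extendedKeyUsage    = OCSPSigning
[ smime_user ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = emailProtection
# placeholder responder URL; a real deployment points this at the -port host
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/
EOF

    cnf=$ca/openssl.cnf
    (
        set -e
        # Self-signed root. Its key only signs certificates; with DANE anchoring
        # trust it never has to be installed in anyone's mail client.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$cnf" \
            -extensions v3_ca -subj "/CN=Demo Root CA" \
            -keyout "$ca/ca.key" -out "$ca/ca.crt"
        # Delegated OCSP signer: only this key needs to live on the responder.
        openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
            -subj "/CN=Demo OCSP Responder" \
            -keyout "$ca/ocsp.key" -out "$ca/ocsp.csr"
        openssl ca -batch -config "$cnf" -extensions ocsp_signer \
            -in "$ca/ocsp.csr" -out "$ca/ocsp.crt"
        # One S/MIME user certificate with a constructed address.
        openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
            -subj "/CN=alice/emailAddress=alice@example.invalid" \
            -keyout "$ca/user.key" -out "$ca/user.csr"
        openssl ca -batch -config "$cnf" -extensions smime_user \
            -in "$ca/user.csr" -out "$ca/user.crt"
    ) >"$ca/build.log" 2>&1 || { cat "$ca/build.log" >&2; return 1; }
    echo "$ca"
}

demo_ca_revoke() {
    # $1 = CA dir, $2 = certificate file. Flags it R in index.txt; the next
    # OCSP answer for it changes from good to revoked without re-issuing anything.
    openssl ca -config "$1/openssl.cnf" -revoke "$2" -crl_reason keyCompromise \
        >>"$1/build.log" 2>&1
}

ocsp_status() {
    # $1 = CA dir, $2 = certificate to check. Prints good, revoked or unknown.
    ca=$1; cert=$2
    # Client side: build the request (identifies the cert by issuer hash + serial).
    openssl ocsp -issuer "$ca/ca.crt" -cert "$cert" -reqout "$ca/req.der" \
        >/dev/null 2>&1 || return 1
    # Responder side: look the serial up in index.txt and sign the answer with
    # the delegated key. Replacing -reqin/-respout with -port 8888 turns this
    # same command into the HTTP responder the AIA URL would point at.
    openssl ocsp -index "$ca/index.txt" -CA "$ca/ca.crt" \
        -rsigner "$ca/ocsp.crt" -rkey "$ca/ocsp.key" \
        -reqin "$ca/req.der" -respout "$ca/resp.der" >/dev/null 2>&1 || return 1
    # Client side: check that the signer chains to the CA and is allowed to
    # answer for it (OCSPSigning EKU), then read the status. -no_nonce because
    # this offline check is not paired with the request whose nonce it would compare.
    out=$(openssl ocsp -respin "$ca/resp.der" -issuer "$ca/ca.crt" -cert "$cert" \
        -CAfile "$ca/ca.crt" -no_nonce 2>&1) || return 1
    case $out in
        *"Response verify OK"*) ;;
        *) echo verify-failed; return 1 ;;
    esac
    printf '%s\n' "$out" | grep -E '^[^[:space:]].*: (good|revoked|unknown)$' \
        | awk '{ print $NF }'
}

demo_ocsp_roundtrip() {
    # Issue, query, revoke, query again; prints "good" then "revoked".
    d=$(demo_ca_setup) || return 1
    echo "before revocation: $(ocsp_status "$d" "$d/user.crt")"
    demo_ca_revoke "$d" "$d/user.crt"
    echo "after revocation:  $(ocsp_status "$d" "$d/user.crt")"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo_ocsp_roundtrip
else
    echo "openssl(1) not found; this example needs it" >&2
fi
```

Two things worth noticing in the design. The CA key is used only by openssl ca; the responder process holds just the delegated signing key, so a compromise of the host answering queries does not give up the ability to issue certificates. And index.txt is the whole revocation record: openssl ca -revoke rewrites it and the responder reads it on every request, so that file (and keeping the responder's copy current) is what actually revokes a user whose private key leaks. In -port mode one openssl ocsp process serves one index with one signing key, which is enough for a small personal CA of the kind described above.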