vault-ocsp

README

Vault OCSP

Vault OCSP provides OCSP support for Hashicorp Vault PKI backends it uses Vault to retrieve a CA certificate at startup and the cert/{serial} API to fetch the revocation status of certificates. Responses for revoked certificates are cached in memory.

Vault OCSP is based on Hashicorp's Vault API and OCSP code from Cloudflare's PKI and TLS toolkit.

License

Vault OCSP is licensed under the Mozilla Public License 2.0.

The file vendor/github.com/cloudflare/cfssl/ocsp/responder.go is copied from Cloudflare's cfssl repository and is licensed under cfssl's BSD 2-clause "Simplified" License

Building Vault OCSP

git clone https://github.com/T-Systems-MMS/vault-ocsp.git
cd vault-ocsp
go get
go build -o vault-ocsp

Running Vault OCSP

Vault OCSP is helpful:

./vault-ocsp -help
Usage of ./vault-ocsp:
  -pkimount string
        vault PKI mount to use (default "pki")
  -responderCert string
        OCSP responder signing certificate file
  -responderKey string
        OCSP responder signing private key file
  -serverAddr string
        Server IP and Port to use (default ":8080")

Vault OCSP supports the same environment variables as the Vault command line interface. You will probably need to set VAULT_ADDR, VAULT_CACERT and VAULT_TOKEN to use it.

The command line arguments -responderCert and -responderKey are mandatory and should point to a PEM encoded X.509 certificate file and a corresponding PEM and PKCS#1 encoded RSA private key file.

The key can be generated using openssl rsa and the certificate should be signed by a CA that is trusted by the OCSP clients that will query the Vault OCSP instance.

Make Vault OCSP known to Vault

You can use the /pki/config/urls API to define Vault OCSP as OCSP responder. You should use an OCSP URL that will be reachable from your OCSP clients. If you want to make the OCSP responder available via https itself you will need a reverse proxy like nginx or Apache httpd in front of Vault OCSP.