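services:
  # OCSP (Online Certificate Status Protocol) Responder Service
  #
  # This service provides real-time certificate validation for the development environment.
  # It works with certificates generated by ./scripts/generate-certificates.sh and imported
  # by ./scripts/import-certificates.sh.
  #
  # Configuration Parameters:
  # ------------------------
  # Port: 8888 - published port; the socat listeners on 8888 forward to the responder on 8887
  # Index File: - Lists all issued certificates (/ca/intermediate-ca/index.txt)
  # CA Certificate: - Issuer's certificate (/ca/intermediate-ca/intermediate.crt)
  # OCSP Key Pair: - Responder credentials (/ca/ocsp-responder/ocsp.{key,crt})
  # Validity Period: - Responses valid for 1 day (-ndays 1)
  #
  # Test Certificate Status:
  # ----------------------
  # openssl ocsp -url http://ocsp.localhost.example:8888 \
  #   -issuer _data/certs/ca/intermediate-ca/intermediate.crt \
  #   -CAfile _data/certs/xmpp1.pem \
  #   -cert _data/certs/xmpp1.crt \
  #   -text
  ocsp-responder:
    # NOTE(review): the tag is unpinned and openssl/socat are installed at start-up, so the
    # tool versions can change between runs and the container needs network access to boot.
    image: alpine:latest
    volumes:
      # Read-only: the responder only reads the index, the CA certificate and its own key
      # pair, so a compromised container cannot alter CA state or the signing key.
      - ./_data/certs/ca:/ca:ro
    command:
      - /bin/sh
      - -c
      - |
        # Fail fast if package installation fails instead of blocking in `wait` with nothing running
        set -eu
        apk add --no-cache openssl socat

        # Start OCSP responder on localhost using a different port (8887 is not published)
        openssl ocsp -port 8887 -text \
          -index /ca/intermediate-ca/index.txt \
          -CA /ca/intermediate-ca/intermediate.crt \
          -rkey /ca/ocsp-responder/ocsp.key \
          -rsigner /ca/ocsp-responder/ocsp.crt \
          -ndays 1 &

        # Use socat to create IPv6 and IPv4 listeners that forward to the OCSP responder
        socat TCP6-LISTEN:8888,fork,ipv6-v6only=1 TCP4:127.0.0.1:8887 &
        socat TCP4-LISTEN:8888,fork TCP4:127.0.0.1:8887 &

        # Block on the background processes so the container stays up while they run
        wait
    ports:
      - "8888:8888"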