This is a containerised version of the OCSP responder built into OpenSSL (openssl ocsp running in server mode).
I built it to add OCSP to my own certificates, primarily to remove the warning from Microsoft's Terminal Services Client (mstsc) about being unable to validate the certificate against a responder when RDP'ing onto a server.
https://hub.docker.com/repository/docker/wackysysadmin/ocsp-responder/
This container relies on you already having the following:
- A working CA and/or intermediate CA (useful guide: https://jamielinux.com/docs/openssl-certificate-authority/index.html; BounCA, LabCA etc. also work).
- The index file listing the current valid/revoked/expired certificates, otherwise known as the 'database' file in OpenSSL terminology (the index.txt that openssl ca maintains).
- The public certificate of your root CA, or the chain of the root CA and intermediate.
- An OCSP signing keypair issued by your root CA or intermediate (guide: https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63). The signing certificate must be issued by the same CA that issued the certificates it will answer for (so by the intermediate, if the intermediate issues your server certificates) and must carry the OCSP Signing extended key usage, otherwise clients will not accept its responses.
The following environment variables configure the container. The file paths are as seen inside the container (i.e. under the volume mount), not host paths.
- OCSP_INT_PORT: "2560" # Port the responder listens on inside the container.
- INDEX_FILE: "/data/index.txt" # The database file of the CA.
- CA_FILE: "/data/ca-chain.cert.pem" # The CA or CA and intermediate public chain certificate.
- OCSP_CERT_FILE: "/data/ocsp.pem" # OCSP public certificate signed by the root CA or intermediate.
- OCSP_KEY_FILE: "/data/ocsp.key" # OCSP private key.
- OCSP_LOG_FILE: "/data/ocsp.log" # OCSP process's output log file, HTTP access logs and responses. The container will generate this logfile.
Modify the volume path to the path of your files.
Bring up the OCSP responder server:
docker compose up -d
docker logs ocsp-responder
ACCEPT 0.0.0.0:2560 PID=1
ocsp: waiting for OCSP client connections...
Certificates can now be issued with an Authority Information Access extension that points clients at your responder's FQDN. Example openssl.cnf entry for the extension section used when signing server/client certificates: authorityInfoAccess = OCSP;URI:http://ocsp.hostname.foo:2560 The hostname must resolve and the port must be reachable from the clients that will check revocation (the RDP client in my case), not just from the Docker host.
The OCSP responder can be put behind a reverse proxy such as Caddy, NGINX or Traefik. Use whatever method you prefer; if you add the reverse proxy to the Docker Compose file, or it is on the same container bridge network, you can use http://ocsp-responder:2560 as the proxy upstream address. The responder speaks plain HTTP, so a simple http upstream is all the proxy needs.
Serving the OCSP responder over HTTPS isn't a requirement, and plain HTTP is the norm (it is also what the public CA programmes require): a client would otherwise have to check the revocation status of the responder's own TLS certificate before it could check anything else. As mentioned in the wider community, OCSP URIs in CA/intermediate certificates themselves can cause issues; putting them on the server/client certificates issued from those CAs should be fine.
The image can also be built manually; it is only an Alpine image with OpenSSL installed and a CMD set. Enter a directory and create a Dockerfile with the contents from here.
Build the image with:
docker build -t ocsp-responder:latest .
- All files can be bind-mounted into the container individually, except the index/database file, which must live in a mounted folder. A bind mount of a single file is pinned to that file as it exists when the container starts, and openssl ca does not edit index.txt in place: it writes a new file and renames it over the old one, so the container keeps seeing the stale copy and a revocation will not be reflected until the container is restarted. Mounting the folder instead lets the responder see the new file (OpenSSL's ocsp responder re-reads the index when it notices the file has changed). For my use case I created an ocsp folder and changed my openssl.cnf so the CA's database points at an index.txt in that folder.