(→Apache) |
Pierreozoux (talk | contribs) (→OCSP Stapling support: Adds script for automatic OCSP in HAProxy) |
||
Line 375: | Line 375: | ||
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca | OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca | ||
</pre> | </pre> | ||
This little script can come handy: | |||
<pre> | |||
#!/bin/bash -eux | |||
PEM_FILE=${1} | |||
CRT_FILE=/tmp/`basename ${PEM_FILE} | sed 's/pem/crt/'` | |||
DIR=`dirname ${PEM_FILE}` | |||
URL=`openssl x509 -in ${PEM_FILE} -text | grep OCSP | cut -d: -f2,3` | |||
HEADER=`echo $URL | cut -d/ -f3` | |||
ISSUER_CRT_URL=`openssl x509 -in ${PEM_FILE} -text | grep Issuers | cut -d: -f2,3` | |||
wget ${ISSUER_CRT_URL} -q -O - | openssl x509 -inform DER -outform PEM > ${PEM_FILE}.issuer | |||
openssl x509 -outform PEM -in ${PEM_FILE} > ${CRT_FILE} | |||
openssl ocsp -noverify -issuer ${PEM_FILE}.issuer -cert ${CRT_FILE} -url ${URL} -no_nonce -header Host ${HEADER} -respout ${PEM_FILE}.ocsp | |||
</pre> | |||
Don't forget to put this script in a cron and reload HAProxy afterward. | |||
== Stud == | == Stud == |
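Review bot: the `openssl ocsp` line in the added script passes `-noverify`, so the response saved to `${PEM_FILE}.ocsp` is never checked against the issuer before HAProxy staples it. The issuer certificate is also taken from whatever URL the certificate's own "CA Issuers" field names, fetched with `wget` and trusted as is. I would keep a locally vetted copy of the issuer chain, drop `-noverify`, and pass that chain with `-CAfile` so a forged or wrong response makes the script fail under `-e` instead of being installed. Smaller points on the same lines: `CRT_FILE` is a predictable name under `/tmp` (use `mktemp`), `sed 's/pem/crt/'` rewrites the first "pem" anywhere in the file name rather than only the extension, every `${...}` expansion is unquoted, and `grep OCSP` or `grep Issuers` will return more than one line if the certificate lists several URIs, which then ends up in `-url`. The closing sentence should also say how often the cron job must run, since the saved response has to be refreshed before it expires.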