My CA preparation supporting OCSP
This is the next step after CRL vs OCSP - Shammerism.
According to the OCSP test with openssl I did before in "Can OpenSSL's OCSP not handle URL-encoded OCSP requests? Part 4 - Shammerism", an OCSP responder cannot be implemented on normal web servers like Apache.
I will have to consider how to build an OCSP responder using only open source. But CRL Distribution Points and CA Issuers seem to be okay on normal web servers.
I can fetch both CRL Distribution Points and CA Issuers with curl.
Required resources are:
The first step is building my CAs with the x509 extensions required for supporting OCSP.
Looking at the DigiCert CAs, the following things are clear.
- The Root CA certificate includes neither AIA nor CRL Distribution Points.
- The Intermediate CA certificate includes both AIA and CRL Distribution Points.
- AIA consists of OCSP only.
- CRL Distribution Points is the Root CA's CRL.
- Server certificates include both AIA and CRL Distribution Points.
My next step is to generate a Root CA certificate like the above.
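
The extension layout listed above, built as a throwaway three-tier chain with openssl. This is an added example, not the author's own setup. The `*.example.test` URLs, the file names, the CA Issuers entry and intermediate CRL URL on the server certificate, and reading "AIA consists of OCSP only" as applying to the intermediate are all assumptions.

```shell
#!/bin/sh
# Added example: test PKI following the extension pattern listed above.
# Hostnames (*.example.test) and file names are assumptions, not the author's.
set -eu

build_chain() {  # build_chain <dir>: root -> intermediate -> server certificate
  d=$1; mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://pki.example.test/root.crl
[srv_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://pki.example.test/int.crt
crlDistributionPoints = URI:http://pki.example.test/int.crl
EOF
  # Root CA: self-signed, carries neither AIA nor CRL Distribution Points
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -config "$d/ext.cnf" -extensions root_ext -keyout "$d/root.key" -out "$d/root.crt"
  issue "$d" int "Test Intermediate CA" root int_ext
  issue "$d" srv "www.example.test" int srv_ext
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/srv.crt"
}

issue() {  # issue <dir> <name> <CN> <issuer name> <extension section>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/ext.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions "$5" -out "$1/$2.crt"
}

has_ext() {  # has_ext <cert> <text>: true if the text appears in the decoded certificate
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Run as: sh build_chain.sh ./testpki   (no argument: only define the functions)
[ -z "${1:-}" ] || build_chain "$1"
```

The URLs are embedded in every certificate signed with these sections, so the CRL and CA certificate files have to be published at those paths, and an OCSP responder has to answer at the OCSP URL, before clients can check revocation.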