This go module supports the creation of an ocsp server that is capable of using a PKCS#11 HSM, such as the NitroKey HSM, as the signer for the ocsp responder. When properly configured, the hsmocsp server will return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it will return an error code.
The hsmocsp server currently supports two source types which implement the cfssl ocsp responder interface to validate certificates; additional support for cfssl certdb and response file sources could likely easily be added.
| Source Type | Description |
|---|---|
| OpenSslSource | Uses the OpenSSL ca db and crl files; optionally supports hosting ca issuer and crl static files |
| VaultSource | Uses the Vault PKI Engine ca and crl urls and cert api |
app-hsmocsp is a cloud-native application with kubectl and Helm deployments for this hsmocsp go module
In addition to the app-hsmocsp container, the provided dev and debug skaffold profiles will also deploy the app-pki container, which uses a helper script to create a working PKCS#11 HSM PKI environment for development purposes only; it includes configurable steps to automatically validate and initialize:
- Certificates and Keypairs for the OpenSSL Root CA
- Vault PKI Secrets engines and intermediate CA certificates properly signed and chained with the OpenSSL ca-keypair
- Keypairs for OCSP server certificates for both OpenSSL and Vault CA sources for app-hsmocsp to consume
| PKI Level | Cert | HSM Key | Vault Key | File Key |
|---|---|---|---|---|
| 1 | OpenSSL CA | x | ||
| 1 | OpenSSL CA OCSP | x | ||
| 2 | Vault Root CA | x | ||
| 2 | Vault Root CA OCSP | x | ||
| 3 | Vault Int Dev CA | x | ||
| 3 | Vault Int Dev CA OCSP | x | ||
| 3 | Vault Int Dev CA Client | x |