make LIBS="-lresolv -lnsl -lsasl2 -rpath /opt/lib"

+ if ps -p ${pid} >/dev/null ; then

• Edit your /opt/etc/ocspd.conf file see man ocspd.conf for details. Suggestion: Set threads_num to something more reasonable, like 25. Also, create the ocspd user and group -- you can do this with the GUI so that they persist.

By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this (apache): [@

@]

[@

@]

[@

@]

[@

@]

[@

@]

[@

@]

[@

@]

[=

=]

[=

=]

[=

=]

[=

=]

[= cd /opt/etc/init.d

=]

/opt/etc/init.d/S43ocspd start

[=

=]

The Online Certificate Status Protocol is used to provide the status of X.509 certificates in lieu of a CRL. OCSPD is a daemon that serves a CRL file using OCSP. This is handy if you are running your own CA.

Here's how to build it on a SLUG - I don't have time to make an IPKG for it at the moment, but it should be straighforward from this recipe.

This assumes that you have the native tools installed.

• Get the OSCPD kit from http://www.openca.org/alby/download?target=openca-ocspd-1.5.1-rc1.tar.gz
• Install the following ipkgs:
  • openssl
  • openssl-dev
  • openldap
• Unzip the ocspd archive & cd to the ocspd-1.5.1-rc1 directory
• setup the arm build environment, usually:

 export PATH=$PATH:/opt/bin:/share/hdd/data/tools/bin
 export LD_LIBRARY_PATH=/lib:/opt/lib:/usr/lib:/usr/local/lib:/opt/armeb/armv5b-softfloat-linux/lib
 export LDFLAGS=-L/usr/local/lib
 export C_INCLUDE_PATH=/usr/include:/usr/local/include:/opt/armeb/include:/opt/armeb/armv5b-softfloat-linux/include:/opt/armeb/armv5b-softfloat-linux/sys-include

• Run configure with the following options:

 ./configure --prefix=/opt --with-openssl-prefix=/opt --with-ocspd-user=ocspd --with-ocspd-group=ocspd --with-openldap-prefix=/opt

• Make requires a small tweak to get ocspd to link:

 make LIBS="-lresolv -lnsl -lsasl2"

• Install

 make install

• Change the startup file

cd /opt/etc/init.d
 mv ocspd S43ocspd
--- oscpd       2009-07-11 09:36:01.000000000 -0400
+++ S43ocspd    2009-07-11 09:53:20.000000000 -0400
@@ -57,7 +57,7 @@
                echo "stopped."
        else
                pid=`cat $pidfile`;
-               if test `ps -p ${pid}` ; then
+               if ps -p ${pid} ; then
                        echo "running ( $pid ) ... "
                else
                        echo "stopped."

ln -s S43ocspd K80ocspd

• Edit your /opt/etc/ocspd.conf file see man ocspd.conf for details.
• Edit /opt/etc/init.d/S43ocspd to reflect the location of your pidfile (suggest /opt/var/run/ocspd.pid)
• /opt/etc/init.d/S43ocspd start

And you should be off.

By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this:

    # Allow OCSP content for POST (If you have mod_security)
    SecRuleRemoveById? 960010

    # Proxy OCSP requests to the OCSP server
    #  -- Any POST with OCSP content
    #  -- /ocsp (for GET)

    ReWriteCond? %{HTTP:Content-Type} ^application/ocsp-request$ [OR]
    ReWriteCond? %{REQUEST_URI} ^/ocsp
        RewriteRule? ^/(.*) http://ocsp.litts.net:2560/$1 [P]

If you have difficultiy, start-verbose will log more information in /var/log/messages

Enjoy