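# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved
#
# Layout notes: OpenSSL-style config. A '$dir' reference is expanded by
# the parser from the 'dir' key of the enclosing section; a value of the
# form '@name' points at another section of this file. Every comment is
# a full '#' line of its own, so values never carry trailing text.

[ ocspd ]
# The default ocspd section
default_ocspd = OCSPD_default

####################################################################
[ OCSPD_default ]
# Where everything is kept
dir = /chroot/etc/ocspd
# database index file.
#db = $dir/index.txt
# Digest used by the responder. sha1 is kept here as in the original
# example; prefer sha256 if the server build accepts it, since sha1 is
# no longer considered collision-resistant.
md = sha1
# The CA certificate
ca_certificate = $dir/certs/cacert.crt
# The OCSP server cert
ocspd_certificate = $dir/certs/server.crt
# The OCSP server key. Keep this file readable only by the account in
# 'user' below (and by root at start-up, if the key is loaded before
# privileges are dropped).
ocspd_key = $dir/certs/server.key
# Main process pid
pidfile = $dir/ocspd.pid
# Expected file names under $dir/certs: server.crt server.key cacert.crt

# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
# the code providing an 'illegal' access method for an attacker
# it is better not to give him additional advantages.
# The listening port below is unprivileged, so root is not needed to
# bind it. 'daemon' is used as a sample value here, mirroring 'group';
# replace it with the dedicated unprivileged account created for ocspd.
user = daemon
group = daemon

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the availables ones.
# '*' listens on every interface; restrict it to the address the
# responder is meant to be reachable on whenever possible.
bind = *

# Port where the server will listen for incoming requests.
port = 2560

# Max size of accepted requests. Data connection will be closed
# in case this size will be reached.
max_req_size = 8192

# Number of child processes serving requests (the original example gave
# no description - confirm the exact semantics in the ocspd manual).
max_childs_num = 1

# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
# to the parent process (seconds)
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response = ocsp_response

# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
# Example section using LDAP for data retrival
# dbms = dbms_ldap
#
# Example section using FILES for data retrival
dbms = dbms_file

# Enables the ENGINE interface for the server. If set to off then
# no support for ENGINE is loaded. If set to anything but 'off' the
# value must correspond to a section in this configuration file.
# Currently only LunaCA3, LunaSA are directly supported. If you need
# support for other HSM write to the authors.
#
# IMPORTANT NOTE: in case of usage with engine support enabled, put
# the private key ID - look at the HSM documentation - into the
# 'ocspd_key' field above in this file
# engine = HSM

####################################################################
[ ocsp_response ]
# NOTE: this differs from 'dir' in [ OCSPD_default ] (/chroot/etc/ocspd).
# Presumably $dir inside this section resolves to the value below;
# keep the two in step if the certificates live in one place.
dir = /usr/local/ocspd/etc/ocspd

# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
# the file pointed by 'ocsp_add_response_certs', concatenated
# one after the other.
#
# Comment this option if you don't want to add certificates
# to responses.
#ocsp_add_response_certs = $dir/certs/chain_certs.pem

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid = yes

# next_update_days and next_update_mins allows to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
next_update_days = 0
next_update_mins = 5

####################################################################
[ dbms_ldap ]
# The referenced 'ldap_ca_1' section is not defined in this example
# file; add it before enabling this line.
#0.ca = @ldap_ca_1

####################################################################
[ dbms_file ]
# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
0.ca = @first_ca
1.ca = @second_ca

####################################################################
[ first_ca ]
# You can have the CRL on a simple file in PEM format
#crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_07.crl
# This CRL is retrieved over plain HTTP, so its integrity rests entirely
# on the CRL signature being verified against the CA certificate below.
crl_url = http://www.cacert.org/revoke.crl

# We need the CA certificate for every supported CRL
# The CA certificate is the trust anchor for the CRL above. Fetching it
# over plain HTTP takes that anchor on trust from the network; for a
# production responder prefer a locally installed copy (file:// form).
# ca_url = file:////usr/local/ocspd/etc/ocspd/certs/1st_cacert.pem
#ca_url = file:////usr/local/ocspd/etc/ocspd/certs/cacert.pem
ca_url = http://www.cacert.org/certs/root.crt

####################################################################
[ second_ca ]
# You can have the CRL on a simple file in PEM format
#crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_01.crl
# Same caveat as in [ first_ca ]: integrity of an HTTP-fetched CRL
# depends on the signature check against the CA certificate below.
crl_url = http://www.cacert.org/class3-revoke.crl

# We need the CA certificate for every supported CRL
# Same caveat as in [ first_ca ]: prefer a local file:// copy of the
# trust anchor over an HTTP download.
#ca_url = file:////usr/local/ocspd/etc/ocspd/certs/2nd_cacert.pem
ca_url = http://www.cacert.org/certs/class3.crt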