# OCSP server
![GitHub License](https://img.shields.io/github/license/DorianCoding/OCSP_server)
[![Github stars](https://img.shields.io/github/stars/DorianCoding/OCSP_server.svg)](https://github.com/DorianCoding/OCSP_server/stargazers)
<img alt="French flag" src="https://github.com/lipis/flag-icons/blob/main/flags/1x1/fr.svg" width="25">

*OCSP Server is an **OCSP responder**, the Rust implementation of the [Python version](https://github.com/DorianCoding/OCSP_MySql).*

----

This software implements an OCSP responder in Rust that looks up certificate status in a MySQL/MariaDB, PostgreSQL or SQLite database (see `db_type` in the config file). Unlike the Python implementation, it **implements its own TCP listener** on a user-selected port.
*It answers any **GET or POST** request on the root URL or the `/ocsp` URL.* If you need other routes, configure a reverse proxy in front of it.
## Requirements
- A CA certificate (self-signed allowed) and/or an intermediate CA that signs the leaf certificates.
- A config file (`config.toml`) in the same directory. The files referenced in it must also be accessible.
- A database containing every certificate that was signed and may be queried (see the table structure below).

## What is done
- Parse the OCSP request, verify that the certificate it asks about was issued by the configured CA, look up its status (good or revoked) in the database and sign the response. Responses are also cached for a configurable number of days to avoid repeating the RSA signature.
- Run as a dedicated user so that the intermediate certificate's private key, which the responder needs, stays protected.
## What is not done
- Only leaf certificates are reported as valid, not the intermediate certificate itself.
- No access control or rate limiting is performed on the TCP socket. It should not be exposed to the public as is, but placed behind a reverse proxy that controls the traffic, such as Apache or Nginx. Requests are limited to 3 MB.

> [!TIP]
> The status of the intermediate certificate should be attested by an OCSP response signed by the CA and stored separately. The CA certificate and private key should be stored offline.

## Config file
The config file should contain the following information:
```toml
# Config file, all fields are compulsory unless marked optional
cachedays = 3 # Number of days a response stays valid once created (only for valid certificates)
dbip = "127.0.0.1" # Optional. IP of the database server. If absent, a Unix socket is used.
db_type = "mysql" # Can be "mysql", "postgres" or "sqlite"
dbuser = "cert" # Username used to connect to the database
dbport = 3306 # Optional. Default 3306 for MySQL, 5432 for PostgreSQL
dbname = "certs" # Name of the database holding the certificate table
dbpassword = "certdata" # Password used to connect to the database
port = 9000 # Port to listen on, from 1 to 65535. Cannot be a port already used by another service (privileged ports allowed when run as root or as a service). Default 9000
listen_ip = "0.0.0.0" # Optional. IP address to listen on (default: 127.0.0.1)
timeout = 5 # Optional. Timeout in seconds, default 5
cachefolder = "cache/" # Folder used to cache responses (relative or absolute, created if not present)
itcert = "/var/public_files/it_cert.crt" # Path to the intermediate certificate, PEM format
itkey = "/var/private_files/it_privkey.pem" # Path to the intermediate private key, keep it secret (PKCS#8 format, only RSA keys supported so far)
revocextended = true # Optional. Enable EXTENDED_REVOCATION
caching = true # Optional. Enable response caching, or disable it to answer each request individually with its nonce (a cached response cannot echo a request nonce)
create_table = true # Optional. Create the table if it does not exist
table_name = "custom_certs" # Optional. Custom table name (default is list_certs for MySQL, ocsp_list_certs for PostgreSQL)
enable_api = true # Optional. Enable the certificate management API
api_keys = ["secure-api-key-1", "secure-api-key-2"] # Optional. List of API keys accepted for authentication
```

> [!CAUTION]
> `config.toml` should be read-only for the responder and inaccessible to anyone else, because it contains `dbpassword`.
> Test files are TEST FILES and SHOULD NOT BE USED in any way in production.
> The intermediate/signer private key must be kept secret: read-only for the responder and inaccessible to anyone else. The intermediate/signer certificate itself should be world-readable, including by the responder.
> As a service, the responder runs as a dedicated new user called `pycert`. This protects system integrity: the whole filesystem is locked down by systemd except the cache folder.
> The responder replies for any certificate present in the database, *whether or not it has expired*.


## How to implement?
### As a Linux service (recommended)

Create your config file in the main directory and run `service.sh` as root. The service is then started at boot and listens for connections.
### Binaries
1) Get the binary for your architecture and run it in the background (see the [releases](https://github.com/DorianCoding/OCSP-server/releases/tag/v0.4.0)).

*Feel free to share binaries for other architectures in a PR so they can be added. Please post only optimized (release) binaries.*
### Compile from source
1) Clone the repo: `git clone https://github.com/DorianCoding/OCSP-server.git`
2) Run `cargo run` or `cargo run --release` and enjoy 👍
## MySQL table
The responder requires a table with this kind of structure:
```sql
CREATE TABLE `list_certs` (
  `cert_num` varchar(50) NOT NULL,
  `revocation_time` datetime DEFAULT NULL,
  `revocation_reason` enum('unspecified','key_compromise','ca_compromise','affiliation_changed','superseded','cessation_of_operation','certificate_hold','privilege_withdrawn','aa_compromise') DEFAULT NULL,
  `status` enum('Valid','Revoked') NOT NULL DEFAULT 'Valid',
  PRIMARY KEY (`cert_num`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
```
- The certificate number **must be unique** and start with `0x` (like a hex number). `revocation_time` must be in UTC.
- When a certificate is valid, `status` must be `Valid` and `revocation_time` and `revocation_reason` must be NULL. Conversely, upon revocation, `status` must be `Revoked` and `revocation_time` and `revocation_reason` must both be set.
## Script test and timeline
### Test integration
You can test the responder with `openssl`, replacing the issuer and cert arguments with files containing the issuer certificate and the certificate to check:
```bash
openssl ocsp -issuer myissuer.crt -cert localcert.crt -url http://localhost:9000 -resp_text
```
You should get a valid OCSP response. If you don't, check the integration.
### Timeline
The responder is fast and can be used in production systems. Here is the time taken using a 2048-bit RSA signing key:

| Architecture | CPU | RAM | Time to perform the [test](#test-integration) |
| --- | --- | --- | --- |
| armv7l 32-bit | Raspberry<sup>TM</sup> | 1 GB | 0.4 s from scratch, 0.12 s from cache |
| x86_64 | Intel i5, 6<sup>th</sup> generation | 16 GB | 0.2 s from scratch, 0.04 s from cache |
## Script input/output
<details><summary>Toggle</summary>

### Input
The responder expects an OCSP request in binary form from the socket client. A request looks like this (**in base64 form**); the binary DER form is not human-readable but is the one the responder needs:
```
MHoweDBRME8wTTAJBgUrDgMCGgUABBRGf2x685RgF9qF4azpunF6LM75OQQUwX3C7a+au9Af8tx/
tcfCxFkwR68CFAlOMV+mrbm8PqIFZKeyLubrqlXgoiMwITAfBgkrBgEFBQcwAQIEEgQQkcDcDZCP
zGR57CNCnt6eKg==
```
You can use `openssl ocsp -reqin file -req_text` to check the format, which gives something like this:
```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 467F6C7AF3946017DA85E1ACE9BA717A2CCEF939
          Issuer Key Hash: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
          Serial Number: 094E315FA6ADB9BC3EA20564A7B22EE6EBAA55E0
    Request Extensions:
        OCSP Nonce:
            041091C0DC0D908FCC6479EC23429EDE9E2A
```
### Output
The responder returns the OCSP response as binary DER. As above, here is its base64 form:
```
MIIB1woBAKCCAdAwggHMBgkrBgEFBQcwAQEEggG9MIIBuTCBoqIWBBTBfcLtr5q70B/y3H+1x8LE
WTBHrxgPMjAyMjEyMjkxMzE5MDlaMHcwdTBNMAkGBSsOAwIaBQAEFEZ/bHrzlGAX2oXhrOm6cXos
zvk5BBTBfcLtr5q70B/y3H+1x8LEWTBHrwIUCU4xX6atubw+ogVkp7Iu5uuqVeCAABgPMjAyMjEy
MjkxMzE5MDlaoBEYDzIwMjIxMjMwMTMxOTA4WjANBgkqhkiG9w0BAQsFAAOCAQEAkIg1jf1Y5gm2
FB0eAdgfP5/h0CddJBYyD0p8SvwXdTTU+Uee+7zUhTwNzq3omosSLMgJ2yEjEv/vai4XgvCeJ+uL
vhMZADzgmifNw/58o94F7RbY9t9XoKhioS9tN0QT/y7Gzyz16vD+vYYqkW8Pvb6ueRL5A3QUARUz
eUZoU24omksxF3smVbCzM8czBAre5ydejKDS6GjnMcTZqg+GggVYJMS7ZocHVbwVRv75xFo+M/7P
cg78TNJ+KtrUOJFWYaJOOZhUleBaSmg8AW9rsZuLl98pexghCwEb9hh1mfkSUWpvRJFyVC7xblQa
JvLu5tc1TJLKtYP5uUrRmDEufA==
```
You can use `openssl ocsp -respin file -resp_text` to check the format, which gives something like this:
```
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
    Produced At: Dec 29 13:19:09 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 467F6C7AF3946017DA85E1ACE9BA717A2CCEF939
      Issuer Key Hash: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
      Serial Number: 094E315FA6ADB9BC3EA20564A7B22EE6EBAA55E0
    Cert Status: good
    This Update: Dec 29 13:19:09 2022 GMT
    Next Update: Dec 30 13:19:08 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
         90:88:35:8d:fd:58:e6:09:b6:14:1d:1e:01:d8:1f:3f:9f:e1:
         d0:27:5d:24:16:32:0f:4a:7c:4a:fc:17:75:34:d4:f9:47:9e:
         fb:bc:d4:85:3c:0d:ce:ad:e8:9a:8b:12:2c:c8:09:db:21:23:
         12:ff:ef:6a:2e:17:82:f0:9e:27:eb:8b:be:13:19:00:3c:e0:
         9a:27:cd:c3:fe:7c:a3:de:05:ed:16:d8:f6:df:57:a0:a8:62:
         a1:2f:6d:37:44:13:ff:2e:c6:cf:2c:f5:ea:f0:fe:bd:86:2a:
         91:6f:0f:bd:be:ae:79:12:f9:03:74:14:01:15:33:79:46:68:
         53:6e:28:9a:4b:31:17:7b:26:55:b0:b3:33:c7:33:04:0a:de:
         e7:27:5e:8c:a0:d2:e8:68:e7:31:c4:d9:aa:0f:86:82:05:58:
         24:c4:bb:66:87:07:55:bc:15:46:fe:f9:c4:5a:3e:33:fe:cf:
         72:0e:fc:4c:d2:7e:2a:da:d4:38:91:56:61:a2:4e:39:98:54:
         95:e0:5a:4a:68:3c:01:6f:6b:b1:9b:8b:97:df:29:7b:18:21:
         0b:01:1b:f6:18:75:99:f9:12:51:6a:6f:44:91:72:54:2e:f1:
         6e:54:1a:26:f2:ee:e6:d7:35:4c:92:ca:b5:83:f9:b9:4a:d1:
         98:31:2e:7c
```

</details>

## License
* GPL 3.0

> OCSP Server - OCSP responder in Rust
> Copyright (C) 2023 DorianCoding
>
> This program is free software: you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> the Free Software Foundation, under version 3 of the License only.
>
> This program is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with this program.  If not, see <https://www.gnu.org/licenses/>.
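The MySQL table section above states two invariants for `list_certs` rows (the `0x` hex key, and that `revocation_time`/`revocation_reason` are NULL exactly when `status` is `Valid`) but leaves the check to the operator. The following is an added example, not the project's own code: it enforces those invariants on rows before they are turned into an OCSP `CertStatus`, and maps the table's `revocation_reason` labels to the CRLReason codes of RFC 5280 that an OCSP `revoked` status carries. The rows are constructed sample data, and the text form of `revocation_time` as it comes out of the database driver is an assumption.

```rust
// Added example (not the project's own code): check list_certs row invariants
// and translate a row into the OCSP CertStatus it should produce.

#[derive(Debug, Clone)]
pub struct CertRow {
    pub cert_num: String,
    pub status: String,
    pub revocation_time: Option<String>,   // UTC datetime as text (assumed driver format)
    pub revocation_reason: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum CertStatus {
    Good,
    Revoked { time_utc: String, reason: u8 },
}

/// Map the table's enum labels to RFC 5280 CRLReason codes.
/// Note the gaps: 7 is unused and 8 (removeFromCRL) has no label in this table.
pub fn crl_reason_code(label: &str) -> Option<u8> {
    Some(match label {
        "unspecified" => 0,
        "key_compromise" => 1,
        "ca_compromise" => 2,
        "affiliation_changed" => 3,
        "superseded" => 4,
        "cessation_of_operation" => 5,
        "certificate_hold" => 6,
        "privilege_withdrawn" => 9,
        "aa_compromise" => 10,
        _ => return None,
    })
}

/// cert_num must start with 0x and be followed by hex digits only.
pub fn valid_cert_num(cert_num: &str) -> bool {
    match cert_num.strip_prefix("0x") {
        Some(hex) => !hex.is_empty() && hex.bytes().all(|b| b.is_ascii_hexdigit()),
        None => false,
    }
}

/// Reject inconsistent rows instead of guessing; a bad row must never become "good".
pub fn row_to_status(row: &CertRow) -> Result<CertStatus, String> {
    if !valid_cert_num(&row.cert_num) {
        return Err(format!("{}: cert_num must look like 0x<hex>", row.cert_num));
    }
    match row.status.as_str() {
        "Valid" => {
            if row.revocation_time.is_some() || row.revocation_reason.is_some() {
                return Err(format!("{}: Valid row carries revocation data", row.cert_num));
            }
            Ok(CertStatus::Good)
        }
        "Revoked" => {
            let time = row.revocation_time.clone()
                .ok_or_else(|| format!("{}: Revoked without revocation_time", row.cert_num))?;
            let label = row.revocation_reason.as_deref()
                .ok_or_else(|| format!("{}: Revoked without revocation_reason", row.cert_num))?;
            let reason = crl_reason_code(label)
                .ok_or_else(|| format!("{}: unknown reason {label}", row.cert_num))?;
            Ok(CertStatus::Revoked { time_utc: time, reason })
        }
        other => Err(format!("{}: unknown status {other}", row.cert_num)),
    }
}

fn row(num: &str, status: &str, time: Option<&str>, reason: Option<&str>) -> CertRow {
    CertRow {
        cert_num: num.to_string(),
        status: status.to_string(),
        revocation_time: time.map(str::to_string),
        revocation_reason: reason.map(str::to_string),
    }
}

/// Constructed sample rows: good, revoked, inconsistent (Valid with a time), bad key.
pub fn sample_rows() -> Vec<CertRow> {
    vec![
        row("0x094E315FA6ADB9BC3EA20564A7B22EE6EBAA55E0", "Valid", None, None),
        row("0x0A1B2C", "Revoked", Some("2024-01-15 10:30:00"), Some("key_compromise")),
        row("0x0B", "Valid", Some("2024-01-15 10:30:00"), None),
        row("1234", "Valid", None, None),
    ]
}

fn main() {
    for r in sample_rows() {
        match row_to_status(&r) {
            Ok(s) => println!("{} -> {:?}", r.cert_num, s),
            Err(e) => println!("REJECT {e}"),
        }
    }
}
```

Running it shows the first two rows mapped to `Good` and `Revoked { reason: 1 }` and the last two rejected; wiring `row_to_status` in front of response signing means a malformed row fails closed rather than being answered as `good`.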
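The Input section above shows the DER request only as base64 and relies on `openssl ocsp -req_text` to read it. The following is an added example, not the project's own code: a standard-library-only Rust walker over that exact request that recovers the CertID fields (hash algorithm OID, issuer name hash, issuer key hash, serial) and the nonce extension, so a reader can see what the responder has to extract before it can look the serial up. The sample input is the README's base64 request; the `db_cert_num` helper and its upper-case hex are this example's assumption about how the serial becomes the `0x...` key in `list_certs`.

```rust
// Added example (not the project's own code): a std-only DER walker over the
// OCSPRequest shown in the README, recovering what `openssl ocsp -req_text` prints.

/// Constructed input: the base64 request from the README above.
const SAMPLE_REQUEST_B64: &str = "MHoweDBRME8wTTAJBgUrDgMCGgUABBRGf2x685RgF9qF4azpunF6LM75OQQUwX3C7a+au9Af8tx/\
tcfCxFkwR68CFAlOMV+mrbm8PqIFZKeyLubrqlXgoiMwITAfBgkrBgEFBQcwAQIEEgQQkcDcDZCP\
zGR57CNCnt6eKg==";
// OID bodies for 1.3.14.3.2.26 (SHA-1) and 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce)
pub const OID_SHA1: &[u8] = &[0x2b, 0x0e, 0x03, 0x02, 0x1a];
pub const OID_OCSP_NONCE: &[u8] = &[0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02];

#[derive(Debug, PartialEq)]
pub struct CertId {
    pub hash_oid: Vec<u8>,
    pub issuer_name_hash: Vec<u8>,
    pub issuer_key_hash: Vec<u8>,
    pub serial: Vec<u8>, // INTEGER content, big-endian, sign byte removed
}

#[derive(Debug, PartialEq)]
pub struct ParsedRequest {
    pub cert_ids: Vec<CertId>,
    pub nonce: Option<Vec<u8>>,
}

/// Standard base64 decoder; '=' padding and whitespace are skipped.
pub fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b'\n' | b'\r' | b' ' => continue,
            _ => return Err(format!("bad base64 byte {c:#04x}")),
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Read one DER element: (tag, content, rest). Definite lengths up to 4 bytes only.
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), String> {
    if input.len() < 2 { return Err("truncated TLV".into()); }
    let (tag, first) = (input[0], input[1] as usize);
    let (len, hdr) = if first < 0x80 { (first, 2) } else {
        let n = first & 0x7f;
        if n == 0 || n > 4 || input.len() < 2 + n { return Err("bad length".into()); }
        (input[2..2 + n].iter().fold(0usize, |l, &b| (l << 8) | b as usize), 2 + n)
    };
    if input.len() < hdr + len { return Err("content truncated".into()); }
    Ok((tag, &input[hdr..hdr + len], &input[hdr + len..]))
}

/// Read one element and require a specific tag.
fn expect(input: &[u8], want: u8) -> Result<(&[u8], &[u8]), String> {
    let (tag, body, rest) = read_tlv(input)?;
    if tag != want { return Err(format!("expected tag {want:#04x}, got {tag:#04x}")); }
    Ok((body, rest))
}

pub fn parse_ocsp_request(der: &[u8]) -> Result<ParsedRequest, String> {
    let (ocsp_req, trailing) = expect(der, 0x30)?;
    if !trailing.is_empty() { return Err("trailing bytes after OCSPRequest".into()); }
    let (tbs, _optional_signature) = expect(ocsp_req, 0x30)?;
    // version [0] (DEFAULT v1, normally absent) and requestorName [1] are optional
    let mut rest = tbs;
    for tag in [0xa0u8, 0xa1] {
        if rest.first() == Some(&tag) { rest = read_tlv(rest)?.2; }
    }
    let (mut items, rest) = expect(rest, 0x30)?; // requestList SEQUENCE OF Request
    let mut cert_ids = Vec::new();
    while !items.is_empty() {
        let (request, next) = expect(items, 0x30)?;
        let (cert_id, _single_exts) = expect(request, 0x30)?;
        let (alg, r) = expect(cert_id, 0x30)?;
        let (hash_oid, _params) = expect(alg, 0x06)?;
        let (name_hash, r) = expect(r, 0x04)?;
        let (key_hash, r) = expect(r, 0x04)?;
        let (serial, _) = expect(r, 0x02)?;
        // DER INTEGER is two's complement: a serial with its high bit set carries a 0x00 sign byte
        let serial = if serial.len() > 1 && serial[0] == 0 { &serial[1..] } else { serial };
        cert_ids.push(CertId {
            hash_oid: hash_oid.to_vec(),
            issuer_name_hash: name_hash.to_vec(),
            issuer_key_hash: key_hash.to_vec(),
            serial: serial.to_vec(),
        });
        items = next;
    }
    let mut nonce = None;
    if rest.first() == Some(&0xa2) { // requestExtensions [2] EXPLICIT Extensions
        let (exts, _) = expect(rest, 0xa2)?;
        let (mut ext_items, _) = expect(exts, 0x30)?;
        while !ext_items.is_empty() {
            let (ext, next) = expect(ext_items, 0x30)?;
            let (oid, r) = expect(ext, 0x06)?;
            let r = if r.first() == Some(&0x01) { read_tlv(r)?.2 } else { r }; // optional critical BOOLEAN
            let (value, _) = expect(r, 0x04)?;
            if oid == OID_OCSP_NONCE {
                // RFC 6960 wraps the nonce in an inner OCTET STRING; tolerate a bare one too
                let inner = match expect(value, 0x04) {
                    Ok((inner, tail)) if tail.is_empty() => inner,
                    _ => value,
                };
                nonce = Some(inner.to_vec());
            }
            ext_items = next;
        }
    }
    Ok(ParsedRequest { cert_ids, nonce })
}

pub fn hex_upper(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02X}")).collect()
}

/// Lookup key for list_certs: the README requires a 0x prefix; upper-case hex is assumed here.
pub fn db_cert_num(serial: &[u8]) -> String {
    format!("0x{}", hex_upper(serial))
}

fn main() {
    let der = base64_decode(SAMPLE_REQUEST_B64).expect("valid base64");
    let req = parse_ocsp_request(&der).expect("well-formed OCSP request");
    for id in &req.cert_ids {
        let alg = if id.hash_oid == OID_SHA1 { "sha1" } else { "other" };
        println!("{alg} name={} key={} db_key={}", hex_upper(&id.issuer_name_hash),
                 hex_upper(&id.issuer_key_hash), db_cert_num(&id.serial));
    }
    println!("nonce={:?}", req.nonce.as_deref().map(hex_upper));
}
```

Every value the walker recovers can be checked against the `openssl ocsp -req_text` dump above; the issuer key hash is also what the responder must match against its own signer certificate before answering, and the serial (without its sign byte) is what becomes the `cert_num` lookup.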