{"id":20721073,"url":"https://github.com/wackysysadmin/ocsp-responder-container","last_synced_at":"2026-03-10T17:01:55.125Z","repository":{"id":243287643,"uuid":"812011788","full_name":"wackysysadmin/ocsp-responder-container","owner":"wackysysadmin","description":"This is a containerised version of OpenSSL's OCSP web responder.","archived":false,"fork":false,"pushed_at":"2024-12-29T13:50:20.000Z","size":55,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-11T08:16:47.827Z","etag":null,"topics":["certificates","crl","ocsp","openssl","openssl-certs","openssl-extension","responder","security"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wackysysadmin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-07T19:07:10.000Z","updated_at":"2024-12-29T13:50:23.000Z","dependencies_parsed_at":"2024-06-07T20:43:55.720Z","dependency_job_id":"31bd2eb1-5497-4a94-ad94-84b1c36a6c75","html_url":"https://github.com/wackysysadmin/ocsp-responder-container","commit_stats":null,"previous_names":["wackysysadmin/ocsp-server-container"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wackysysadmin/ocsp-responder-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wackysysadmin%2Focsp-responder-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wackysysadmin%2Focsp-responder-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wackysysadmin%2Focsp-responder-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wackysysadmin%2Focsp-responder-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wackysysadmin","download_url":"https://codeload.github.com/wackysysadmin/ocsp-responder-container/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wackysysadmin%2Focsp-responder-container/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30343730,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T15:55:29.454Z","status":"ssl_error","status_checked_at":"2026-03-10T15:54:58.440Z","response_time":106,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","crl","ocsp","openssl","openssl-certs","openssl-extension","responder","security"],"created_at":"2024-11-17T03:25:14.593Z","updated_at":"2026-03-10T17:01:55.082Z","avatar_url":"https://github.com/wackysysadmin.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Containerised / Dockerised OCSP Responder\n[![Build Container](https://github.com/wackysysadmin/ocsp-responder-container/actions/workflows/build-container.yml/badge.svg)](https://github.com/wackysysadmin/ocsp-responder-container/actions/workflows/build-container.yml)\n\nThis is a containerised version of the OCSP web responder built into OpenSSL.\n\nHad built this to add onto my certificates primarily to remove the warning on Microsoft's Terminal Services Client about being unable to validate the certificate against a responder when RDP'ing onto a server.\n\nhttps://hub.docker.com/repository/docker/wackysysadmin/ocsp-responder/\n\n\u003ch1\u003ePrerequisites\u003c/h1\u003e\nThis container relies on already having the following:\n\n* A working CA and/or intermediate server (Useful Guide: https://jamielinux.com/docs/openssl-certificate-authority/index.html, \u003ca href=https://bounca.org/\u003eBounCA\u003c/a\u003e, \u003ca href=https://lab-ca.net/\u003eLabCA\u003c/a\u003e etc)\n* An index file containing a list of current valid/revoked/expired certificates. (Otherwise known as the 'database' file in OpenSSL terminology)\n* The public certificate of your root CA, or chain of the root CA and intermediate.\n* An OCSP signing keypair from your root CA or intermediate. (Guide: https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63)\n\n\u003ch1\u003eRunning the container\u003c/h1\u003e\n\u003ch2\u003eEnvironment Variables\u003c/h2\u003e\n\nThe following variables are file locations relative to the container.\n\n* OCSP_INT_PORT: \"2560\" # OCSP mounting port internal to the container.\n* INDEX_FILE: \"/data/index.txt\" # The database file of the CA.\n* CA_FILE: \"/data/ca-chain.cert.pem\" # The CA or CA and intermediate public chain certificate.\n* OCSP_CERT_FILE: \"/data/ocsp.pem\" # OCSP public certificate signed by the root CA or intermediate.\n* OCSP_KEY_FILE: \"/data/ocsp.key\" # OCSP private key.\n* OCSP_LOG_FILE: \"/data/ocsp.log\" # OCSP process's output log file, HTTP access logs and responses. The container will generate this logfile.\n\n\u003ch2\u003eUsing Docker Compose\u003c/h2\u003e\nCreate a docker-compose.yml file with the contents of https://github.com/wackysysadmin/ocsp-responder-container/blob/main/docker-compose.yml.\n\n\nModify the volume path to the path of your files.\n\nBring up the OCSP responder server:\n```\ndocker compose up -d\n```\n\n```\ndocker logs ocsp-responder\nACCEPT 0.0.0.0:2560 PID=1\nocsp: waiting for OCSP client connections...\n```\n\nCertificates can now be signed by defining your OCSP's FQDN. Example configuration: authorityInfoAccess = OCSP;URI:http://ocsp.hostname.foo:2560\n\n\u003ch2\u003eReverse Proxy/HTTPS Support\u003c/h2\u003e\nThe OCSP responder server can be put behind a reverse proxy such as Caddy/NGINX/Traefik.\n\nThis can be done by using a method of your choice, if you append a reverse proxy onto the Docker Compose file or if the reverse proxy server is on the same container bridge network you can specify http://ocsp-responder:2560 as the proxy upstream address.\n\nServing an OCSP responder over HTTPS \u003ca href=https://datatracker.ietf.org/doc/html/rfc5280#section-8\u003eisn't a requirement\u003c/a\u003e but is certainly possible, as mentioned in the wider community OCSP requirements on CA/Intermediate certificates can cause issues, using them on issued server/client certificates from them should be fine. \n\n\u003ch2\u003eBuilding the container from scratch\u003c/h2\u003e\nThe container can be built manually, it is only an Alpine image with OpenSSL and CMD values set.\n\nEnter a directory and create a Dockerfile with the contents from \u003ca href=https://github.com/wackysysadmin/ocsp-responder-container/blob/main/Dockerfile\u003ehere\u003c/a\u003e.\n\nCreate the container using build command:\n```\ndocker build -t ocsp-responder:latest .\n```\n\u003ch1\u003eKnown issues\u003c/h1\u003e\n\n* All files can be direct mounted into the container, however the index/database file must be in a mounted folder.\nThis is due to Docker mounting the file as it is at the time. If there are changes to the index it will not be reflected unless the container gets restarted. For my use case I created an ocsp folder then changed my openssl.cnf to save changes to an index.txt in the ocsp folder.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwackysysadmin%2Focsp-responder-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwackysysadmin%2Focsp-responder-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwackysysadmin%2Focsp-responder-container/lists"}