I just tagged v0.8 of r509 and v0.3 of r509-ocsp-responder. Here’s what’s new!
r509-validity-redis was also updated to work with the latest OCSP responder release if you’re using the redis backend.
I’ve been remiss in not mentioning this project, but along with the open source Ruby certificate authority project r509 we’ve also built and released a full open source OCSP responder written in Ruby. r509-ocsp-responder, as we’ve catchily named it, is designed to conform to RFC 2560 (OCSP) and RFC 5019 (the lightweight OCSP profile for high-volume environments) and to let you get a full OCSP responder up and running with a (relative) minimum of configuration.
r509-ocsp-responder is designed to be a “known good” responder. This means it answers “unknown” for any certificate it has no issuance record for, even when it is configured to answer for that certificate’s CA. This is in contrast to many responders, which are designed as “known bad” and answer “good” unless the certificate is known to be revoked; such a responder will vouch for a serial the CA never deliberately issued, for example one minted with a misused CA key. A known-good responder can only vouch for serials it has actually seen issued, so issuance records, not just revocations, must be written into its backing store. We have written a redis-based validity checker (r509-validity-redis) that you can use, or you can easily write your own writer/checker backend.
If you happen to want to build an entire CA stack, we’ve got one last project (+ some middleware) for you. r509-ca-http is a RESTful interface for issuing certificates. It also works with r509-middleware-validity to automatically write issuance/revocation data to the OCSP responder’s redis DB, which is what keeps the known-good model workable: the responder’s store is updated on every issuance, not only on every revocation.
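As an added example (this is not code from r509, r509-ocsp-responder or r509-validity-redis), the following Ruby script shows the known-good versus known-bad distinction end to end using the OpenSSL::OCSP classes that ship with Ruby: an in-memory validity store standing in for the redis backend (ValidityStore, record_issued, record_revoked and lookup are this example’s own names), a responder function that builds and signs a response from a store lookup, and a client function that verifies the signature and the certificate ID before trusting the status. The CA and leaf certificates are constructed inside the script; the third leaf is signed by the CA key but never written to the store, which is the case where the two policies diverge.

```ruby
require 'openssl'

# Validity backend (this example's own, standing in for r509-validity-redis).
# Keys are [issuer subject, serial]. Under the known-good policy a serial the
# CA never recorded answers UNKNOWN; under known-bad it answers GOOD, so a
# certificate minted with a misused CA key would look valid.
class ValidityStore
  Entry = Struct.new(:status, :reason, :revoked_at)

  def initialize(policy: :known_good)
    @policy = policy
    @entries = {}
  end

  # The issuance side calls this (r509-middleware-validity plays this role
  # for r509-ca-http); only serials written here can ever be answered GOOD.
  # Reason is 0 rather than nil because add_status wants an Integer.
  def record_issued(issuer, serial)
    @entries[[issuer, serial.to_i]] = Entry.new(OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil)
  end

  def record_revoked(issuer, serial, reason, at = Time.now)
    @entries[[issuer, serial.to_i]] = Entry.new(OpenSSL::OCSP::V_CERTSTATUS_REVOKED, reason, at)
  end

  def lookup(issuer, serial)
    default = @policy == :known_good ? OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN : OpenSSL::OCSP::V_CERTSTATUS_GOOD
    @entries.fetch([issuer, serial.to_i]) { Entry.new(default, 0, nil) }
  end
end

# Constructed test certificates; a real responder loads its CA from disk or an HSM.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Responder side: look the serial up in the store and return a signed DER response.
def ocsp_response_der(store, ca_cert, ca_key, cert)
  cid = OpenSSL::OCSP::CertificateId.new(cert, ca_cert)
  entry = store.lookup(ca_cert.subject.to_s, cert.serial)
  now = Time.now
  bres = OpenSSL::OCSP::BasicResponse.new
  bres.add_status(cid, entry.status, entry.reason, entry.revoked_at, now, now + 300, nil)
  # The CA key signs directly here; a delegated responder certificate with the
  # OCSPSigning EKU is the usual production setup. SHA-256 is given explicitly
  # rather than relying on the library default.
  bres.sign(ca_cert, ca_key, nil, 0, 'SHA256')
  OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, bres).to_der
end

# Client side: check the responder status, the signature, and that the single
# response is actually about the certificate we asked about.
def ocsp_status(der, ca_cert, cert)
  res = OpenSSL::OCSP::Response.new(der)
  raise "responder returned status #{res.status}" unless res.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
  trust = OpenSSL::X509::Store.new
  trust.add_cert(ca_cert)
  basic = res.basic
  raise 'OCSP signature did not verify' unless basic.verify([ca_cert], trust)
  cid = OpenSSL::OCSP::CertificateId.new(cert, ca_cert)
  single = basic.responses.find { |r| r.certid.cmp(cid) }
  raise 'response does not cover the requested certificate' unless single
  single.cert_status
end

# Drives both policies over the same three certificates. Serial 1003 is signed
# by the CA key but never written to the store (the mis-issuance case).
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Example CA', ca_key, 1, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  issued = make_cert('good.example', leaf_key, 1001, issuer: ca, issuer_key: ca_key)
  revoked = make_cert('revoked.example', leaf_key, 1002, issuer: ca, issuer_key: ca_key)
  rogue = make_cert('rogue.example', leaf_key, 1003, issuer: ca, issuer_key: ca_key)

  results = {}
  { known_good: ValidityStore.new(policy: :known_good),
    known_bad: ValidityStore.new(policy: :known_bad) }.each do |name, store|
    store.record_issued(ca.subject.to_s, 1001)
    store.record_issued(ca.subject.to_s, 1002)
    store.record_revoked(ca.subject.to_s, 1002, OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
    results[name] = [issued, revoked, rogue].map { |c| ocsp_status(ocsp_response_der(store, ca, ca_key, c), ca, c) }
  end
  results
end

p demo if __FILE__ == $PROGRAM_NAME
```

For the known-good store, demo reports the three serials as good, revoked and unknown; the known-bad store reports the unrecorded serial 1003 as good. The client-side certid comparison is worth keeping in any consumer: a signed, valid response that covers a different certificate is still a signed, valid response, and without that check its status would be applied to the wrong certificate.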
We’ll be improving the documentation around these ancillary projects shortly, but feel free to dive in now (as several of you already have!).
r509 v0.6 is out. There were 39 commits encompassing the following changes from 0.5 to 0.6.
* Gemfile updated to set proper versions of supporting gems for doc generation
* Fixes to load_yaml in Config
* OCSP handling extensively refactored and most of the logic moved into the r509 OCSP responder project.
* Cert#subject_component no longer improperly upcases elements
* subjectAltName (SAN) is now supported in self-signed certificates
* Cert#san_names returns an empty array if no san_names exist
* Cert#fingerprint is now an available method
* Cert#subject_names returns a concatenation (de-duped) of CN and SANs
* General refactoring in several areas to improve code quality
* Csr now takes :san_names in its constructor instead of :domains, which is more consistent with Cert#san_names
* Files renamed to lowercase to match Ruby conventions
* Cert#in_validity_range? method added
* Fixed some order dependent tests
The majority of work went into improving the OCSP codebase, which was moved into the r509-ocsp-responder project, but that’s a subject for another blog entry!
I haven’t talked about r509 here in a while, but since v0.5 just got tagged I thought I’d plug it again. r509 is a wrapper for the OpenSSL libraries in Ruby. It’s designed to allow you to do a wide variety of certificate authority related operations (issuance, revocation, CRL generation, OCSP responses, et cetera). There are also some ancillary gems under active development (r509-ca-http, r509-ocsp-responder, r509-validity-redis) which will gain more documentation as these projects progress.
Check it out, file issues, fork, and contribute!