# @(#)(CAcert) $Id: ocspd.conf,v 1.4 2015/08/10 13:44:58 root Exp $
# OCSPD configuration file
#
# Layout: global defaults come first (before any [ section ]), followed by
# the CA list ([ dbms_file ]), one section per CA ([ class1 ], [ class3 ])
# and the response options ([ ocsp_response ]).
# The file uses $dir variable expansion and @section references, so it is
# presumably read with an OpenSSL-style config parser - confirm against the
# ocspd build in use before relying on any quoting or comment behaviour.

# start with unnamed section containing global defaults
# Names the CA section used as the default responder identity; per the note
# in [ class3 ], its key is also the one used for the other CA.
default_ocspd = class1

dir = /usr/local/etc/ocspd # Where everything is kept
# NOTE(review): SHA-1 is deprecated for signatures. If this setting selects
# the digest used when signing responses, plan a move to a SHA-2 digest once
# support in this ocspd build and in relying clients has been confirmed.
md = sha1 # Digest to be used
pidfile = $dir/ocspd.pid # Main process pid
# Unprivileged account for the daemon (presumably what it switches to after
# start-up - confirm). The private key below must be readable by this
# account and by no other non-root user.
user = ocspd
group = ocspd
# "*" presumably means listen on every local address. If the responder is
# only meant to be reached through a front-end, restrict access with a
# specific bind address or a host firewall rule.
bind = *
port = 2560
# Upper bound on an accepted request (presumably bytes - confirm); caps what
# an unauthenticated client can make the daemon buffer.
max_req_size = 8192
threads_num = 10
max_timeout_secs = 10
# NOTE(review): both values are 0, which presumably turns off periodic CRL
# reloading and periodic CRL validity checking. If so, a revocation published
# after start-up is not served until the daemon is reloaded by some external
# means. Confirm such a mechanism exists (for example a job that reloads the
# daemon whenever the CRL files change), or set non-zero intervals.
crl_auto_reload = 0
crl_check_validity = 0
# Whether this still takes effect while crl_check_validity is 0 cannot be
# told from this file - verify against the ocspd documentation.
crl_reload_expired = yes
# Name of the section holding the response options (see [ ocsp_response ]).
response = ocsp_response
# Name of the section listing the CAs this responder answers for.
dbms = dbms_file

# One numbered entry per CA; each @name points at the section of that name.
[ dbms_file ]
0.ca = @class1
1.ca = @class3

# Default CA (see default_ocspd above).
[ class1 ]
ca_certificate = $dir/certs/ca-class1.crt # The CA certificate
ocspd_certificate = $dir/certs/class1.crt # The OCSP server cert
# Response signing key. Keep $dir/private and this file owned by root or the
# ocspd account with no group/other access, and keep it out of backups and
# version control that are less protected than the host itself.
ocspd_key = $dir/private/class1.key # The OCSP server key
ca_url = file://$dir/certs/ca-class1.crt
# Revocation data is read from a local file, so responses are only as fresh
# as whatever process writes this file (and as the reload settings above).
crl_url = file://$dir/crls/revoke.pem
server_cert = file://$dir/certs/class1.crt

[ class3 ]
ca_certificate = $dir/certs/ca-class3.crt # The CA certificate
ocspd_certificate = $dir/certs/class3.crt # The OCSP server cert
#ocspd_key = NOT specified, because it must be identical to the
# key for the default ca, i.e. class1 in our case
# NOTE(review): this implies class3.crt certifies the same key pair as
# class1.crt, so a compromise of class1.key affects the responses for both
# CAs and both responder certificates have to be replaced together.
ca_url = file://$dir/certs/ca-class3.crt
crl_url = file://$dir/crls/class3-revoke.pem
server_cert = file://$dir/certs/class3.crt

[ ocsp_response ]
ocsp_add_response_keyid = yes
# Placeholder path: per the original note the option has to be present even
# though the file does not exist. Keep $dir/certs writable by the
# administrator only, so that no unintended file can appear under this name.
ocsp_add_response_certs = $dir/certs/XXX.crt # non-existing but needed!
# Presumably the offset used for nextUpdate in each response (2 days, 0
# minutes). Clients may cache a response until then, so this also bounds how
# long a revoked certificate can still appear good to a caching client.
next_update_days = 2
next_update_mins = 0