Embed OCSP responder URL in certificate

certidude/config.py

@@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
 CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
 SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
 AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
-CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
 CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
 
 REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")

certidude/signer.py

@@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
                 extended_key_usage_flags.append( # OpenVPN client
                     ExtendedKeyUsageOID.CLIENT_AUTH)
 
+            aia = [
+                x509.AccessDescription(
+                    AuthorityInformationAccessOID.CA_ISSUERS,
+                    x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
+            ]
+
+            if config.AUTHORITY_OCSP_URL:
+                aia.append(
+                    x509.AccessDescription(
+                        AuthorityInformationAccessOID.OCSP,
+                        x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
+
             builder = x509.CertificateBuilder(
                 ).subject_name(
                     x509.Name([common_name])
@@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
                         request.public_key()),
                     critical=False
                 ).add_extension(
-                    x509.AuthorityInformationAccess([
+                    x509.AuthorityInformationAccess(aia),
-                        x509.AccessDescription(
-                            AuthorityInformationAccessOID.CA_ISSUERS,
-                            x509.UniformResourceIdentifier(
-                                config.AUTHORITY_CERTIFICATE_URL)
-                        )
-                    ]),
-                    critical=False
-                ).add_extension(
-                    x509.CRLDistributionPoints([
-                        x509.DistributionPoint(
-                            full_name=[
-                                x509.UniformResourceIdentifier(
-                                    config.CERTIFICATE_CRL_URL)],
-                            relative_name=None,
-                            crl_issuer=None,
-                            reasons=None)
-                    ]),
                     critical=False
                 ).add_extension(
                     x509.AuthorityKeyIdentifier.from_issuer_public_key(
@@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
                     critical=False
                 )
 
+            if config.AUTHORITY_CRL_URL:
+                builder = builder.add_extension(
+                    x509.CRLDistributionPoints([
+                        x509.DistributionPoint(
+                            full_name=[
+                                x509.UniformResourceIdentifier(
+                                    config.AUTHORITY_CRL_URL)],
+                            relative_name=None,
+                            crl_issuer=None,
+                            reasons=None)
+                    ]),
+                    critical=False
+                )
+
             # OpenVPN uses CN while StrongSwan uses SAN
             if server_flags:
                 builder = builder.add_extension(

certidude/templates/server/server.conf

@@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
 # Simple Certificate Enrollment Protocol enabled subnets
 scep subnets =
+;scep subnets = 0.0.0.0/0
 
 # Online Certificate Status Protocol enabled subnets
 ocsp subnets =
+;ocsp subnets = 0.0.0.0/0
 
 # Certificate Revocation lists can be accessed from anywhere by default
+;crl subnets =
 crl subnets = 0.0.0.0/0
 
 [logging]
@@ -92,10 +95,16 @@ revocation list lifetime = 24
 # URL where CA certificate can be fetched from
 authority certificate url = {{ certificate_url }}
 
-# Strongswan can be configured to automatically fetch CRL
+# Strongswan can automatically fetch CRL if
-# in that case CRL URL has to be embedded in the certificate
+# CRL distribution point extension is included in the certificate
+;revoked url =
 revoked url = {{ revoked_url }}
 
+# StrongSwan can automatically query OCSP responder if
+# AIA extension includes OCSP responder URL
+responder url =
+;responder url = {{ responder_url }}
+
 # If certificate renewal is allowed clients can request a certificate
 # for the same public key with extended lifetime
 renewal allowed = false