i've been happily using pound in front of mod_ssl-less apache,
handling all my sites & certs.
i'm hoping to deploy an OCSP responder for online/dynamic SSL
Certificate mgmt. ideally standalone, rather than as part of a larger
infrastructure (DogTag, EJBCA, OpenCA, etc), although OpenSSL's ocsp
"mini server" works, it's recommended NOT to use it for production.
seems the way-to-go is 'OCSP Stapling'
which has been added to
mod_ssl into Apache2 2.4.x trunk
relevant mod_ssl OCSP directives are (at)
i'd rather not have to re-bloat apache by enabling mod_ssl, but would
need, then, OCSP stapling support in Pound.
afaict, it's been discussed back in 2005
but went no further once challenged with:
"Please try to slow down for a moment and consider if your suggestions
are really necessary (do they add anything to the program), and if they
make sense. Are your suggestions based just on seeing the same features
in other systems, or can you show us a real need for them? Is it worth
the effort and extra complexity?"
OCSP service is no longer an uncommon application these days, and, in
fact, is oft recommended as a preferred approach to static CRL
publication etc ...
so, i'd argue, not just a "same feature as in other systems", but one
that fills/meets a current/evolving need.
possible to have added?