redis-field-engineering/ocsp-responder
Create OCSP Certs and OCSP Responder for Testing


This is a very simple Docker wrapper around openssl that provides a basic CA and an OCSP responder. It will:

  1. Create a private CA and an intermediate cert
  2. Listen on a specific port for OCSP validation requests
  3. Create client certs and server certs (with a SAN wildcard)
  4. Validate a cert
  5. Revoke a cert

NOTE: This only creates certs for testing and uses very basic openssl commands for the responder. It is for testing only.

Container Images

Container images are automatically built and published to GitHub Container Registry (GHCR) on every push to main. Images support both linux/amd64 and linux/arm64 platforms.

Available images:

  • ghcr.io/redis-field-engineering/ocsp-responder:latest - Latest stable build from main branch
  • ghcr.io/redis-field-engineering/ocsp-responder:main-<sha> - Specific commit builds

Running

Docker Run

Pass in a root domain for the CA and the OCSP URL you would like embedded in the OCSP (Authority Information Access) extension of the issued certificates. Clients that validate a cert will contact this URL as the OCSP responder, so it must be reachable from wherever validation runs, not only from inside the container.

docker run -d --restart=always \
  -e ROOT_DOMAIN=demo.redislabs.com \
  -e OCSP_URL=http://127.0.0.1:2560 \
  --name ocsp \
  -p 2560:2560 \
  ghcr.io/redis-field-engineering/ocsp-responder:latest

Docker Compose

The container includes a built-in health check that verifies the OCSP responder is accepting connections on port 2560.

Basic docker-compose.yml:

version: '3.8'
services:
  ocsp:
    image: ghcr.io/redis-field-engineering/ocsp-responder:latest
    environment:
      - ROOT_DOMAIN=demo.redislabs.com
      - OCSP_URL=http://127.0.0.1:2560
    ports:
      - "2560:2560"
    restart: unless-stopped
    # Health check is automatically inherited from the Docker image

Check health status:

# View service status including health
docker-compose ps

# Check specific container health
docker inspect ocsp_ocsp_1 --format='{{.State.Health.Status}}'

Advanced configuration with custom health check settings:

version: '3.8'
services:
  ocsp:
    image: ghcr.io/redis-field-engineering/ocsp-responder:latest
    environment:
      - ROOT_DOMAIN=demo.redislabs.com
      - OCSP_URL=http://127.0.0.1:2560
    ports:
      - "2560:2560"
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "2560"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s

  # Example service that depends on OCSP responder being healthy
  app:
    image: your-app:latest
    depends_on:
      ocsp:
        condition: service_healthy
    environment:
      - OCSP_URL=http://ocsp:2560

Creating Certs

Creating Certificates with a wildcard for a domain

Provide a certificate name and domain:

docker exec -it ocsp ./create_san_wildcard_cert cluster-1 kurt-re.demo.redislabs.com

Creating Certificates for clients or without the wildcard

docker exec -it ocsp ./create_cert client-1 client.redis

Creating a new cert

If you revoke a cert (see below) and would like to create a new cert with the same domain just call one of the create methods with a new name.

Example:

docker exec -it ocsp ./create_san_wildcard_cert cluster-2 kurt-re.demo.redislabs.com

Retrieving

Retrieve the cert using its name:

docker exec -it ocsp ./get_cert cluster-1 > /etc/opt/redislabs/cluster-1_cert.pem

You can also get the key:

docker exec -it ocsp ./get_key cluster-1 > /etc/opt/redislabs/cluster-1_key.pem

And the cert CA chain:

docker exec -it ocsp ./get_chain > /etc/opt/redislabs/ca-chain.pem

or just the intermediate:

docker exec -it ocsp ./get_cert intermediate > /etc/opt/redislabs/ca-intermediate.pem

OCSP Status

Get the OCSP response for the cert using openssl to query the OCSP responder port in the container:

openssl ocsp -CAfile ca-chain.pem -url http://127.0.0.1:2560 -issuer ca-intermediate.pem -cert cluster-1_cert.pem

Expected response (the status line is labelled with the file passed to -cert):

Response verify OK
cluster-1_cert.pem: good
        This Update: Jun 30 23:18:31 2022 GMT
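A small parser for that output, added here as an example and not part of the ocsp-responder project. It keeps the verification verdict (`Response verify OK`, which openssl writes to stderr) separate from the certificate status (`good`, `revoked` or `unknown`, written to stdout), so a script only treats a cert as valid when the status is `good` and the response actually verified against `-CAfile`; openssl still prints a status line after `Response Verify Failure`, so grepping for `good` alone would accept an answer from a responder you do not trust. The sample outputs are constructed to match the format shown above, and `query_ocsp` is an assumed wrapper around the README's openssl command, which also makes a more meaningful probe than the `nc -z` port check used by the container's health check.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample outputs modelled on the openssl ocsp format shown in this README.
GOOD_SAMPLE = (
    "Response verify OK\n"
    "cluster-1_cert.pem: good\n"
    "\tThis Update: Jun 30 23:18:31 2022 GMT\n"
)
REVOKED_SAMPLE = (
    "Response verify OK\n"
    "cluster-1_cert.pem: revoked\n"
    "\tThis Update: Jul  1 10:02:11 2022 GMT\n"
    "\tRevocation Time: Jul  1 09:58:40 2022 GMT\n"
)
# A response whose signer does not chain to -CAfile: openssl still prints the
# status line, so a check that only looks for "good" would accept it.
UNTRUSTED_SAMPLE = (
    "Response Verify Failure\n"
    "<openssl error trace elided in this constructed sample>\n"
    "cluster-1_cert.pem: good\n"
    "\tThis Update: Jun 30 23:18:31 2022 GMT\n"
)


@dataclass
class OcspResult:
    verified: bool             # True only if "Response verify OK" was printed
    status: Optional[str]      # "good", "revoked", "unknown", or None if no status line
    cert_label: Optional[str]  # the -cert filename openssl echoes before the status
    this_update: Optional[str] = None
    revocation_time: Optional[str] = None
    reason: Optional[str] = None

    @property
    def trusted_good(self) -> bool:
        """The only outcome a client should accept as 'certificate is valid'."""
        return self.verified and self.status == "good"


STATUS_RE = re.compile(r"^(?P<label>\S+): (?P<status>good|revoked|unknown)\s*$")
FIELD_RE = re.compile(
    r"^\s+(?P<key>This Update|Next Update|Revocation Time|Reason): (?P<val>.*\S)\s*$"
)
_FIELDS = {"This Update": "this_update", "Revocation Time": "revocation_time", "Reason": "reason"}


def parse_ocsp_output(text: str) -> OcspResult:
    """Turn the combined stdout+stderr of `openssl ocsp` into an OcspResult."""
    result = OcspResult(verified=False, status=None, cert_label=None)
    for line in text.splitlines():
        if line.strip() == "Response verify OK":
            result.verified = True
            continue
        m = STATUS_RE.match(line)
        if m:
            result.cert_label, result.status = m.group("label"), m.group("status")
            continue
        m = FIELD_RE.match(line)
        if m and m.group("key") in _FIELDS:
            setattr(result, _FIELDS[m.group("key")], m.group("val"))
    return result


def classify(result: OcspResult) -> str:
    """Collapse a parsed result into the decision a client has to make."""
    if result.trusted_good:
        return "valid"
    if result.verified and result.status == "revoked":
        return "revoked"
    if result.verified and result.status == "unknown":
        return "unknown-to-this-ca"
    return "untrusted-response"  # verify failure, no response, or no status line


def query_ocsp(cert: str, issuer: str, chain: str, url: str, timeout: float = 10) -> OcspResult:
    """Assumed wrapper: run the README's openssl ocsp command and parse both streams
    (openssl writes the verify verdict to stderr and the status summary to stdout).
    A timeout or an unreachable responder yields verified=False, never an exception."""
    cmd = ["openssl", "ocsp", "-CAfile", chain, "-url", url, "-issuer", issuer, "-cert", cert]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return OcspResult(verified=False, status=None, cert_label=cert)
    return parse_ocsp_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("revoked", REVOKED_SAMPLE), ("untrusted", UNTRUSTED_SAMPLE)):
        print(f"{name}: {classify(parse_ocsp_output(sample))}")
```

Running the module prints `good: valid`, `revoked: revoked` and `untrusted: untrusted-response`; to probe the container described above, call `query_ocsp("cluster-1_cert.pem", "ca-intermediate.pem", "ca-chain.pem", "http://127.0.0.1:2560")` with the files retrieved by the get_cert and get_chain commands.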

Revoking

docker exec -it ocsp ./revoke_cert cluster-1

Health Check Monitoring

The container includes a built-in health check that tests if the OCSP responder is accepting connections.

Health check details:

  • Test: Connection test on port 2560 using nc -z localhost 2560
  • Interval: Every 30 seconds
  • Timeout: 10 seconds
  • Retries: 3 attempts before marking unhealthy
  • Start period: 5 seconds after container start

Monitor health status:

# View all services with health status
docker-compose ps

# Get detailed health information
docker inspect <container_name> --format='{{json .State.Health}}' | jq

# View health check logs
docker inspect <container_name> --format='{{range .State.Health.Log}}{{.Output}}{{end}}'

# Test health check manually
docker exec <container_name> nc -z localhost 2560

Health status values:

  • healthy - OCSP responder is accepting connections
  • unhealthy - Port 2560 is not responding (after 3 failed attempts)
  • starting - Container is starting up (within start period)

Local Development

For local development and testing, you can build the image manually:

# Build locally
docker build --no-cache -t ocsp-responder .

# Run locally built image
docker run -d --restart=always \
  -e ROOT_DOMAIN=demo.redislabs.com \
  -e OCSP_URL=http://127.0.0.1:2560 \
  --name ocsp \
  -p 2560:2560 \
  ocsp-responder

Credit

The idea and a lot of the initial scripts came from this blog post: https://ilhicas.com/2018/04/10/Creating-oscp-responder-docker.html.

I have filled in the blanks, provided openssl configs, and generally cleaned it up to work for my use cases.

About

A dockerized ocsp responder for testing