We should extend httpserv to act as an OCSP server. I propose that URLs that start with /ocsp shall be handled by new OCSP server logic. I propose to add a new command line option to httpserv: --ocspsigner nickname, and we should allow that option to be specified multiple times, allowing a single process to provide responses for multiple CAs. I want to start with the basic scenario, where CA == OCSP signer. (We can figure out a way to support separate dedicated OCSP signer certs at a later time.) The code shall require that the NSS database contains the private keys for all specified OCSP signers.