summaryrefslogtreecommitdiff
path: root/testing/hosts/winnetou
diff options
context:
space:
mode:
Diffstat (limited to 'testing/hosts/winnetou')
-rw-r--r--testing/hosts/winnetou/etc/apache2/httpd.conf1103
-rw-r--r--testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf37
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/13.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspCert-self.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspKey-self.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/openssl.cnf5
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/ocspCert.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/ocspKey.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/openssl.cnf2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/openssl.cnf2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/start-ocsp20
30 files changed, 1427 insertions, 30 deletions
diff --git a/testing/hosts/winnetou/etc/apache2/httpd.conf b/testing/hosts/winnetou/etc/apache2/httpd.conf
new file mode 100644
index 000000000..41c74453a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/httpd.conf
@@ -0,0 +1,1103 @@
+#
+# This is a modification of the default Apache 2 configuration
+# file by Gentoo Linux. .... [insert more]
+#
+# Support:
+# http://www.gentoo.org/main/en/lists.xml [mailing lists]
+# http://forums.gentoo.org/ [web forums]
+#
+# Bug Reports:
+# http://bugs.gentoo.org/ [gentoo related bugs]
+# http://bugs.apache.org/ [apache httpd related bugs]
+
+#
+#
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.0/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
+# with ServerRoot set to "/usr/lib/apache2" will be interpreted by the
+# server as "/usr/lib/apache2/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation (available
+# at <URL:http://httpd.apache.org/docs/2.0/mod/mpm_common.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "/usr/lib/apache2"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+#LockFile "/var/run/apache2.lock"
+
+#
+# ScoreBoardFile: File used to store internal server process information.
+# If unspecified (the default), the scoreboard will be stored in an
+# anonymous shared memory segment, and will be unavailable to third-party
+# applications.
+# If specified, ensure that no two invocations of Apache share the same
+# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !perchild.c>
+ #ScoreBoardFile /var/run/apache2_runtime_status
+</IfModule>
+
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+PidFile "/var/run/apache2.pid"
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 15
+
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM [DEFAULT IF USE=-threads]
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule prefork.c>
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 0
+</IfModule>
+
+# worker MPM [DEFAULT IF USE=threads]
+# StartServers: initial number of server processes to start
+# MaxClients: maximum number of simultaneous client connections
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule worker.c>
+ StartServers 2
+ MaxClients 150
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxRequestsPerChild 0
+</IfModule>
+
+# perchild MPM [THIS MPM IS NOT SUPPORTED]
+# NumServers: constant number of server processes
+# StartThreads: initial number of worker threads in each server process
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# MaxThreadsPerChild: maximum number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of connections per server process
+<IfModule perchild.c>
+ NumServers 5
+ StartThreads 5
+ MinSpareThreads 5
+ MaxSpareThreads 10
+ MaxThreadsPerChild 20
+ MaxRequestsPerChild 0
+</IfModule>
+
+# peruser MPM [THIS MPM IS NOT SUPPORTED]
+# MinSpareServers - Minimum number of idle children, to handle request spikes
+# MaxClients - Maximum number of children alive at the same time
+# MaxProcessors - Maximum number of processors per vhost
+# Multiplexer - Specify an Multiplexer Child configuration.
+# Processor - Specify a User and Group for a specific child process.
+# ServerEnvironment - Specify the server environment for this virtual host.
+<IfModule peruser.c>
+ ServerLimit 256
+ MaxClients 256
+ MinSpareProcessors 2
+ MaxProcessors 10
+ MaxRequestsPerChild 1000
+
+ # kill off idle processors after this many seconds
+ # set to 0 to disable
+ ExpireTimeout 1800
+
+ Multiplexer nobody nobody
+
+ Processor apache apache
+
+ # chroot dir is optional:
+ # Processor user group /path/to/chroot
+</IfModule>
+
+# itk MPM [THIS MPM IS NOT SUPPORTED]
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule itk.c>
+ StartServers 5
+ MinSpareServers 2
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 1000
+</IfModule>
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
+#
+#Listen 12.34.56.78:80
+Listen 80
+Listen 8880
+Listen 8881
+Listen 8882
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# The following modules are considered as the default configuration.
+# If you wish to disable one of them, you may have to alter other
+# configuration directives.
+#
+# You should always leave these three, as they are needed for normal use.
+# mod_access (Order, Allow, etc..)
+# mod_log_config (Transferlog, etc..)
+# mod_mime (AddType, etc...)
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+
+
+# Authentication Modules
+#
+# These modules provide authentication and authorization for
+# clients. They should not normally be disabled.
+#
+LoadModule access_module modules/mod_access.so
+LoadModule auth_module modules/mod_auth.so
+LoadModule auth_anon_module modules/mod_auth_anon.so
+LoadModule auth_dbm_module modules/mod_auth_dbm.so
+LoadModule auth_digest_module modules/mod_auth_digest.so
+
+#
+# Metadata Modules
+#
+# These modules provide extra data to clients about
+# a file, such as the mime-type or charset.
+#
+LoadModule charset_lite_module modules/mod_charset_lite.so
+LoadModule env_module modules/mod_env.so
+LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule setenvif_module modules/mod_setenvif.so
+
+#
+# Logging Modules
+#
+# These modules provide logging services for Apache
+#
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+
+
+#
+# CGI Modules
+#
+# These modules provide the ability to execute CGI Scripts.
+#
+LoadModule cgi_module modules/mod_cgi.so
+LoadModule cgid_module modules/mod_cgid.so
+
+
+#
+# This `suexec` module provides the ability to exeucte CGI scripts under
+# a different user than apache is run.
+#
+LoadModule suexec_module modules/mod_suexec.so
+
+
+#
+# Mappers
+#
+# These Modules provide URL mappings or translations.
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+<IfDefine USERDIR>
+ LoadModule userdir_module modules/mod_userdir.so
+</IfDefine>
+
+
+#
+# Handlers
+#
+# These modules create content for a client.
+#
+<IfDefine INFO>
+ LoadModule info_module modules/mod_info.so
+ LoadModule status_module modules/mod_status.so
+</IfDefine>
+LoadModule actions_module modules/mod_actions.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+
+#
+# Filters
+#
+# These modules provide filters for Apache.
+# They preform common tasks like gzip encoding or SSI
+#
+#
+LoadModule ext_filter_module modules/mod_ext_filter.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule include_module modules/mod_include.so
+
+
+#
+# Cache Modules
+#
+# The following modules are used for storing a cache of
+# generated or proxied content.
+#
+#LoadModule cache_module modules/mod_cache.so
+#LoadModule disk_cache_module modules/mod_disk_cache.so
+#LoadModule mem_cache_module modules/mod_mem_cache.so
+#LoadModule file_cache_module modules/mod_file_cache.so
+
+#
+# Proxy Modules
+#
+# The following modules are only needed if you are running
+# Apache as a Forward or Reverse Proxy.
+#
+# WARNING: Enabling these modules can be dangerous!
+# READ THE DOCUMENTATION FIRST:
+# http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
+<IfDefine PROXY>
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_connect_module modules/mod_proxy_connect.so
+ LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfDefine>
+
+#
+# Uncommon Modules
+#
+# The following Modules are not commonly loaded for Apache
+#
+#LoadModule case_filter_module modules/mod_case_filter.so
+#LoadModule case_filter_in_module modules/mod_case_filter_in.so
+#LoadModule echo_module modules/mod_echo.so
+#LoadModule mime_magic_module modules/mod_mime_magic.so
+#LoadModule speling_module modules/mod_speling.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+
+#
+# Obsolete Modules
+#
+# The Following modules are not commonly needed and use
+# obsolete technologies.
+#
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule imap_module modules/mod_imap.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule asis_module modules/mod_asis.so
+
+
+#
+# Extra Modules
+#
+# We Include extra .conf files from /etc/apache2/modules.d
+# This is used to load things like PHP and mod_ssl.
+#
+Include /etc/apache2/modules.d/*.conf
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+#
+User apache
+Group apache
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName localhost
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+# enable by adding -D USERDIR to /etc/conf.d/apache2
+#
+<IfModule mod_userdir.c>
+ UserDir public_html
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+ <Directory /home/*/public_html>
+ AllowOverride FileInfo AuthConfig Limit Indexes
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ <Limit GET POST OPTIONS PROPFIND>
+ Order allow,deny
+ Allow from all
+ </Limit>
+ <LimitExcept GET POST OPTIONS PROPFIND>
+ Order deny,allow
+ Deny from all
+ </LimitExcept>
+ </Directory>
+
+
+# Enable this additional section if you would like to make use of a
+# suexec-enabled cgi-bin directory on a per-user basis.
+#
+#<Directory /home/*/public_html/cgi-bin>
+# Options ExecCGI
+# SetHandler cgi-script
+#</Directory>
+
+</IfModule>
+
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Option can be used for the
+# same purpose, but it is much slower.
+#
+DirectoryIndex index.html ocsp.cgi
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+ Order allow,deny
+ Deny from all
+</FilesMatch>
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig /etc/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile /etc/apache2/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# EnableMMAP: Control whether memory-mapping is used to deliver
+# files (assuming that the underlying OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. On some systems, turning it off (regardless of
+# filesystem) can improve performance; for details, please see
+# http://httpd.apache.org/docs/2.0/mod/core.html#enablemmap
+#
+#EnableMMAP off
+
+#
+# EnableSendfile: Control whether the sendfile kernel support is
+# used to deliver files (assuming that the OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. Please see
+# http://httpd.apache.org/docs/2.0/mod/core.html#enablesendfile
+#
+#EnableSendfile off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
+LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
+
+# You need to enable mod_logio.c to use %I and %O
+#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature On
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL. So "/icons" isn't aliased in this
+# example, only "/icons/". If the fakename is slash-terminated, then the
+# realname must also be slash terminated, and if the fakename omits the
+# trailing slash, the realname must also omit it.
+#
+# We include the /icons/ alias for FancyIndexed directory listings. If you
+# do not use FancyIndexing, you may comment this out.
+#
+Alias /icons/ "/var/www/localhost/icons/"
+
+<Directory "/var/www/localhost/icons/">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/
+
+<IfModule mod_cgid.c>
+ #
+ # Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path>
+ # for setting UNIX socket for communicating with cgid.
+ #
+ #Scriptsock /var/run/cgisock
+</IfModule>
+
+#
+# "/var/www/localhost/cgi-bin/" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/localhost/cgi-bin/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+<IfModule mod_autoindex.c>
+ #
+ # IndexOptions: Controls the appearance of server-generated directory
+ # listings.
+ #
+ IndexOptions FancyIndexing VersionSort
+
+ #
+ # AddIcon* directives tell the server which icon to show for different
+ # files or filename extensions. These are only displayed for
+ # FancyIndexed directories.
+ #
+ AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+ AddIconByType (TXT,/icons/text.gif) text/*
+ AddIconByType (IMG,/icons/image2.gif) image/*
+ AddIconByType (SND,/icons/sound2.gif) audio/*
+ AddIconByType (VID,/icons/movie.gif) video/*
+
+ AddIcon /icons/binary.gif .bin .exe
+ AddIcon /icons/binhex.gif .hqx
+ AddIcon /icons/tar.gif .tar
+ AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+ AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+ AddIcon /icons/a.gif .ps .ai .eps
+ AddIcon /icons/layout.gif .html .shtml .htm .pdf
+ AddIcon /icons/text.gif .txt
+ AddIcon /icons/c.gif .c
+ AddIcon /icons/p.gif .pl .py
+ AddIcon /icons/f.gif .for
+ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+ AddIcon /icons/bomb.gif core
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
+ AddIcon /icons/folder.gif ^^DIRECTORY^^
+ AddIcon /icons/blank.gif ^^BLANKICON^^
+
+ #
+ # DefaultIcon is which icon to show for files which do not have an icon
+ # explicitly set.
+ #
+ DefaultIcon /icons/unknown.gif
+
+ #
+ # AddDescription allows you to place a short description after a file in
+ # server-generated indexes. These are only displayed for FancyIndexed
+ # directories.
+ # Format: AddDescription "description" filename
+ #
+ #AddDescription "GZIP compressed document" .gz
+ #AddDescription "tar archive" .tar
+ #AddDescription "GZIP compressed tar archive" .tgz
+
+ #
+ # ReadmeName is the name of the README file the server will look for by
+ # default, and append to directory listings.
+ #
+ # HeaderName is the name of a file which should be prepended to
+ # directory indexes.
+ ReadmeName README.html
+ HeaderName HEADER.html
+
+ #
+ # IndexIgnore is a set of filenames which directory indexing should ignore
+ # and not include in the listing. Shell-style wildcarding is permitted.
+ #
+ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t .svn
+</IfModule>
+
+#
+# DefaultLanguage and AddLanguage allows you to specify the language of
+# a document. You can then use content negotiation to give a browser a
+# file in a language the user can understand.
+#
+# Specify a default language. This means that all data
+# going out without a specific language tag (see below) will
+# be marked with this one. You probably do NOT want to set
+# this unless you are sure it is correct for all cases.
+#
+# * It is generally better to not mark a page as
+# * being a certain language than marking it with the wrong
+# * language!
+#
+# DefaultLanguage nl
+#
+# Note 1: The suffix does not have to be the same as the language
+# keyword --- those with documents in Polish (whose net-standard
+# language code is pl) may wish to use "AddLanguage pl .po" to
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in some cases
+# the two character 'Language' abbreviation is not identical to
+# the two character 'Country' code for its country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
+#
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+# specifier. There is 'work in progress' to fix this and get
+# the reference data for rfc1766 cleaned up.
+#
+# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+# Norwegian (no) - Polish (pl) - Portugese (pt)
+# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+#
+AddLanguage ca .ca
+AddLanguage cs .cz .cs
+AddLanguage da .dk
+AddLanguage de .de
+AddLanguage el .el
+AddLanguage en .en
+AddLanguage eo .eo
+AddLanguage es .es
+AddLanguage et .et
+AddLanguage fr .fr
+AddLanguage he .he
+AddLanguage hr .hr
+AddLanguage it .it
+AddLanguage ja .ja
+AddLanguage ko .ko
+AddLanguage ltz .ltz
+AddLanguage nl .nl
+AddLanguage nn .nn
+AddLanguage no .no
+AddLanguage pl .po
+AddLanguage pt .pt
+AddLanguage pt-BR .pt-br
+AddLanguage ru .ru
+AddLanguage sv .sv
+AddLanguage zh-CN .zh-cn
+AddLanguage zh-TW .zh-tw
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+#
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
+
+#
+# ForceLanguagePriority allows you to serve a result page rather than
+# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+# [in case no accepted languages matched the available variants]
+#
+ForceLanguagePriority Prefer Fallback
+
+#
+# Commonly used filename extensions to character sets. You probably
+# want to avoid clashes with the language extensions, unless you
+# are good at carefully testing your setup after each change.
+# See http://www.iana.org/assignments/character-sets for the
+# official list of charset names and their respective RFCs.
+#
+AddCharset ISO-8859-1 .iso8859-1 .latin1
+AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+AddCharset ISO-8859-3 .iso8859-3 .latin3
+AddCharset ISO-8859-4 .iso8859-4 .latin4
+AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
+AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
+AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
+AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
+AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
+AddCharset ISO-2022-JP .iso2022-jp .jis
+AddCharset ISO-2022-KR .iso2022-kr .kis
+AddCharset ISO-2022-CN .iso2022-cn .cis
+AddCharset Big5 .Big5 .big5
+# For russian, more than one charset is used (depends on client, mostly):
+AddCharset WINDOWS-1251 .cp-1251 .win-1251
+AddCharset CP866 .cp866
+AddCharset KOI8-r .koi8-r .koi8-ru
+AddCharset KOI8-ru .koi8-uk .ua
+AddCharset ISO-10646-UCS-2 .ucs2
+AddCharset ISO-10646-UCS-4 .ucs4
+AddCharset UTF-8 .utf8
+
+# The set below does not map to a specific (iso) standard
+# but works on a fairly wide range of browsers. Note that
+# capitalization actually matters (it should not, but it
+# does for some browsers).
+#
+# See http://www.iana.org/assignments/character-sets
+# for a list of sorts. But browsers support few.
+#
+AddCharset GB2312 .gb2312 .gb
+AddCharset utf-7 .utf7
+AddCharset utf-8 .utf8
+AddCharset big5 .big5 .b5
+AddCharset EUC-TW .euc-tw
+AddCharset EUC-JP .euc-jp
+AddCharset EUC-KR .euc-kr
+AddCharset shift_jis .sjis
+
+#
+# AddType allows you to add to or override the MIME configuration
+# file mime.types for specific file types.
+#
+#AddType application/x-tar .tgz
+#
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+#
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+#
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+#
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+AddHandler cgi-script .cgi
+
+#
+# For files that include their own HTTP headers:
+#
+#AddHandler send-as-is asis
+
+#
+# For server-parsed imagemap files:
+#
+#AddHandler imap-file map
+
+#
+# For type maps (negotiated resources):
+# (This is enabled by default to allow the Apache "It Worked" page
+# to be distributed in multiple languages.)
+#
+AddHandler type-map var
+
+#
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+#
+# Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /var/www/localhost/error/include files and copying them to /your/includepath/
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+#
+# The internationalized error documents require mod_alias, mod_include
+# and mod_negotiation. To activate them, uncomment the following 30 lines.
+
+# Alias /error/ "/var/www/localhost/error/"
+#
+# <Directory "/var/www/localhost/error">
+# AllowOverride None
+# Options IncludesNoExec
+# AddOutputFilter Includes html
+# AddHandler type-map var
+# Order allow,deny
+# Allow from all
+# LanguagePriority en cs de es fr it nl sv pt-br ro
+# ForceLanguagePriority Prefer Fallback
+# </Directory>
+#
+# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+# ErrorDocument 410 /error/HTTP_GONE.html.var
+# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+
+
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash. This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+# Change the ".example.com" to match your domain to enable.
+#
+<IfDefine INFO>
+ ExtendedStatus On
+ <Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </Location>
+</IfDefine>
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://localhost/server-info (This is useful for debugging)
+#
+<IfDefine INFO>
+ <Location /server-info>
+ SetHandler server-info
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </Location>
+</IfDefine>
+
+
+#
+# Gentoo VHosts
+#
+# For Gentoo we include External Virtual Hosts Files.
+# Please see vhosts.d/00_default_vhost.conf for the default virtual host.
+#
+Include /etc/apache2/vhosts.d/*.conf
diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
new file mode 100644
index 000000000..c97c30936
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
@@ -0,0 +1,37 @@
+# OCSP Server
+
+<VirtualHost *:8880>
+ ServerAdmin root@strongswan.org
+ DocumentRoot /etc/openssl/ocsp
+ ServerName ocsp.strongswan.org
+ ServerAlias 192.168.0.150
+ <Directory "/etc/openssl/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+<VirtualHost *:8881>
+ ServerAdmin root@research.strongswan.org
+ DocumentRoot /etc/openssl/research/ocsp
+ ServerName ocsp.research.strongswan.org
+ ServerAlias ocsp.strongswan.org 192.168.0.150
+ <Directory "/etc/openssl/research/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+<VirtualHost *:8882>
+ ServerAdmin root@sales.strongswan.org
+ DocumentRoot /etc/openssl/sales/ocsp
+ ServerName ocsp.sales.strongswan.org
+ ServerAlias ocsp.strongswan.org 192.168.0.150
+ <Directory "/etc/openssl/sales/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 9e744674d..12025d75c 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -16,3 +16,4 @@ V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
+V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 4d7201a35..9e744674d 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -15,3 +15,4 @@ V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
+V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/13.pem b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem
new file mode 100644
index 000000000..aeca7e1db
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIBEzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA3MDIyNTA3NTg1N1oXDTEyMDIyNDA3NTg1N1owVjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
+HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5
+vVZX3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8
+G7M2uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J
+5rRlvXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+Kdt
+kkCRQYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0If
+pPr/QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDRTWKccFIi95BslK3U92mIQ
+2rWGMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
+b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
+b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAc
+1bBYLYcc+js3UsHVk7W17Nr/qoNFzQZJ5Er3RjhNAgzAX1wOTrNgKXztwZde1Alj
+o05ZLXUFkB4coQwl7xo7I3EMJPUmSdHoyYyG7c7AgfcL/wwnzz4rWQl74WIZjySc
+ON0Ny9vrzbVboktYof/9Yp/+HgeKopfsaIiuNCAwmAWxiYqvDmlxxn16oOXeJFV8
+pFzZMirQ5l7QRD9iuabOdcnBp8ASH+5AbD4KjFQjo5RBVg92LwOkJo3Pf1twI57s
+pObrcM4JbHVohDornYQYfr9ymkMxJbqqkEgD8oIip0NFSbziam4ZkwgUlRIMUMU1
+/xsH+BXYZtKJbYjlnyc8
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..cb585ed08
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
new file mode 100644
index 000000000..77f5bde52
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
+IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
+Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
+bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
+BFAELGmHKfg2R25aWlE8ju//I0ByaoIsm8BPapSiiiwTdho/JPP44/nvHcDQu828
+P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
+mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
+DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
+UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
+4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
+BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
+rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
+cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
+GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
+FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
+BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
+9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
+zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
+14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
+lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
+1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem
new file mode 100644
index 000000000..1af5ecdb9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyBI4V4N1bFgoY9RJSEwEUAQsaYcp+DZHblpaUTyO7/8jQHJq
+giybwE9qlKKKLBN2Gj8k8/jj+e8dwNC7zbw/e5jldtI9mmKIGAWijwELb9j+vFj+
+ySMTOqgcReOD+87VsDS2qNWflrSOmRqLukOZTIGuafUCs6OFH8cC6kIewhvuwAv4
+gRcHIxxlArpu80v08xNgjVPvb63/1xkAAQkN8SHIlkzFAqCZPVI3MvDKzPLUzUcX
+3kPn2AGiTg9pFZawt3DOmV9MqHrUJ4YJiptQ/eqkwqsnxju6/57W9XO5hsmDkNH5
+sXUgYhz1BHImVOSFlyj7NMJBjGm+w07XzKvipwIDAQABAoIBABXLPk3yKQFjXQr6
+3fy9Ix8gRUI9kgnSx9cyinIc+akVDt7/V7DUcSbyv7ZvOkPw3sWfKURWUWcxb/lI
+A502q2eoUR6vajx+DTsoqfuP7pIBfkZAH4kDhB24oFPQo9jzP/3Q0DD2DEtbYck1
+xhDFOlbGLZynLuMopeC/SgcAqt8UAIe5AHoUdkPUZH3MqJppH+PCjhkMzreaY9wc
+mEh7tjKuItdGYt0ZmdrnQboyklMhOikn3nKOQWVINtzTLD4AsOcExPmO3m5j4m+n
+h0AGDFyxUvY/l/DH2xC1C5qu13yumesJ1irURShdwO05nrWUzqT0BH4VyJCvcZiC
+TnLhELkCgYEA6vmBxHXbh58VpJEfnXl8D01ZI7YgXHaNPb43j4GA26pd8JVYkPcQ
+TBRZYRGEYL9CT7mfssJ6yie1ZLdGn+vkKyT2LWXxbO8kvfX5lG93sFmE1oauEuug
+zau/eEh1k5fzlm6KClvFGnmMHqqxy0YMUVkAdT0Kb7PG36Bd9tDMLjsCgYEA2fkw
+p8JVIAwyWF99iubxIL9sNnjJgq2j4Rj4zjtT45ZA1LCe7L1EGhQGsP/0u5u+miX6
+GdMSzwehHVBtTl/Gkg/IjWUQbL/jILeFQM2i6hdo8BCmi8k4f6ZF/Pf+m7ZRcLb/
+opJhvhhelnxfNwxHrshohCvGpGVGvSS8xtXzuoUCgYEAmxeuwHauPNkTFvk27eD2
+sr7x/DFFMOKLHVrFH3JyFAtiT96zg5OfbSftSrWeM6Fp6mdx8jKNi4skHmMeOYYg
+px2RY6uq66T5Em0dnAzq6jpcBKEGmrRuAfK/wWvKN24POJajhGzIL05U3xT5n1sP
+3E2rkLaGge4ecRJPkw6EBmsCgYBQWhL8lJ/Ku5RHjZP7A106JDag8e/e02HJFeqK
+I8at6/KkNSOww6h6MI2y6/fsvOILcxp6MJwLY5WZ988DiDzsFRNqRCpE3Iu+wMhH
+dkarIswVSx4KA7hnHgVI1qauAgyNj3g3Ft0fNV6Q/PIgmc9G+CvHJVgJvCfSi9tn
+NPGu/QKBgExju7N5hrJUlfylwydp7X7jymHJGAac9J2+VhqWIhveCnTYrlwTcuJ6
+NqQDdBvDT0F+7fMxQ9wRglMadfnrwWh0Y7BGybzhlR4NDAAZk1GoxegWOR7HnacT
+bbHir6keeWggJgWHsRew3Yxckzqvi+vn/v3MF/wfRijzXzSAenNl
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index dbe31abbd..165d8bbeb 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -43,7 +43,7 @@ crl_extensions = crl_ext # The extentions to add to the CRL
default_days = 1825 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
email_in_dn = no # allow/forbid EMail in DN
@@ -146,7 +146,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
####################################################################
@@ -158,6 +158,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreemen
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = email:$ENV::COMMON_NAME
+#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 4bd650072..2ccf6489c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,2 +1,3 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 148bab7d6..4bd650072 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1 +1,2 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem
new file mode 100644
index 000000000..279b4191d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz
+MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
+HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2
+ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA
+TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs
+qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo
+h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io
+HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw
+5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
+hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
+9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn
+l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D
+4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78
+d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj
+1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r
+qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
new file mode 100755
index 000000000..c193e8779
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl/research
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
new file mode 100644
index 000000000..279b4191d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz
+MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
+HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2
+ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA
+TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs
+qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo
+h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io
+HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw
+5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
+hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
+9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn
+l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D
+4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78
+d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj
+1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r
+qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
new file mode 100644
index 000000000..adbfe0f92
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArl39cBowZOcLYX8iXDYGLublXSvX6ge5OULMMu+jNiY2dhAr
+/CWTLxgwvXIisBKi90JDfhPdEbrHQqoGmwJditwL20eFTqWgnct9aXT2in0VwE2s
+yB9BhvE/wSJlk7sHhbdF5rApeuUoaFbpdAx1k5YuIzgIByI+nqGJUKUSOgm2bKnX
+BmSUVs2TD2vOkN4tpygLDoloe44NOLixbFrvtrgWJrD0myqmXu+hWOZvj4AMKIdG
+xSSPasuGq8rzWYhU9frd4Xf8Lf2V56mF+FrGXBpTzpSmaIg5Zl81NStWGO9YqB1I
+h+0DmAWGPvPjHOZMLf66KWBG3y3wBDQu1lfvLQIDAQABAoIBAEx5LnknE0h9yJEH
+GEPG8elKHRhC7VxX7NV/RV2lmjhahBI9v3zD4gyKmH3N/Aaq9cxpxH4cKh3nhBLp
+zSHY5LvNDGossPuwSoRKRgOlZ6ePeqWvq3LNuoh7cFG9Sz2CjqcHnWGyq06aCKHS
+VGswN7T17eBGZ8bxLvOVt0qmSxsmg2A2tmZQCAhc6IkEe3L4sqtS4N1y+8J1GSuu
+KlIuT9NtReDiXXQNxr48QJeddj6RE+5xgInUEUGPUrOnv+lllxN42u0Yrqnnci7M
+SNuxiCkYmvUm47zem3mUKrTJnr4uyKSVnzY5wKcbjebnjlaJmWefM6L7wTKYGbbF
+KsXXwOUCgYEA5cXCD09Oeb888dwgvOaVgZqfJaCex2wZ2Wgu8dm3y2YcrNHbrj13
+PU+1fBp29AE4cNowUitL0rHPE232WyKPCsvEt4H/ioucWvXUc9rzNlo+2H4J6ZMI
+4GQp2WXQZeqEAAI35qdcRwIDMRJdsDlg9fAwKAGJAYLhL4fZewmPb8cCgYEAwkU3
+ynMCj1XMvZzhPNS9bACD1euSLTopdAzlASX9bVnDGJ5/KeWl2PqJjrmV3LCjX/4t
+WnGsP5bgv6IGVRpTcjeJSebF2kEA/pwYEZJezwh304JUqsqg4K4QF1ra5v3Wp06e
+Y+sMdUphzTQFAvGzWTSQweSVlXHgrW+VWxdIEWsCgYApwL7b01h6TSMA/DRCv0/p
+pjRHPSG9MUqdNA5bymlYn6yURuo5hlfVn1dmPtTg0Bv2fd+L/uwfVEpByJicxPHj
+T1Xm1sud3HLEIKnDh8TsWofTBUw90ocpZ2onZBXzfyMPcVfBJSZijN4Rm7nEnRie
+eE/35ReFW8gZwADoF7ul3wKBgELkXo+BBnKgUn0/lXbCse6MRtjT4mNcUYW6IuhA
+UoDilYDWomakwnRx4Aea83UoBTk6ZhdsaKkEpKKXgaKwC+eaI9Wkdp/uHg+NY+Q5
+CBg1jDzx9YFRgA+dH8FK8XD0GoNFWNiCyKliUUa9ELSw0NZ4eReqQ69PpNNTRpQ0
+8gW9AoGBAIUpz52BrP0XcIEE+f9ONKGJq+cr1cRXDZlgHBE90GA/b5hfMiAmvaGm
+SVdBXfUzIwEv6fHRqFjXsGqRI1qD6my69khnoObu3H+DR4Dsk/3iwxDMEpK63dfM
+p2fp/wc8G/s/5YVQeAOW0NpPY7qyGDoXN5UcHfLjJw23gbkUJD58
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index b5afd3d2e..706a52635 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 9e22bcb8e..75016ea36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-02
+03
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 5093b34e9..ab3c06416 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,2 +1,3 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index 7378ebb8a..5093b34e9 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1 +1,2 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem
new file mode 100644
index 000000000..ce2ff7b9d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT
+HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs
+ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV
+AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9
+K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO
+yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8
+N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT
+oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw
+ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8
+DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3
+csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg
+pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH
+XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl
+is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH
+kiJdzc42Apd8uw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
new file mode 100755
index 000000000..c53cb9a76
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl/sales
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
new file mode 100644
index 000000000..ce2ff7b9d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
+BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT
+HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs
+ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV
+AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9
+K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO
+yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8
+N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT
+oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw
+ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8
+DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3
+csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg
+pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH
+XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl
+is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH
+kiJdzc42Apd8uw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
new file mode 100644
index 000000000..5d10a3467
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4
+O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP
+dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz
+4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq
+4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb
+aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw
+mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s
+gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4
+qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T
+v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE
+SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD
+BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc
+CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U
+NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC
+E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz
+07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB
+Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ
+s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr
+NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z
+IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be
+GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp
+DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e
+nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4
+xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx
+EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index adb204bc2..687956d60 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index 9e22bcb8e..75016ea36 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-02
+03
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index b1bd38b62..8351c1939 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-13
+14
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 48082f72f..b1bd38b62 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-12
+13
diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp
deleted file mode 100755
index bdc5dab38..000000000
--- a/testing/hosts/winnetou/etc/openssl/start-ocsp
+++ /dev/null
@@ -1,20 +0,0 @@
-#! /bin/sh
-# start an OpenSSL-based OCSP server
-#
-# Copyright (C) 2004 Andreas Steffen
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $
-
-cd /etc/openssl
-openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 &