
List:       openssl-users
Subject:    RE: ocsp response validation problem
From:       "Fitzsimons, Nick" <Nick.Fitzsimons () sonyericsson ! com>
Date:       2006-08-31 6:43:46
Message-ID: 5F5FE1B2473B004E9CB8B679D1923FD802858F39 () gbmcmsx01 ! corpusers ! net

Hi,

From my work in this area, I found that the error at the end of the
ocsp command is only a problem with the running of the command - the
contents of the file produced are not impacted.

However, the way to avoid the error is to concatenate (doing it in a
text editor is fine) all the certs in your chain - in PEM format - into
a file (chain.pem or similar) and supply this file as the parameter to
your -CAfile option.

Hope this helps.

Nick

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org] On Behalf Of Simon McMahon
Sent: Thursday, August 31, 2006 4:49 AM
To: openssl-users@openssl.org
Subject: ocsp response validation problem

Hi,

0.9.8b

I'm doing some OCSP testing and I had a little confusion with OCSP
response validation.

If you leave out -CAfile on the request then the validation fails even
in the simple case where the CA is the same as the issuer.

The examples in the ocsp(1) doc should include a request that includes
the -CAfile argument to make it succeed, e.g.:

openssl ocsp -issuer demoCA/cacert.pem -CAfile demoCA/cacert.pem -url http://localhost:8888 -serial 1

This will work when the server is run as shown in the samples section.
If -CAfile is left out then you get a validation error. If you use -CA
(a server argument) then it also fails and this is pretty confusing.

Note: A sample of how to make an OCSP responder cert with OCSPSigning in
the extended key usage would be nice too. When I work this bit out I can
send in a sample for that if that helps.

Simon McMahon

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
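The following is an added example, not from either message above: a throw-away CA issues a delegated OCSP responder cert (with the OCSPSigning extended key usage Simon asks about) and a leaf cert, "openssl ocsp" signs a response for the leaf in file mode instead of over -port, and the response is then checked with and without -CAfile so the validation failure from the original post can be reproduced. It assumes an openssl CLI (1.1.1 or 3.x) on the PATH; all file names, serials and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: a throw-away CA issues a delegated
# OCSP responder cert (OCSPSigning EKU) and a leaf cert; "openssl ocsp" then signs a
# response for the leaf in file mode, and we verify it with and without -CAfile.
# File names (ca.pem, resp.pem, leaf.pem, index.txt) are constructed for this demo.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
cat > ocsp.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
basicConstraints = CA:FALSE
EOF
# Throw-away CA (plays the role of demoCA/cacert.pem in the thread's command).
openssl req -x509 -config ocsp.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -subj /CN=Demo-CA -keyout ca.key -out ca.pem -days 30 2>/dev/null
issue() { # issue NAME SERIAL EXTENSION_SECTION: cert signed by the demo CA
  openssl req -config ocsp.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -extfile ocsp.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue resp 0x2002 v3_ocsp   # delegated responder cert with OCSPSigning EKU
issue leaf 0x1001 v3_leaf
# Minimal "openssl ca"-style index: serial 1001 (the leaf) is Valid.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt
# Responder mode against a file instead of -port: sign a response for leaf.pem.
openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
  -issuer ca.pem -cert leaf.pem -no_nonce -respout resp.der >/dev/null 2>&1
# Client-side check of that response; returns 0 only on "Response verify OK".
# Extra arguments (e.g. -CAfile ca.pem) are passed through to openssl ocsp.
verify() {
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce "$@" 2>&1 |
    grep -q 'Response verify OK'
}
verify_with_cafile()    { verify -CAfile ca.pem; }  # trust anchor supplied: OK
verify_without_cafile() { verify; }                 # no trust anchor: Verify Failure
```

Passing the CA (or Nick's concatenated chain.pem) via -CAfile is what lets the client build and trust the responder's chain; -issuer alone only identifies the certificate being asked about.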
