List: openssl-users
Subject: RE: ocsp response validation problem
From: "Fitzsimons, Nick" <Nick.Fitzsimons () sonyericsson ! com>
Date: 2006-08-31 6:43:46
Message-ID: 5F5FE1B2473B004E9CB8B679D1923FD802858F39 () gbmcmsx01 ! corpusers ! net
Hi,

From my work in this area, I found that the error at the end of the ocsp command is only a problem with the running of the command - the contents of the file produced are not impacted.

However, the way to avoid the error is to concatenate (doing it in a text editor is fine) all the certs in your chain - in PEM format - into a file (chain.pem or similar) and supply this file as the parameter to your -CAfile options.

Hope this helps.

Nick

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org] On Behalf Of Simon McMahon
Sent: Thursday, August 31, 2006 4:49 AM
To: openssl-users@openssl.org
Subject: ocsp response validation problem

Hi,

0.9.8b

I'm doing some OCSP testing and I had a little confusion with OCSP response validation.

If you leave out -CAfile on the request then the validation fails even in the simple case where the CA is the same as the issuer.

The examples in the ocsp(1) doc should include a request that includes the -CAfile argument to make it succeed e.g:

    openssl ocsp -issuer demoCA/cacert.pem -CAfile demoCA/cacert.pem -url http://localhost:8888 -serial 1

This will work when the server is run as shown in the samples section.

If -CAfile is left out then you get a validation error. If you use -CA (a server argument) then it also fails and this is pretty confusing.

Note: A sample of how to make an OCSP responder cert with OCSPSigning in the extended key usage would be nice too. When I work this bit out I can send in a sample for that if that helps.

Simon McMahon
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
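
Added example (not part of either message, nor OpenSSL's own code): a shell helper for the concatenation step described in the reply, producing the chain.pem that is passed as -CAfile in the request form shown in the original post. The function names, the demo file names and the certificate bodies are constructed for illustration. It goes slightly beyond a plain paste by copying only complete certificate blocks, so an input without a trailing newline cannot fuse its END line with the next BEGIN line.

```shell
#!/bin/sh
# build_chain OUT CERT...
# Write the BEGIN/END CERTIFICATE blocks of each input, in order, to OUT.
# Strips CRs and any text outside the blocks; fails (and removes OUT) if an
# input holds no certificate block or ends inside an unterminated one.
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        awk '
            { sub(/\r$/, "") }
            /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
            inside { print }
            /^-----END CERTIFICATE-----$/ { if (inside) n++; inside = 0 }
            END { exit ((n > 0 && !inside) ? 0 : 1) }
        ' "$f" >> "$out" || {
            echo "no complete certificate block in $f" >&2
            rm -f "$out"
            return 1
        }
    done
}

# Number of certificates in a bundle; compare with the expected chain length.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1"; }

# ocsp_check ISSUER CHAIN URL SERIAL
# The request from the thread, with the bundle supplied as -CAfile.
ocsp_check() {
    openssl ocsp -issuer "$1" -CAfile "$2" -url "$3" -serial "$4"
}

# Demo on constructed inputs (placeholder bodies, not real certificates):
# one file without a trailing newline, one with CRLF line endings.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' \
        '-----END CERTIFICATE-----' > "$d/issuing.pem"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQy' \
        '-----END CERTIFICATE-----' > "$d/root.pem"
    n=0
    build_chain "$d/chain.pem" "$d/issuing.pem" "$d/root.pem" &&
        n=$(count_certs "$d/chain.pem")
    rm -rf "$d"
    echo "$n"
}

demo
```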