So, thanks for your help anyway.
Michiels Olivier
Perry The Cynic wrote:
On Mon, Oct 21, 2002 at 07:41:42AM +0200, Michiels Olivier wrote:Hi, my certificate is verified without OCSP and all my roots are there. Do I have to install the certificate that sign the OCSP response ?Well, verifying the OCSP response means verifying the cert chain of its signer. That can be either the CA for the cert you're inquiring about, in which case Mozilla should already have it (how else did it verify the cert?). If the OCSP response is signed by a designated responder key, you may have to explicitly stuff that cert into Mozilla. I don't think the response contains that cert in the default case.If you set Mozilla into "verify everything with that server over there" mode, you are fully responsible for establishing the cert hierarchy for that key, of course. Cheers -- perryThanks, Michiels Olivier Perry The Cynic wrote:Make sure the browser has the necessary root and intermediate certificates to verify the OCSP response. The local OCSP test has access to your cert database, but Mozilla doesn't unless you explicitly provided them (by sticking them into a PKCS7 when you imported the root cert, or imported them explicitly). Cheers -- perry --On Friday, October 18, 2002 9:45 AM +0200 Michiels Olivier <[EMAIL PROTECTED]> wrote:Hi, I've just implemented an OCSP responder and I want to test it with netscape or mozilla. Both browsers returns that the certificate cannot be verified for an unknown reason but when I use the ocsp client of openssl it works. Any idea ? Michiels Olivier ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]--------------------------------------------------------------------------- Perry The Cynic [EMAIL PROTECTED] To a blind optimist, an optimistic realist must seem like an Accursed Cynic. --------------------------------------------------------------------------- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]--------------------------------------------------------------------------- Perry The Cynic [EMAIL PROTECTED] To a blind optimist, an optimistic realist must seem like an Accursed Cynic. --------------------------------------------------------------------------- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
