This is the first time I post something, so sorry if I make any mistakes.
I've been playing with the OCSP implementation of OpenSSL and I got some errors. I've been looking for information about the matter, but there isn't much info about OpenSSL OCSP, I suppose because it's a new feature that was included not so long ago. I know the implementation is not complete and not mature at all; I also read http://www.openssl.org/docs/apps/ocsp.html from cover to cover. Well, I won't talk any more; this is my problem:
I ran the ocsp responder:
$ openssl ocsp -index private/index.txt -port 8890 -CA private/cacert.crt -rkey key/2.key -rsigner certs/2.crt -text -out log.txt
- The cacert.crt file is a simple self-signed certificate using the default openssl.cnf config.
- The 2.key and 2.crt files are the private key and the certificate for the responder.
The Netscape certType of the responder certificate is Object Signing, as you can see:
$ openssl x509 -inform PEM -in certs/2.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        ... blah
        Netscape Cert Type: Object Signing
        ... blah
The 2.key file is a simple 1024-bit RSA key.
Time to make a request to the OCSP responder; well, I'll ask for the status of certificate 0x1:
$ openssl ocsp -issuer private/cacert.crt -serial 0x1 -text -CAfile private/cacert.crt -url http://localhost:8890/
.... blah
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = ES, ST = Andalusia, L = Seville, O = rammataz, OU = computers, CN = responder OCSP prueba, emailAddress = prueba
... blah
Cert Status: revoked <--- (cert 0x1 is revoked, that's OK, this is true)
(It seems the reply is OK, but I got these errors.)
-----END CERTIFICATE-----
Response Verify Failure
1214:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:ocsp_vfy.c:348:
1214:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
0x1: revoked
What's wrong? Is anything missing?
And something else: when I ask for the status of a non-revoked cert I get this:
CertStatus: unknown
I had a look at the index.txt and it seems there's only info about revoked certs, so is that why the responder said "unknown" when I asked for a still-valid cert?
Thank you very much,
Pablo
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
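The two failures in the post point at two separate things. The "OCSP_CHECK_DELEGATED: missing ocspsigning usage" error is the client refusing a delegated responder certificate that does not carry the OCSP Signing extended key usage; that check is what keeps an arbitrary certificate issued by the CA from signing status responses for the CA's other certificates, and the "root ca not trusted" error that follows is the client's fallback (explicit OCSP trust on the root) also failing. The "unknown" answer for a valid certificate is the documented behaviour of openssl ocsp -index: any serial that is not recorded in the index.txt gets status unknown, so an index that only lists revoked certificates can never say "good". The shell script below is an added example, not code from the post or from the OpenSSL project. It builds a throwaway CA, issues a responder certificate with the right extension beside one that carries only the Netscape objsign type like the one in the post, checks both for the extension the OCSP client expects, and mimics the responder's V/R/not-listed decision against a constructed index.txt. Every file name, DN, date and serial in it is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project).
# Builds a throwaway CA, a delegated OCSP responder certificate with the
# OCSPSigning extended key usage, a certificate with only nsCertType=objsign,
# and an index.txt with valid (V) and revoked (R) entries; all names, DNs,
# dates and serials are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so "openssl req" works without the system openssl.cnf.
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' > "$WORK/req.cnf"
  printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' >> "$WORK/req.cnf"
}

# Throwaway CA plus two leaf certificates signed by it.
make_pki() {
  write_req_cnf
  (
    cd "$WORK"
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -days 30 -subj "/CN=Example Test CA" >/dev/null 2>&1
    # Responder certificate: the extensions a delegated OCSP signer needs.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = OCSPSigning\n' > resp.ext
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout resp.key -out resp.csr \
      -subj "/CN=Example OCSP Responder" >/dev/null 2>&1
    openssl x509 -req -in resp.csr -CA ca.crt -CAkey ca.key -set_serial 2 -days 30 \
      -extfile resp.ext -out resp.crt >/dev/null 2>&1
    # Certificate with only the Netscape objsign type, as in the post: not an OCSP signer.
    printf 'basicConstraints = CA:FALSE\nnsCertType = objsign\n' > objsign.ext
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout objsign.key -out objsign.csr \
      -subj "/CN=Object Signing Only" >/dev/null 2>&1
    openssl x509 -req -in objsign.csr -CA ca.crt -CAkey ca.key -set_serial 3 -days 30 \
      -extfile objsign.ext -out objsign.crt >/dev/null 2>&1
  )
}

# Returns 0 when the certificate carries the OCSP Signing extended key usage
# (the check that produced "missing ocspsigning usage" in the post), else 1.
has_ocsp_signing_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'OCSP Signing'
}

# index.txt in the format "openssl ca" maintains and "openssl ocsp -index" reads:
# status, expiry, revocation date (empty unless R), serial in hex, filename, DN.
# Serial 01 is revoked as in the post; 04 is recorded as valid; 05 is never listed.
write_index() {
  {
    printf 'R\t300101000000Z\t240101000000Z\t01\tunknown\t/CN=revoked.example\n'
    printf 'V\t300101000000Z\t\t04\tunknown\t/CN=valid.example\n'
  } > "$WORK/index.txt"
}

# Normalise a serial the way the responder looks it up: upper-case hex,
# no 0x prefix, even number of digits.
norm_serial() {
  s=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
  [ $(( ${#s} % 2 )) -eq 0 ] || s="0$s"
  printf '%s' "$s"
}

# The decision the responder makes: V -> good, R -> revoked, not listed -> unknown.
# A still-valid certificate that index.txt never recorded therefore comes back unknown.
cert_status() {
  awk -F'\t' -v serial="$(norm_serial "$1")" '
    $4 == serial && $1 == "V" { print "good";    found = 1; exit }
    $4 == serial && $1 == "R" { print "revoked"; found = 1; exit }
    END { if (!found) print "unknown" }
  ' "$WORK/index.txt"
}

write_index
echo "0x1 -> $(cert_status 0x1)"   # revoked
echo "0x4 -> $(cert_status 0x4)"   # good
echo "0x5 -> $(cert_status 0x5)"   # unknown (not in index.txt)

if command -v openssl >/dev/null 2>&1; then
  make_pki
  for c in resp objsign; do
    if has_ocsp_signing_eku "$WORK/$c.crt"; then
      echo "$c.crt: has OCSP Signing EKU, acceptable as a delegated responder"
    else
      echo "$c.crt: no OCSP Signing EKU, clients report 'missing ocspsigning usage'"
    fi
  done
fi
```

The responder certificate is the piece to fix first: it must be issued by the same CA as the certificates it answers for and carry extendedKeyUsage = OCSPSigning (or the responder must sign with the CA key itself). For the "unknown" answers, the index.txt has to contain a V line for every certificate the responder should call good, which is what openssl ca writes when it issues a certificate.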