Hi,
Thanks a lot, Prakash, for your reply. Actually, my application works in this way:
1) I will get the X.509 certificate from any server, let's say yahoo.com; from that I will extract
the yahoo.com user certificate (may be issued by Verisign or others) and the issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since Verisign is an OCSP responder, I just want to query
ocsp.verisign.com for these individual certificates.
But while I was trying with your command
openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
I am getting an error message like
"Error Querying OCSP responder
....
3256: .. Connect error..."
But when I try the same command and the same certificates against ocsp.openvalidation.org, I get status information. The only problem with openvalidation is that they don't have up-to-date information (for some cases).
Are there any public OCSP responders that I can query instead of ocsp.verisign.com?
I would be grateful to you if you would give a reply.
Thanks in advance
Thanks,
Varma
Hi,
The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server.
So if you omit this option you will get the "unable to get local issuer certificate" error.
To get this command working
openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
--Prakash
varma d <[EMAIL PROTECTED]> wrote:
Hi,
Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others.
I need your help.
I read tutorials on OCSP from http://openvalidation.org about using OCSP in OpenSSL.
I have a couple of questions.
1) I used the following command to send an OCSP request and get a response from the OCSP responder.
openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
When I execute this command, I get a response from the OCSP responder stating that the certificate status is good.
(I have taken this command and these files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).)
But in this command, what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.
If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?
2) I tested by giving the latest user certificates other than openvalidation.org certificates, but I am getting this error:
user.pem:WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
This Update: Oct 24 06:00:11 2004 GMT
Next Update: Oct 25 06:00:11 2004 GMT
For this, do I need to update my OCSPServer.pem file?
Thank you for your time and consideration.
I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this.
Please help me out.
Thanks,
vv
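
The "Status times invalid ... status expired" output in the first message of the thread comes from a comparison of the response's This Update and Next Update times against the client's clock, and "status expired" means Next Update is already in the past by more than the allowed tolerance. The sketch below is an added example, not code from the thread or from OpenSSL: it models that window check in Python with hypothetical function names, uses the 5 minute tolerance that `openssl ocsp` documents as the default for `-validity_period`, and evaluates the two times from the error output against constructed client clock values.

```python
from datetime import datetime, timedelta, timezone

# Assumption: 5 minutes, the documented default tolerance of `openssl ocsp -validity_period`.
DEFAULT_SKEW = timedelta(minutes=5)

def parse_openssl_time(text):
    """Parse a time as printed by `openssl ocsp`, e.g. 'Oct 24 06:00:11 2004 GMT'."""
    parsed = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def check_status_times(this_update, next_update, now, skew=DEFAULT_SKEW, max_age=None):
    """Return the problems with a status validity window; an empty list means acceptable."""
    problems = []
    # thisUpdate may be at most `skew` ahead of the local clock.
    if this_update > now + skew:
        problems.append("status not yet valid")
    # Optional freshness limit (the -status_age idea): thisUpdate must not be too far back.
    if max_age is not None and this_update < now - max_age:
        problems.append("status too old")
    # nextUpdate is optional in an OCSP response; without it nothing more can be checked.
    if next_update is None:
        return problems
    # nextUpdate may be at most `skew` behind the local clock.
    if next_update < now - skew:
        problems.append("status expired")
    if next_update < this_update:
        problems.append("nextUpdate before thisUpdate")
    return problems

# Times copied from the error output quoted in the thread.
THIS_UPDATE = parse_openssl_time("Oct 24 06:00:11 2004 GMT")
NEXT_UPDATE = parse_openssl_time("Oct 25 06:00:11 2004 GMT")

if __name__ == "__main__":
    # Constructed client clocks: inside the window, just past it, and a day past it.
    for label in ("Oct 24 12:00:00 2004 GMT",
                  "Oct 25 06:04:00 2004 GMT",
                  "Oct 26 06:00:11 2004 GMT"):
        now = parse_openssl_time(label)
        result = check_status_times(THIS_UPDATE, NEXT_UPDATE, now)
        print(label, "->", result or "ok")
```

A response whose window has closed is rejected on its times alone, independently of which responder certificate is passed with -VAfile.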