Maybe your URL is wrong. I just tried this:

openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text

and it works fine as follows:

D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
          Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
          Serial Number: 1B148220FC005FD035E866279AE682BE
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = U.S. Government, OU = ECA, OU = "VeriSign, Inc.", CN = VeriSign Client ECA OCSP Responder
    Produced At: Aug 23 17:10:46 2005 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
      Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
      Serial Number: 1B148220FC005FD035E866279AE682BE
    Cert Status: good
    This Update: Aug 23 17:10:46 2005 GMT
    Next Update: Aug 30 17:10:46 2005 GMT

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
        Validity
            Not Before: Aug 16 00:00:00 2005 GMT
            Not After : Sep 15 23:59:59 2005 GMT
        Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.101.3.2.1.12.2
                  CPS: https://www.verisign.com/repository/eca/cps
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            OCSP No Check:
            X509v3 Subject Alternative Name:
                DirName:/CN=OCSP2-TGV-1-141
            X509v3 Subject Key Identifier:
                30:EF:0D:8E:CD:58:05:E9:73:96:06:4E:63:48:F9:24:59:82:41:D4
            X509v3 Authority Key Identifier:
                keyid:0D:C0:D8:3D:BF:FB:65:93:C8:37:66:26:E2:8A:12:5F:BB:C2:80:F5
    Signature Algorithm: sha1WithRSAEncryption
Response verify OK
eca_usr_cert.pem: good
        This Update: Aug 23 17:10:46 2005 GMT
        Next Update: Aug 30 17:10:46 2005 GMT

--- varma d <[EMAIL PROTECTED]> wrote:

> Hi,
> Thanks a lot prakash for your reply. Actually my application works in
> this way
> 1) I will get the x.509 certificate from any server (let's say)
> yahoo.com, now from that I will extract yahoo.com user certificate
> (may be issued by verisign or others), issuers root certificate.
> 2) Now I need to check the OCSP status of these individual certificates
> 3) Since verisign is an OCSP responder I just want to query
> ocsp.verisign.com for these individual certificates.
>
> but while I was trying with your command
>
> openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> I am getting an error message like
>
> "Error Querying OCSP responder
> ....
> 3256: .. Connect error..."
>
> But when I am trying with the same command and same certificates to
> ocsp.openvalidation.org I am getting status information. But the only
> problem with openvalidation is that they don't have up-to-date
> information (for some cases).
>
> Are there any public OCSP responders where I can query them instead of
> ocsp.versign.com.
>
> I would be grateful to you if you would give a reply.
>
> Thanks in Advance
>
> Thanks,
> Varma
>
>
> On 8/24/05, prakash babu <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> > The -VAfile option is used for explicitly trusting the responder
> > certificate of the ocsp server
> > So if you omit this option you will get the "unable to get local
> > issuer certificate" error.
> >
> > To get this command working
> > openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> > 1. First you must get a certificate from Verisign - User.pem
> > 2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
> > 3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
> > --Prakash
> >
> > *varma d <[EMAIL PROTECTED]>* wrote:
> >
> > Hi,
> > Today I was very much excited to see this mailing list on openSSL. I
> > searched several messages and it's great to see that people here are
> > helping others.
> > I need your help.
> >
> > I read tutorials on OCSP from http://openvalidation.org about using
> > OCSP in openssl,
> > I have a couple of questions.
> > 1) I used the following command to send an OCSP request and get a
> > response from the OCSP responder.
> >
> > openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> >
> > When I am executing this command, I am getting a response from the
> > OCSP responder stating that certificate status is good.
> > (I have taken this command/files from openvalidation.org
> > (http://www.openvalidation.org/useserviceopenssl.htm))
> >
> > But, in this command what is the purpose of OCSPServer.pem, I still
> > don't understand the purpose of OCSPServer.pem as we need to just
> > send our request and expect a response from the OCSP responder
> > irrespective of the OCSPServer.pem file.
> >
> > If I give my URL as http://ocsp.verisign.com, how can I get
> > verisign's OCSPServer.pem. Also how can I get the latest
> > OCSPServer.pem file for the given URL.
> >
> > 2) I tested by giving latest user certificates other than
> > openvalidation.org certificates, but I am getting this error
> >
> > user.pem:WARNING: Status times invalid.
> > 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> > unknown
> > This Update: Oct 24 06:00:11 2004 GMT
> > Next Update: Oct 25 06:00:11 2004 GMT
> >
> > For this do I need to update my OCSPServer.pem file
> >
> >
> > Thank you for your time and consideration
> >
> > I would be grateful to you if you would help me out as I am spending
> > a lot of time on understanding this.
> >
> > Please help me out.
> >
> > Thanks,
> > vv

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
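
Added example, not part of the thread and not OpenSSL's own code: a small parser for the per-certificate lines that `openssl ocsp` prints, applying the This Update / Next Update window check behind the "status expired" error quoted above, so that a stale "good" answer is rejected. The function names, the `stale.pem` record and the 300-second skew default are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input in the layout `openssl ocsp` prints per certificate; the
# dates are the two update windows quoted in the thread, stale.pem is made up.
SAMPLE = """\
eca_usr_cert.pem: good
    This Update: Aug 23 17:10:46 2005 GMT
    Next Update: Aug 30 17:10:46 2005 GMT
stale.pem: good
    This Update: Oct 24 06:00:11 2004 GMT
    Next Update: Oct 25 06:00:11 2004 GMT
"""

def parse_statuses(output):
    """Return one record per 'file: status' line with its update times (UTC)."""
    records = []
    for line in output.splitlines():
        m = re.match(r"(\S+): (good|revoked|unknown)\s*$", line)
        if m:
            records.append({"cert": m.group(1), "status": m.group(2),
                            "this_update": None, "next_update": None})
            continue
        m = re.match(r"\s*(This|Next) Update: (.+)$", line)
        if m and records:
            t = datetime.strptime(m.group(2).strip(), "%b %d %H:%M:%S %Y GMT")
            records[-1][m.group(1).lower() + "_update"] = t.replace(tzinfo=timezone.utc)
    return records

def validity_problems(rec, now, skew=300, max_age=None):
    """Freshness checks modelled on OpenSSL's OCSP_check_validity (assumed
    defaults: 300 s clock skew, no maximum age)."""
    this_u, next_u, slack = rec["this_update"], rec["next_update"], timedelta(seconds=skew)
    if this_u is None:
        return ["missing thisUpdate"]
    problems = []
    if this_u > now + slack:
        problems.append("status not yet valid")
    if max_age is not None and this_u < now - timedelta(seconds=max_age):
        problems.append("status too old")
    if next_u is not None and next_u < now - slack:
        problems.append("status expired")
    if next_u is not None and next_u < this_u:
        problems.append("nextUpdate before thisUpdate")
    return problems

def acceptable(rec, now, **limits):
    """Accept a status only if it is 'good' and inside its validity window."""
    return rec["status"] == "good" and not validity_problems(rec, now, **limits)
```

Pass the current UTC time as `now`; a record that fails here usually means the responder is serving old data or the local clock is wrong, not that the trusted responder certificate needs replacing.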