Hi Ted,
Thanks for your reply. I see you are busy replying to several different requests for help. :-)
I am glad to hear that the reason I can't find the documentation is that there isn't any.
Your reply helps significantly. I hope you can bear with me for a follow-up question.
I use the following to generate an OCSP request for a cert:
ocsp -issuer <cacert.pem> -cert <cert.pem> -reqout <req.der>
I am then seeking to use the following to generate an OCSP response to the request I have just generated:
ocsp -index <index file> -rsigner <respondercert.pem> -rkey <responderkey.pem> -CA <CACert.pem> -reqin <req.der> -respout <resp.der> -CAfile <certchain.pem>
My understanding is that the contents of <index file> are used to check the status of the cert which is detailed in <req.der>. However, no matter how I try to configure <index file>, I always get the status "Cert Status: unknown".
Given that the certificate whose status I am trying to ascertain has a Subject of:
Subject: CN=Rick, O=Rick <RI>, L=Hamburg>, C=DE
what would I put in the <index file> to enable the ocsp command to find this certificate and return a status which I could set up in this <index file>?
As a first pass I have tried the following:
V 090705233205Z 041009233205Z 01 certs/00000001 /CN=Rick
V 090705233205Z 041009233205Z 02 unknown /CN=Rick/O=Rick <RI>/L=Hamburg/C=DE
in the hope that ocsp would see the V for the cert identified and return a status of valid.
Thanks in advance if you can find the time to help.
Nick
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: [email protected]
Subject: Re: ca format of index.txt. file
Fitzsimons, Nick wrote:
> Hello All,
> Does anyone know where there is a definition of the
> format of the contents of the index.txt file used with the ocsp and ca
> commands ? (This file contains info on the revocation status of
> certificates).
>
> Thanks,
>
> Nick
First of all, the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that.
Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and a newline separates the rows.
The columns are defined as
#define DB_type 0 /* Status of the certificate */
#define DB_exp_date 1 /* Expiry date */
#define DB_rev_date 2 /* Revocation date */
#define DB_serial 3 /* Serial No., index - unique */
#define DB_file 4
#define DB_name 5 /* DN, index - unique when active and not disabled */
DB_type is defined as
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid */
'E' is currently not used by "openssl ca", I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V'.
DB_file currently is always 'unknown' and not used by "openssl ca". I guess the original idea was to store the filename of the generated certificate file here.
The dates are in ASN1_UTCTIME-format.
Hope it helps.
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
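As an added illustration of the format Ted describes (this is example code written for this page, not part of OpenSSL or either poster's message), the following parses an index.txt into its six tab-separated columns, decodes the ASN1_UTCTIME dates, and answers a status query the way the OpenSSL ocsp app does, by matching the request's serial number against the DB_serial column rather than the subject DN. The sample index, the "date,reason" handling for revoked rows, and the function names are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Columns as Ted lists them: DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name
IndexEntry = namedtuple("IndexEntry", "status exp_date rev_date serial file name")

def parse_utctime(s: str) -> datetime:
    # ASN1_UTCTIME is YYMMDDHHMMSSZ; two-digit years 50-99 mean 19xx (RFC 5280 rule)
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError(f"bad UTCTIME {s!r}")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime.strptime(f"{year}{s[2:12]}", "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> dict:
    # One row per line, tab-separated; the serial column is the unique index
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated columns, got {len(cols)}")
        status, exp, rev, serial, file_, name = cols
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: bad DB_type {status!r}")
        # Assumption: a revoked row may carry "date,reason"; only the date is used here
        rev_dt = parse_utctime(rev.split(",")[0]) if rev else None
        if status == "R" and rev_dt is None:
            raise ValueError(f"line {lineno}: revoked entry without revocation date")
        key = serial.upper()
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        entries[key] = IndexEntry(status, parse_utctime(exp), rev_dt, serial, file_, name)
    return entries

def cert_status(entries: dict, serial_hex: str) -> str:
    # The responder matches the request against the serial column, not the subject DN
    e = entries.get(serial_hex.upper())
    if e is None:
        return "unknown"   # no row with that serial -> "Cert Status: unknown"
    if e.status == "R":
        return "revoked " + e.rev_date.strftime("%Y-%m-%dT%H:%M:%SZ")
    return "good"          # 'V'; as Ted notes, expired certs are still 'V' here

# Constructed sample index (tab-separated, not from the thread)
SAMPLE_INDEX = (
    "V\t090705233205Z\t\t01\tunknown\t/CN=Rick/O=Rick <RI>/L=Hamburg/C=DE\n"
    "R\t100101000000Z\t061201120000Z\t02\tunknown\t/CN=Revoked Example\n"
)
```

A request whose certificate serial has no matching row yields "unknown", so the serial in index.txt must be the hex serial of the certificate actually named in the request, whatever the DN column says.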