Shivakumar Balur wrote:
Hi All,
Please provide any solution for
error:
Response Verify Failure
11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:*unable to get local issuer certificate*
resolve.pem: unknown
        This Update: Sep  8 16:38:27 2008 GMT
More description is provided in the mail below.
Advance Thanks & Regards,
Shivakumar
----- Original Message -----
*From:* Shivakumar Balur <mailto:[EMAIL PROTECTED]>
*To:* openssl-users@openssl.org <mailto:openssl-users@openssl.org>
*Sent:* Thursday, September 11, 2008 6:43 PM
*Subject:* Error: unable to get local issuer certificate!!!

Hi,
The mail is quite big with description; please read through and help me. Below are the configuration and execution done for the OCSP request and response.
*What is the reason for the error?*
*What is the solution for the error?*
Any reply is appreciated.
:)
I have even provided the folder structure because the error is related to "unable to get local issuer certificate".
*Folder structure: certifiacte/CACERT/demoCA*
*CLIENT:*
*executed at certificate/*

*Root key generated:* openssl genrsa -out *rootkey.pem* 1024
*root self-signed certificate:* openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout *rootkey.pem* -out *rootcert.pem*
*request generated:* openssl req -nodes -days 365 -newkey rsa:1024 -keyout *reqkey.pem* -out *reqreq.pem*
*issuing:* openssl x509 -days 365 -CA *rootcert.pem* -CAkey *rootkey.pem* -req -CAcreateserial -CAserial ca.srl -in *reqreq.pem* -out *resolve.pem*
*Request sent:* openssl ocsp -issuer *rootcert.pem* -cert *resolve.pem* -url http://xxx.xxx.xx.xxx:8888 -resp_text -respout *resp.der*

error:
Response Verify Failure
11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:*unable to get local issuer certificate*
resolve.pem: unknown
        This Update: Sep  8 16:38:27 2008 GMT
----------------------------------------------------------------------
*RESPONDER:*
*Folder structure:*
    *certifiacte/CACERT/demoCA/private/firstkey.pem*
    *certifiacte/CACERT/demoCA/certs*
    *certifiacte/CACERT/demoCA/index.txt*
    *certifiacte/CACERT/demoCA/cacert.pem*
1. Created folder (*CACERT*).
2. Copied CA.pl from (*/usr/lib/ssl/misc/CA.pl*) into *CACERT*.
3. Copied openssl.cnf from (*/usr/lib/ssl/openssl.cnf*) into *CACERT*.
*executed:* ./CA.pl -newca (creates the *demoCA* folder, which consists of the index.txt file, cacert.pem file, private folder, certs folder, newcerts folder, etc.)
*key generated at demoCA/private/:* openssl genrsa -out *firstkey.pem* 1024
*request generated /demoCA/certs/:* openssl req -new -key *demoCA/private/firstkey.pem* -out *req1.pem* (renamed req1.pem as newreq.pem)
*now execute->* ./CA.pl -sign (newcert.pem is created)
*Responder:* openssl ocsp -index *demoCA/index.txt* -port 8888 -rsigner *newcert.pem* -rkey *demoCA/private/first.key* -CA *demoCA/cacert.pem* -text -out log.txt
Advance Thanks & Regards,
Shivakumar Balur
Try this:

openssl ocsp -issuer *rootcert.pem* -cert *resolve.pem* -url http://xxx.xxx.xx.xxx:8888 -CAfile rootcert.pem -resp_text -respout *resp.der*

You haven't put the CA certificate into the request. That is an idea from a newbie.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
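
The condition behind this error, as an added example that is not part of the thread: `openssl ocsp` reports "Response verify OK" only when the certificate that signed the response chains to a CA given with `-CAfile`. Every file name and CN is constructed, a stock openssl.cnf is assumed, and the responder is run offline with `-reqin`/`-respout` instead of `-port`.

```shell
#!/bin/sh
# Added example: all file names and CNs are constructed for this demo.
# Assumes the stock openssl.cnf, whose "req -x509" defaults mark the cert as a CA.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

build_pki() {   # $1 = empty work directory; leaves resp.der in it
  cd "$1" || return 1
  # Unrelated self-signed root: the only CA the failing client trusts.
  q openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=Client Root" \
    -keyout root.key -out root.pem || return 1
  # CA the responder answers for.
  q openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=Responder CA" \
    -keyout ca.key -out ca.pem || return 1
  # Delegated response signer issued by that CA (needs the OCSPSigning EKU).
  printf 'extendedKeyUsage = OCSPSigning\n' > ext.cnf
  q openssl req -new -nodes -newkey rsa:2048 -subj "/CN=OCSP Signer" \
    -keyout signer.key -out signer.csr || return 1
  q openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile ext.cnf -out signer.pem || return 1
  # Certificate whose status is queried.
  q openssl req -new -nodes -newkey rsa:2048 -subj "/CN=leaf" \
    -keyout leaf.key -out leaf.csr || return 1
  q openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem || return 1
  # Empty index, so the answer for leaf.pem is "unknown"; the signature is
  # what gets verified here, not the status.
  : > index.txt
  q openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der || return 1
  # Offline responder run: read req.der, write the signed resp.der, no socket.
  q openssl ocsp -index index.txt -CA ca.pem -rsigner signer.pem \
    -rkey signer.key -reqin req.der -respout resp.der || return 1
}

verify_resp() {   # $1 = CA file to trust; true only on "Response verify OK"
  openssl ocsp -respin resp.der -CAfile "$1" 2>&1 | grep -q 'Response verify OK'
}

work=$(mktemp -d) || exit 1
build_pki "$work" || { echo "setup failed" >&2; exit 1; }
for ca in root.pem ca.pem; do
  if verify_resp "$ca"; then echo "-CAfile $ca: Response verify OK"
  else echo "-CAfile $ca: Response Verify Failure"; fi
done
```

The two runs differ only in the trusted CA file: `root.pem` did not issue `signer.pem`, while `ca.pem` did.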
