Hi All,
I just started working on OCSP...
And I am trying to set up an OCSP responder using the OpenSSL CLI commands.
Right now, my index.txt file is blank and zero-size (created using the
"touch" command).
I want to know how to fill in revocation information into the index.txt
file, and in what format? (so that I can get a "BAD" OCSP response for
revoked certs).
Also, the zero-size index.txt file results in an "UNKNOWN" OCSP response all
the time.
What do I need to do so that my OCSP Responder returns a "GOOD" response for
those certs NOT in the revoked list?
My CRL is generated in *.pem X.509 format... How can I convert that into
revocation info stored inside the index.txt file?
I request you to kindly clarify.
Regards,
Nagendra U M
varma d wrote:
>
> Hi,
> Today I was very much excited to see this mailing list on OpenSSL. I
> searched several messages and it's great to see that people here are
> helping others.
> I need your help.
>
> I read tutorials on OCSP from http://openvalidation.org about using OCSP
> in OpenSSL.
> I have a couple of questions.
> 1) I used the following command to send an OCSP request and get a response
> from the OCSP responder.
>
> openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> When I execute this command, I get a response from the OCSP responder
> stating that the certificate status is good.
> (I have taken this command/files from openvalidation.org
> (http://www.openvalidation.org/useserviceopenssl.htm))
>
> But in this command, what is the purpose of OCSPServer.pem? I still don't
> understand the purpose of OCSPServer.pem, as we need to just send our
> request and expect a response from the OCSP responder irrespective of the
> OCSPServer.pem file.
>
> If I give my URL as http://ocsp.verisign.com, how can I get Verisign's
> OCSPServer.pem? Also, how can I get the
> latest OCSPServer.pem file for the given URL?
>
> 2) I tested by giving the latest user certificates other than
> openvalidation.org certificates, but I am getting this error:
>
> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
>
> For this, do I need to update my OCSPServer.pem file?
>
>
> Thank you for your time and consideration.
>
> I would be grateful to you if you would help me out, as I am spending a lot
> of time on understanding this.
>
> Please help me out.
>
> Thanks,
> vv
>
>
--
View this message in context:
http://old.nabble.com/please-help-me-on-OCSP-tp643677p27790411.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
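Added example, not part of the original thread: a Python model of the tab-separated index.txt database that `openssl ca` maintains and `openssl ocsp -index` reads, showing why an empty file yields "unknown" and which rows yield "good" or "revoked". The function names, serials, dates and subjects are constructed for illustration, and only `V` and `R` rows are modelled.

```python
# Added example: index.txt rows as read by `openssl ocsp -index`.
# All serials, dates and subjects below are constructed sample values.
from datetime import datetime, timezone

FIELDS = ("flag", "expires", "revoked", "serial", "filename", "subject")

def _stamp(dt):  # UTCTime as stored in index.txt: YYMMDDHHMMSSZ
    return dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")

def make_entry(serial, subject, expires, revoked_at=None, reason=None):
    """Build one index.txt row: V = valid, R = revoked."""
    rev = ""
    if revoked_at is not None:
        rev = _stamp(revoked_at) + (f",{reason}" if reason else "")
    hexserial = f"{serial:X}"
    if len(hexserial) % 2:          # serial column is even-length upper-case hex
        hexserial = "0" + hexserial
    # Fifth column (certificate file name) is normally the literal "unknown".
    return "\t".join(("R" if rev else "V", _stamp(expires), rev,
                      hexserial, "unknown", subject))

def parse_index(text):
    """Return {serial_int: row_dict}; rejects rows this example does not model."""
    db = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        cols = line.split("\t")
        if len(cols) != 6 or cols[0] not in ("V", "R"):
            raise ValueError(f"line {n}: unsupported index.txt row")
        rec = dict(zip(FIELDS, cols))
        if (rec["flag"] == "R") != bool(rec["revoked"]):
            raise ValueError(f"line {n}: flag and revocation date disagree")
        db[int(rec["serial"], 16)] = rec
    return db

def ocsp_status(db, serial):
    """Status a responder backed by this database reports for a serial."""
    rec = db.get(serial)
    if rec is None:
        return "unknown"            # not listed at all, e.g. an empty index.txt
    return "revoked" if rec["flag"] == "R" else "good"

EXP = datetime(2011, 3, 1, tzinfo=timezone.utc)
SAMPLE = "\n".join([
    make_entry(0x01, "/CN=alice.example", EXP),
    make_entry(0x02, "/CN=bob.example", EXP,
               datetime(2010, 3, 2, 12, tzinfo=timezone.utc), "keyCompromise"),
])
```

A CRL carries only serial numbers and revocation dates (plus an optional reason), so `R` rows derived from one still need the expiry date and subject taken from the certificates themselves, and every certificate that should answer "good" needs its own `V` row.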