On Tue, Mar 23, 2010, Konrads Smelkovs wrote:

> Hello,
> 
> I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I
> want to check OCSP response.
> Root chain is added to root list. OpenSSL says all of it is OK:
> Chain has three level architecture - Root which Signs OCSP & Policy, Policy
> which signs issuing CA which signs subscriber CA.
> 
> $ openssl verify ksmelkovs.pem # Cert to verify
> ksmelkovs.pem: OK
> 
> $ openssl verify tssp.pem   # OCSP responder cert
> tssp.pem: OK
> 
> $ openssl verify cacers/*vas*rca*pem
> cacers/vas latvijas pasts ssi(rca).pem: OK
> 
> 
> $ x509 <ksmelkovs.pem -text |grep ocsp
>                 OCSP - URI:http://ocsp.e-me.lv/responder.eme
> $ x509 <ksmelkovs.pem -text |grep Issue
>         Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790,
> OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)
> 
> $ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url
> http://ocsp.e-me.lv/responder.eme
> Response Verify Failure
> 5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> trusted:ocsp_vfy.c:148:
> ksmelkovs.pem: good
>     This Update: Mar 23 11:29:33 2010 GMT
> konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
> ksmelkovs.pem: OK
> 
> Copies of these certs are uploaded here: http://drop.io/lykqq21#
> 
> 
> The 64k USD question: If I have entire trust chain in trusted list, then why
> would it complain?

There are two automatic trust models for OCSP responder certificates. One is
the CA key that signed the certificate also signs responses: that isn't
recommended for security reasons. The other is that the CA signs a responder
certificate with an OCSP signing EKU extension and responses are signed by the
corresponding private key.

Your setup doesn't seem to cover either case. You can explicitly trust the
responder certificate with the -VAfile option or add explicit OCSP signing
trust to the root.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
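The following script is an added illustration of the reply above; it is not from the thread, and every subject name, file name, serial number and date in it is made up. It rebuilds the three-level layout from the question (Root -> issuing CA "CA2" -> subscriber) with a throwaway PKI, then uses openssl ocsp's offline responder mode (-reqin/-respout, no network) to produce three responses: one signed by a responder certificate that CA2 issued with the OCSPSigning EKU (the second automatic trust model), one signed by CA2's own key (the first model), and one signed by a responder certificate issued by the Root, which is the questioner's layout. Verifying the last one reproduces "root ca not trusted", and the script then shows both fixes Steve mentions: -VAfile, and a root with explicit OCSPSigning trust added via x509 -addtrust. It goes beyond the single failing case in the post by exercising all five combinations, and it assumes the OpenSSL 1.1.1/3.x command line rather than the 0.9.8g build in the question.

```shell
#!/bin/sh
# Added example (not part of the original thread): rebuild the post's
# Root -> CA2 -> subscriber chain with a throwaway PKI and show which OCSP
# responder layouts OpenSSL accepts, why a responder issued by the root fails
# with "root ca not trusted", and the two fixes (-VAfile, -addtrust OCSPSigning).
# All subjects, file names, serials and dates below are made up for the demo.
set -e

# issue <name> <issuer-name> <serial> <extension-file>; self-signs when issuer == name
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-$1" \
      -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$3" \
        -days 30 -sha256 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 30 -sha256 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
  fi
}

# respond <signer-name> <output>: answer req.der from index.txt with the named
# cert/key, offline (-reqin/-respout replaces the HTTP exchange).
respond() {
  openssl ocsp -index index.txt -CA ca2.pem -rsigner "$1.pem" -rkey "$1.key" \
      -rother ca2.pem -no_nonce -noverify -reqin req.der -respout "$2" >/dev/null 2>&1
}

# check <response> [extra openssl ocsp options]: prints OK, ROOT_CA_NOT_TRUSTED or FAIL
check() {
  resp=$1; shift
  out=$(openssl ocsp -respin "$resp" -issuer ca2.pem -cert ee.pem -no_nonce "$@" 2>&1 || true)
  case $out in
    *"Response verify OK"*)  echo OK ;;
    *"root ca not trusted"*) echo ROOT_CA_NOT_TRUSTED ;;
    *)                       echo FAIL ;;
  esac
}

ocsp_trust_demo() (
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext

  issue root      root 0x01 ca.ext    # self-signed root
  issue ca2       root 0x02 ca.ext    # issuing CA (the post's CA2)
  issue ee        ca2  0x11 ee.ext    # subscriber certificate
  issue ocsp-ca2  ca2  0x12 ocsp.ext  # responder delegated by the issuing CA
  issue ocsp-root root 0x13 ocsp.ext  # responder issued by the root, as in the post

  # Constructed responder database in openssl-ca index format: serial 0x11 is valid ("V").
  printf 'V\t340101000000Z\t\t11\tunknown\t/CN=demo-ee\n' > index.txt
  openssl ocsp -issuer ca2.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1

  respond ocsp-ca2  delegated.der   # model 2: CA2-issued responder cert with OCSPSigning EKU
  respond ca2       direct.der      # model 1: CA2's own key signs the response
  respond ocsp-root rootsigned.der  # the post's layout: root-issued responder cert

  # Root with explicit OCSP-signing trust (written as a "TRUSTED CERTIFICATE" PEM).
  openssl x509 -in root.pem -addtrust OCSPSigning -out root-ocsp-trusted.pem >/dev/null 2>&1

  echo "delegated=$(check delegated.der -CAfile root.pem)" \
       "direct=$(check direct.der -CAfile root.pem)" \
       "rootsigned=$(check rootsigned.der -CAfile root.pem)" \
       "vafile=$(check rootsigned.der -CAfile root.pem -VAfile ocsp-root.pem)" \
       "addtrust=$(check rootsigned.der -CAfile root-ocsp-trusted.pem)"
)

ocsp_trust_demo
```

The chain itself verifies in every case (the root is trusted for the chain build, which is what the poster's "openssl verify ... OK" shows); what fails for the root-issued responder is the last step of OCSP_basic_verify, where the signer is neither the issuing CA nor delegated by it, so OpenSSL falls back to asking whether the chain's root carries explicit OCSP-signing trust. -VAfile pins that one responder certificate and skips the chain check entirely, while -addtrust OCSPSigning lets anything chaining to that root sign responses, so the former is the narrower grant. -no_nonce is used throughout only because the request and the verification run as separate offline invocations.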
