Testing an ocsp query to a local openssl ocsp 'server',

openssl ocsp \
 -issuer /svr/demoCA/certs/CA/CA.cert.pem \
 -cert /svr/demoCA/certs/domains/testdomain.cert.pem \
 -url http://localhost:8888 \
 -resp_text

I get what seems to be a "successful" response of "good" CertStatus,

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: DC = Auth, DC = testdomain, DC = loc, CN = OCSP Responder, O = MyCO, OU = http://testdomain.loc/Auth, L = myCity, ST = NY, C = US
    Produced At: Mar 24 00:53:07 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 573...DAF
      Issuer Key Hash: E70...B7E
      Serial Number: 126...498
    Cert Status: good
    This Update: Mar 24 00:53:07 2010 GMT

    Response Extensions:
        OCSP Nonce:
            041...37A
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: DC=Auth, DC=tesdomain, DC=loc, CN=MyCO CA, O=MyCO, OU=http:\/\/testdomain.loc\/Auth, L=myCity, ST=CA, C=US
        Validity
            Not Before: Mar 24 00:11:10 2010 GMT
            Not After : Mar 21 00:11:10 2020 GMT
        Subject: DC=Auth, DC=tesdomain, DC=loc, CN=OCSP Responder, O=MyCO, OU=http://testdomain.loc/Auth, L=myCity, ST=CA, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:c4:d3:65:59:1d:04:be:d7:bb:5d:46:b2:d2:88:
...
                    88:bf:3f:11:68:db:08:f8:ba:ae:02:1f:07:14:78:
                    27:33:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME, Object Signing
            Netscape Comment:
                OpenSSL OCSP Responder Certificate
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                DNS:ocsp.testdomain.loc
    Signature Algorithm: sha512WithRSAEncryption
        82:83:5f:86:1d:23:b4:e1:23:cb:04:e6:8e:f6:a1:e6:4a:3f:
...
        3f:b2:23:8b:d9:b1:39:53
-----BEGIN CERTIFICATE-----
MIIG6zCCBNOgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCB9TEYMBYGCgmSJomT8ixk
...
+6HEmqK1GCxcDsDUV+nlZ7Rcq4tZgk5b0fK4YiK25YRxtGM/f2hCP7Iji9mxOVM=
-----END CERTIFICATE-----
Response Verify Failure
32044:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
/svr/demoCA/certs/domains/testdomain.cert.pem: good
        This Update: Mar 24 00:53:07 2010 GMT


But still get this complaint about "local issuer certificate", which,
iiuc, has to be available to get the query result back in the 1st
place.

Or does this error mean something else -- if so, what might that be?

Thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
