Testing an ocsp query to a local openssl ocsp 'server',

  openssl ocsp \
    -issuer /svr/demoCA/certs/CA/CA.cert.pem \
    -cert /svr/demoCA/certs/domains/testdomain.cert.pem \
    -url http://localhost:8888 \
    -resp_text

I get what seems to be a "successful" response of "good" CertStatus,

  OCSP Response Data:
      OCSP Response Status: successful (0x0)
      Response Type: Basic OCSP Response
      Version: 1 (0x0)
      Responder Id: DC = Auth, DC = testdomain, DC = loc, CN = OCSP Responder, O = MyCO, OU = http://testdomain.loc/Auth, L = myCity, ST = NY, C = US
      Produced At: Mar 24 00:53:07 2010 GMT
      Responses:
      Certificate ID:
        Hash Algorithm: sha1
        Issuer Name Hash: 573...DAF
        Issuer Key Hash: E70...B7E
        Serial Number: 126...498
      Cert Status: good
      This Update: Mar 24 00:53:07 2010 GMT

      Response Extensions:
          OCSP Nonce: 041...37A
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 1 (0x1)
          Signature Algorithm: sha512WithRSAEncryption
          Issuer: DC=Auth, DC=tesdomain, DC=loc, CN=MyCO CA, O=MyCO, OU=http:\/\/testdomain.loc\/Auth, L=myCity, ST=CA, C=US
          Validity
              Not Before: Mar 24 00:11:10 2010 GMT
              Not After : Mar 21 00:11:10 2020 GMT
          Subject: DC=Auth, DC=tesdomain, DC=loc, CN=OCSP Responder, O=MyCO, OU=http://testdomain.loc/Auth, L=myCity, ST=CA, C=US
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (4096 bit)
                  Modulus (4096 bit):
                      00:c4:d3:65:59:1d:04:be:d7:bb:5d:46:b2:d2:88:
                      ...
                      88:bf:3f:11:68:db:08:f8:ba:ae:02:1f:07:14:78:
                      27:33:e9
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              Netscape Cert Type:
                  SSL Client, SSL Server, S/MIME, Object Signing
              Netscape Comment:
                  OpenSSL OCSP Responder Certificate
              X509v3 Key Usage: critical
                  Digital Signature
              X509v3 Extended Key Usage:
                  OCSP Signing
              X509v3 Basic Constraints:
                  CA:FALSE
              X509v3 Subject Alternative Name: critical
                  DNS:ocsp.testdomain.loc
      Signature Algorithm: sha512WithRSAEncryption
          82:83:5f:86:1d:23:b4:e1:23:cb:04:e6:8e:f6:a1:e6:4a:3f:
          ...
          3f:b2:23:8b:d9:b1:39:53
  -----BEGIN CERTIFICATE-----
  MIIG6zCCBNOgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCB9TEYMBYGCgmSJomT8ixk
  ...
  +6HEmqK1GCxcDsDUV+nlZ7Rcq4tZgk5b0fK4YiK25YRxtGM/f2hCP7Iji9mxOVM=
  -----END CERTIFICATE-----
  Response Verify Failure
  32044:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
  /svr/demoCA/certs/domains/testdomain.cert.pem: good
          This Update: Mar 24 00:53:07 2010 GMT

But still get this complaint about "local issuer certificate", which, iiuc, has to be available to get the query result back in the 1st place. Or does this error mean something else -- if so, what might that be?

Thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
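
Added example, not part of the original post: in `openssl ocsp`, `-issuer` only supplies the CA certificate used to build the CertID in the request, while the responder certificate that signed the reply is checked against the trust anchors given with `-CAfile` or `-CApath`. The script below reproduces a "good" status with a failed response verification, then repeats the check with `-CAfile`; the PKI, file names and subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all files, subjects and serials below are constructed.

build_demo_pki() {            # $1 = empty working directory
  cd "$1" || return 1
  # Throwaway CA, plus keys and CSRs for a leaf and a delegated OCSP signer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || return 1
  for n in leaf ocsp; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 2 \
    -days 2 -out leaf.pem 2>/dev/null || return 1
  # Responder certificate: issued by the same CA, with the OCSPSigning EKU.
  echo "extendedKeyUsage = OCSPSigning" > ocsp.ext
  openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
    -days 2 -extfile ocsp.ext -out ocsp.pem 2>/dev/null || return 1
  # CA database line marking serial 02 as valid (tab-separated fields).
  printf 'V\t350101000000Z\t\t02\tunknown\t/CN=demo leaf\n' > index.txt
  # Build a request and let the responder sign a reply to a file, no network.
  openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der || return 1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Prints OK or FAIL for verification of resp.der; extra arguments such as
# "-CAfile ca.pem" are passed through to openssl ocsp.
verify_response() {
  if openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce \
       "$@" 2>&1 | grep -q "Response verify OK"; then
    echo OK
  else
    echo FAIL
  fi
}

work=$(mktemp -d) && build_demo_pki "$work" || exit 1
echo "-issuer only          : $(verify_response)"
echo "-issuer and -CAfile   : $(verify_response -CAfile ca.pem)"
```

To trust one specific responder certificate without validating its chain, `-VAfile` takes that certificate directly.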