On Tue, Apr 13, 2010, Chris Bare wrote:
> This command works:
>
> openssl ocsp -issuer issuer.pem -VAfile trusted_dir/ocsp_signer.pem -url http://ocsp.test.com -cert cert.pem -resp_text
>
> but this fails:
>
> openssl ocsp -issuer issuer.pem -CApath trusted_dir -url http://ocsp.test.com -cert cert.pem -resp_text
>
> with:
>
> 3077556488:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
>
> since the signer cert is in the trusted dir, shouldn't the second version be able to find it there?
>
> ocsp_signer.pem is a self-signed cert, does that matter?
>
> I ran strace on the second command and I never see it even open the directory.
Additional candidate signer certificates need to be included in the -verify_other option. If the OCSP signing certificate is self-signed then it needs to be explicitly trusted, which is the -VAfile option; if you use that, it will also be searched as a signer.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org