Hi again,
When I look at the client certificate details using the IE browser, I see this in
the Authority Information Access field:
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol
(1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
So, I think the AIA field exists and it's filled with data.
So my question remains.... why is Apache not reading this info......
Luis
> From: [email protected]
> To: [email protected]
> Subject: Re: OCSP_basic_verify:certificate verify error ( Verify
> error:unable to get local issuer certificate)
> Date: Fri, 16 Jul 2010 14:27:05 -0400
>
> Hi Luis:
>
> See reply inline:
>
> On July 16, 2010 11:05:46 am Luis Neves wrote:
> <snip>
> >
> > Besides this, why do I have to force httpd.conf with a SSLOCSPDefaultResponder
> > directive? Shouldn't the mod_ssl code automatically discover the responder
> > address from the client certificate itself??
> >
>
> From your other mail:
> openssl x509 -in /home/oracle/lneves.pem -noout -text
> <snip a bunch of certificate contents stuff>
> > 2.5.29.46:
> > 0h0f.d.b.`http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-
> >ec_cidadao_autenticacao_crl0003_delta_p0005.crl
> > Authority Information Access:
> > OCSP - URI:http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
>
> The part that catches my eye is the incorrect decoding for
> authorityInfoAccess. First of all, 2.5.29.46 is NOT AIA, but according to:
>
> http://www.alvestrand.no/objectid/2.5.29.46.html
>
> It is "Freshest CRL". This is NOT the OID for AIA, thus the application
> should NOT be able to find the OCSP information. Fix the CA that generated
> this certificate to generate correct PKIX RFC5280 certificates, and at least
> part of your problem should go away.
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
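
Added example, not part of the original messages and not mod_ssl or OpenSSL code: a standard-library Python walker over a DER-encoded Extensions SEQUENCE that lists which extension OIDs are present and returns any OCSP URL carried in the Authority Information Access extension (1.3.6.1.5.5.7.1.1). The function names are hypothetical and the sample bytes are constructed for illustration, using the OIDs and responder URL quoted in the thread.

```python
AIA_OID = "1.3.6.1.5.5.7.1.1"       # authorityInfoAccess (RFC 5280)
OCSP_METHOD = "1.3.6.1.5.5.7.48.1"  # access method shown in the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    arcs, n = [], 0
    for b in val:  # base-128 arcs, high bit marks continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ocsp_urls(extensions_der):
    """Return (extension OIDs present, OCSP URLs found in the AIA extension)."""
    oids, urls = [], []
    for _, ext in children(read_tlv(extensions_der, 0)[1]):
        fields = children(ext)  # extnID, optional critical flag, extnValue
        oids.append(decode_oid(fields[0][1]))
        if oids[-1] != AIA_OID:
            continue
        for _, desc in children(read_tlv(fields[-1][1], 0)[1]):
            (_, method), (tag, loc) = children(desc)
            if decode_oid(method) == OCSP_METHOD and tag == 0x86:  # [6] = URI
                urls.append(loc.decode("ascii"))
    return oids, urls

# Constructed sample: Extensions with 2.5.29.46 (empty placeholder value) and AIA.
tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
URL = b"http://ocsp.auc.cartaodecidadao.pt/publico/ocsp"
aia = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073001")) + tlv(0x86, URL)))
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(0x06, bytes.fromhex("551d2e")) + tlv(0x04, tlv(0x30, b""))) +
    tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070101")) + tlv(0x04, aia)))
```

Calling `ocsp_urls(SAMPLE)` returns the two extension OIDs in order and the responder URL taken from the AIA extension.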