Hi,

Thanks for your reply and all the information provided. Regarding the third
question, you are right, I want to have an OCSP responder based on a CRL. For
information, the index file is written by parsing a CRL file, but I don't want
to write all the valid certificates into this file, as an enrolment may be done
and my index file may not be synchronized.

I have another question: why is the engine option not available with the ocsp
options? Is it not possible to have the key embedded in an HSM?

Regards,
Adrien

Date: Tue, 14 Aug 2012 19:35:12 +0200
From: erwann.aba...@keynectis.com
To: openssl-users@openssl.org
CC: apis...@hotmail.com
Subject: Re: [openssl-users] OpenSSL OCSP

    Hello,

    Answers inline.

    -- 
    Erwann ABALEA

    On 14/08/2012 19:03, adrien pisarz wrote:

        Hi,

        I have several questions about the ocsp functionality. I read
        many articles before asking those questions and unfortunately I
        still don't have the answers. Maybe you can help me.

        First of all, here is my ocsp configuration:

        openssl ocsp -index index_prod.txt -CAfile OpCA.pem -rsigner
        ocsp.crt -rkey ocsp.key -port 3456 -text -out
        /home/userocsp/ocsp_responder.log

        The index file is populated by a self-made script,

        the ocsp.crt (resp. key) is a certificate (resp. key) which
        contains the ocsp signature extensions,

        the OpCA.pem contains the subCA certificate.

        Here are my questions:

        1. Why does the ocsp client work only if -VAfile is set, and
        otherwise I get a signature error? Is there a way to solve this
        issue?

    Maybe because the responder is not one of:

     - the CA that signed the certificate you're requesting the status
    on

     - a designated responder directly signed by the CA that signed the
    certificate you're requesting the status on

    Reread RFC2560. If you're instantiating the third possible responder
    type (trusted responder whose public key is trusted by the
    requester), then you obviously need to inform the client/requester.
    You didn't provide elements on who signed who, so that's just a
    guess.

        2. If I want to manage several subCAs, should I open a
        port for each subCA?

    With the command-line tool, yes. If you need to have more CAs, then
    you could probably try something more suited than the command-line
    tools. The command-line tool also doesn't respond to GET requests,
    only POST ones.

        3. Why does the ocsp responder require that all the
        certificates (even the valid ones) be present in the
        index.txt in order to provide a correct answer? I expected
        that openssl would check the certificate signature and, if the
        serial is not present in the index.txt, answer good and
        not unknown.

    Design choice. You're giving the responder a database, so it is
    supposed to know *all* the certificates.

    OCSP can be based on CRLs (black-list), but that's not implemented
    by the tool. If that's what you want, you'll have to write your own.

        4. As said, the openssl responder is working, but an
        IHS server is not able to validate its answer and I get these
        errors:

        [...]

        Does anyone know how to configure an IHS with an
        openssl ocsp responder?

    You may ask your provider for this, not OpenSSL.
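As an added example (not part of this thread and not OpenSSL's code), the following Python models the index.txt database the command-line responder reads: it shows why a serial that has no row is answered "unknown" rather than "good", and adds a check that reports which serials in a CRL the index does not know about, which is the synchronisation gap raised in the reply above. The index rows, CRL serials and revocation time are constructed sample data; the column layout follows the OpenSSL ca database format (status, expiry, revocation date, serial, filename, subject).

```python
from datetime import datetime, timezone

# Constructed sample of an OpenSSL index.txt (ca database), tab-separated:
# status  expiry (YYMMDDHHMMSSZ)  revocation date  serial  file  subject DN
SAMPLE_INDEX = (
    "V\t250814120000Z\t\t1001\tunknown\t/CN=server-a\n"
    "R\t250814120000Z\t120814090000Z\t1002\tunknown\t/CN=server-b\n"
    "V\t250814120000Z\t\t1003\tunknown\t/CN=server-c\n"
)

# Constructed list of serials taken from a CRL; 1004 was never enrolled
# into the index, which is the synchronisation problem described above.
SAMPLE_CRL_SERIALS = ["1003", "1004"]
REVOCATION_TIME = datetime(2012, 8, 14, 19, 35, 12, tzinfo=timezone.utc)

def parse_index(text):
    """Parse index.txt rows into {SERIAL: row}; serials normalised to upper-case hex."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        db[serial.upper()] = {"status": status, "expiry": expiry,
                              "revoked": revoked, "subject": subject}
    return db

def status_for(db, serial):
    """Mirror the responder's design choice: a row is required for 'good'."""
    row = db.get(serial.upper())
    if row is None:
        return "unknown"          # not in the database, so not vouched for
    return "revoked" if row["status"] == "R" else "good"

def apply_crl(db, crl_serials, revoked_at):
    """Mark CRL serials as R in the index; return CRL serials the index lacks."""
    stamp = revoked_at.strftime("%y%m%d%H%M%SZ")   # index.txt date layout
    missing = []
    for serial in crl_serials:
        row = db.get(serial.upper())
        if row is None:
            missing.append(serial.upper())
        elif row["status"] != "R":
            row["status"], row["revoked"] = "R", stamp
    return missing

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print("CRL serials missing from index:", apply_crl(db, SAMPLE_CRL_SERIALS, REVOCATION_TIME))
    print({s: status_for(db, s) for s in ("1001", "1002", "1003", "2000")})
```

Serials reported as missing are exactly the certificates a CRL-driven index would answer "unknown" for, so the list is worth alerting on before the index is handed to the responder.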