On Wed, Jul 17, 2013, redpath wrote:

> Got the OCSP Server to respond to the test OCSP request program nicely.
> *Of course one more question.*
> 
> I simply had to set up the infrastructure for the OCSP server, excerpted
> below, to create the signing key and directories.
> 
> mkdir demoCA
> mkdir demoCA/newcerts
> mkdir demoCA/private
> chmod demoCA
> touch index.txt
> echo 1000 > serial
> openssl req -new -nodes -out  ocspsign.csr -keyout ocspsign.key -batch
> -extensions v3_OCSP -config myconfig.cnf
> openssl req -new -x509 -days 3650 -extensions v3_ca  -keyout
> ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -config myconfig.cnf
> -batch  -passout pass:password
> openssl ca -in ocspsign.csr  -out  authocspsign.crt -batch -extensions
> v3_OCSP -config myconfig.cnf -passin  pass:password
> 
> The index.txt file looks like this now
> 
> cat index.txt
> V     140717130131Z           1000    unknown /C=AU/ST=Some-State/O=Redpath Corporation
> 
> 
> I start the server as
> 
> openssl ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt
> -rkey ocspsign.key  -CA ./demoCA/cacert.pem -text 
> 
> and execute the OCSP request with a PEM that was created with serial ID
> 1000.
> 
> The OCSP request and response are shown below
> 
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: D56D19422F523984CFB9477E7D39A8176AE3811C
>           Issuer Key Hash: CD0B919B45A50EA0BDCE66D7215BA27CE33E2326
>           *Serial Number: 1000*
>     Request Extensions:
>         OCSP Nonce: 
>             0410206070FB6BD7959849367CEA406BBDBD
> 
> 
> 
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = AU, ST = Some-State, O = Redpath Corporation
>     Produced At: Jul 17 13:26:58 2013 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: D56D19422F523984CFB9477E7D39A8176AE3811C
>       Issuer Key Hash: CD0B919B45A50EA0BDCE66D7215BA27CE33E2326
>       *Serial Number: 1000*
>     Cert Status: *unknown*
>     This Update: Jul 17 13:26:58 2013 GMT
> 
> *But the Cert Status says UNKNOWN? The cert is in demoCA/newcerts/1000.pem.
> The index.txt file looks okay to me.*
> 
> V     140717130131Z           1000    unknown /C=AU/ST=Some-State/O=Redpath Corporation
> 
> *So what is the issue?*
> 

The most probable cause is that the certificate ID doesn't match
the CA. What do you get from the command:

openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
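Steve's diagnostic boils down to checking whether the CertID in the request was built from the same CA certificate the responder is using. As an added example (not from the thread, and not OpenSSL's own code), this standard-library Python script recomputes the issuerNameHash and issuerKeyHash from a PEM or DER issuer certificate, so the two values can be compared against the `Issuer Name Hash` and `Issuer Key Hash` lines in the `openssl ocsp -text` output above; the file name on the command line is a placeholder.

```python
import base64
import hashlib
import sys

def load_cert(data):
    """Accept PEM or DER certificate bytes and return raw DER."""
    if data.lstrip().startswith(b"-----"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed value into (tag, value, raw TLV bytes) triples."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val, content[start:pos]))
    return out

def digest_hex(data, algo="sha1"):
    return hashlib.new(algo, data).hexdigest().upper()

def issuer_hashes(cert_der, algo="sha1"):
    """Return (issuerNameHash, issuerKeyHash) as in an OCSP CertID (RFC 6960 4.1.1):
    hash of the issuer's subject Name TLV, and hash of the subjectPublicKey
    BIT STRING contents with the leading unused-bits octet dropped."""
    _, cert, _ = read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                    # tbsCertificate SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                         # skip optional [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    subject_raw = fields[4][2]
    bit_string = children(fields[5][1])[1][1]        # second SPKI child
    return digest_hex(subject_raw, algo), digest_hex(bit_string[1:], algo)

if __name__ == "__main__":                           # usage: python certid.py cacert.pem
    name_hash, key_hash = issuer_hashes(load_cert(open(sys.argv[1], "rb").read()))
    print("Issuer Name Hash:", name_hash)            # compare with the OCSP request's CertID
    print("Issuer Key Hash: ", key_hash)
```

If either value differs from the one in the request, the request was built against a different issuer certificate than the one passed to `-CA`, which is the mismatch Steve suspects.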
