To recap, I cleaned all the directories to assure nothing is wrong in them.
I still get an unknown response.

These commands were run from a directory and produced the following output to set up the OpenSSL OCSP server:

rm -R demoCA
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
cd demoCA
touch index.txt
echo 1000 > serial
cd ..

openssl req -new -nodes -out ocspsign.csr -keyout ocspsign.key -batch -extensions v3_OCSP -config myconfig.cnf
Generating a 1024 bit RSA private key
....................................++++++
........++++++
writing new private key to 'ocspsign.key'

openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -config myconfig.cnf -batch -passout pass:password
Generating a 1024 bit RSA private key
...............++++++
.......................++++++
writing new private key to './demoCA/private/cakey.pem'

openssl ca -in ocspsign.csr -out authocspsign.crt -batch -extensions v3_OCSP -config myconfig.cnf -passin pass:password
Using configuration from myconfig.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'AU'
stateOrProvinceName   :PRINTABLE:'Some-State'
organizationName      :PRINTABLE:'Redpath Corporation'
Certificate is to be certified until Jul 17 13:01:31 2014 GMT (365 days)
Write out database with 1 new entries
Data Base Updated

cat demoCA/index.txt
V    140718112921Z        1000    unknown    /C=AU/ST=Some-State/O=Redpath Corporation

ls demoCA/newcerts
1000.pem

cp demoCA/newcerts/1000.pem .

openssl ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
Waiting for OCSP client connections...

I noticed there is no option to provide a config file to start the server? I use a config file for all my openssl commands.

Then I run the OCSP request program from the same directory the OCSP server is running in, since I have 1000.pem copied there.
./OCSPrequest
TEST started using url http://127.0.0.1:8082
Using signing cert 1000.pem
call verify now
success spc_create_x509store
Verify result is -12

The output of the server is:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: D56D19422F523984CFB9477E7D39A8176AE3811C
          Issuer Key Hash: D3ADBBBB03E8FDA8102D0BB95DC221A37FE58595
          Serial Number: 1000
    Request Extensions:
        OCSP Nonce:
            0410399CE9BDA5DD039B381C75092B7E3137
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = Some-State, O = Redpath Corporation
    Produced At: Jul 18 11:30:30 2013 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: D56D19422F523984CFB9477E7D39A8176AE3811C
      Issuer Key Hash: D3ADBBBB03E8FDA8102D0BB95DC221A37FE58595
      Serial Number: 1000
    Cert Status: unknown
    This Update: Jul 18 11:30:30 2013 GMT

    Response Extensions:
        OCSP Nonce:
            0410399CE9BDA5DD039B381C75092B7E3137
    Signature Algorithm: sha1WithRSAEncryption
         81:1a:46:32:d2:31:c6:c7:ec:02:b8:02:a7:84:4b:6d:8b:0c:
         18:1a:c9:b3:aa:22:7f:43:6d:96:a7:09:0c:97:45:e2:5e:f1:
         23:86:10:24:5b:b4:48:7e:57:5b:87:9f:b7:88:72:f9:35:4b:
         83:f8:57:40:56:04:f0:40:eb:1b:ae:c7:c2:d7:16:d9:f8:ee:
         d7:9b:79:70:7c:29:e2:f1:6e:13:9b:df:10:09:f9:99:85:6f:
         cb:b3:89:58:99:89:b3:77:07:f3:52:51:63:d2:fc:60:d4:f0:
         3b:d4:ba:21:11:f3:c3:41:16:c7:a0:33:b1:b4:f6:30:c9:3a:
         1d:77
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Redpath Corporation
        Validity
            Not Before: Jul 18 11:29:21 2013 GMT
            Not After : Jul 18 11:29:21 2014 GMT
        Subject: C=AU, ST=Some-State, O=Redpath Corporation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b4:02:c6:2c:c9:82:b0:c0:1c:6e:d2:b8:1d:18:
                    7a:6d:41:5d:5b:94:5b:aa:50:ad:49:c1:49:64:d4:
                    6b:8e:db:34:74:88:e0:e6:78:65:3c:2f:62:d1:c0:
                    7b:a1:19:c6:2e:79:99:99:32:77:09:71:fd:d8:e9:
                    44:12:09:36:88:44:22:e3:7b:18:27:5b:cd:44:7f:
                    a2:e4:ef:18:fc:71:fb:1f:9b:df:34:57:08:66:4e:
                    5d:02:91:ec:14:29:9f:8d:4f:3e:3e:eb:38:38:ac:
                    85:bc:20:fa:9e:33:bb:0a:6c:79:c4:b1:45:81:64:
                    bc:6f:1e:40:4a:58:75:bc:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                OCSP Signing
    Signature Algorithm: md5WithRSAEncryption
         54:f0:69:2d:73:51:f9:42:5b:be:2a:a7:a3:74:db:7a:ca:15:
         87:e0:a2:34:06:30:53:44:d8:08:89:38:4b:d2:2e:f1:d9:4d:
         fc:fc:47:5b:d5:5f:c8:66:7b:5f:5c:e7:1f:0e:55:b9:9a:0b:
         df:50:42:c1:95:ae:6a:a5:8a:0f:0b:2f:13:73:4f:c9:56:21:
         8f:54:a3:52:1c:45:55:4f:6d:49:ed:2f:45:16:c2:3f:22:af:
         63:36:72:56:8c:4e:45:9b:fb:3a:67:1d:2d:b9:65:0e:10:e3:
         a6:57:c6:ba:ac:48:d0:f1:42:fc:3a:d4:07:d1:14:a0:2b:53:
         99:f8
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgICEAAwDQYJKoZIhvcNAQEEBQAwQDELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxHDAaBgNVBAoTE1JlZHBhdGggQ29ycG9yYXRp
b24wHhcNMTMwNzE4MTEyOTIxWhcNMTQwNzE4MTEyOTIxWjBAMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEcMBoGA1UEChMTUmVkcGF0aCBDb3Jwb3Jh
dGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtALGLMmCsMAcbtK4HRh6
bUFdW5RbqlCtScFJZNRrjts0dIjg5nhlPC9i0cB7oRnGLnmZmTJ3CXH92OlEEgk2
iEQi43sYJ1vNRH+i5O8Y/HH7H5vfNFcIZk5dApHsFCmfjU8+Pus4OKyFvCD6njO7
Cmx5xLFFgWS8bx5ASlh1vIcCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8EBAMC
BeAwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEEBQADgYEAVPBpLXNR
+UJbviqno3TbesoVh+CiNAYwU0TYCIk4S9Iu8dlN/PxHW9VfyGZ7X1znHw5VuZoL
31BCwZWuaqWKDwsvE3NPyVYhj1SjUhxFVU9tSe0vRRbCPyKvYzZyVoxORZv7Omcd
LbllDhDjplfGuqxI0PFC/DrUB9EUoCtTmfg=
-----END CERTIFICATE-----

I then run this command:

openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: D56D19422F523984CFB9477E7D39A8176AE3811C
          Issuer Key Hash: 83551DA56838E8893B6BCDD70865A9F23167F4E0
          Serial Number: 1000
    Request Extensions:
        OCSP Nonce:
            04107A6A2A916348D63165C7C18889AC06CC

openssl version
OpenSSL 1.0.1e 11 Feb 2013

I still get unknown as a response.

myconfig.cnf that I used consistently:

cat myconfig.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default        # The default ca section

####################################################################
[ CA_default ]
unique_subject = no #redpath added
dir             = ./demoCA          # Where everything is kept
certs           = $dir/certs        # Where the issued certs are kept
crl_dir         = $dir/crl          # Where the issued crl are kept
database        = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate     = $dir/cacert.pem   # The CA certificate
serial          = $dir/serial       # The current serial number
crl             = $dir/crl.pem      # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert          # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365               # how long to certify for
default_crl_days= 30                # how long before next CRL
default_md      = md5               # which md to use.
preserve        = no                # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca     # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Redpath Corporation

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8082

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

--
View this message in context: http://openssl.6102.n7.nabble.com/OSCP-request-tp45835p45866.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
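Added example, not code from the thread or from OpenSSL: the `openssl ocsp` responder answers "unknown" for any CertID whose issuer name and key hashes differ from the `-CA` certificate, before it consults index.txt at all, and in the dumps above the request built by OCSPrequest carries a different Issuer Key Hash (D3ADBBBB...) from the one `openssl ocsp -issuer ./demoCA/cacert.pem` builds (83551DA5...). The Python below recomputes both CertID hashes from the posted 1000.pem with a small DER walker and mirrors the responder's lookup, showing that the name hash alone cannot tell the CA apart from the signer certificate (both carry the same DN) while the key hash can; it assumes index.txt is tab-separated, and the idea that the client may be handing the wrong certificate over as issuer is a hypothesis to check, not something the thread confirms.

```python
import hashlib, ssl

PEM = """-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgICEAAwDQYJKoZIhvcNAQEEBQAwQDELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxHDAaBgNVBAoTE1JlZHBhdGggQ29ycG9yYXRp
b24wHhcNMTMwNzE4MTEyOTIxWhcNMTQwNzE4MTEyOTIxWjBAMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEcMBoGA1UEChMTUmVkcGF0aCBDb3Jwb3Jh
dGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtALGLMmCsMAcbtK4HRh6
bUFdW5RbqlCtScFJZNRrjts0dIjg5nhlPC9i0cB7oRnGLnmZmTJ3CXH92OlEEgk2
iEQi43sYJ1vNRH+i5O8Y/HH7H5vfNFcIZk5dApHsFCmfjU8+Pus4OKyFvCD6njO7
Cmx5xLFFgWS8bx5ASlh1vIcCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8EBAMC
BeAwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEEBQADgYEAVPBpLXNR
+UJbviqno3TbesoVh+CiNAYwU0TYCIk4S9Iu8dlN/PxHW9VfyGZ7X1znHw5VuZoL
31BCwZWuaqWKDwsvE3NPyVYhj1SjUhxFVU9tSe0vRRbCPyKvYzZyVoxORZv7Omcd
LbllDhDjplfGuqxI0PFC/DrUB9EUoCtTmfg=
-----END CERTIFICATE-----"""  # responder certificate 1000.pem, copied from the thread above

def elems(b, i):
    """(start, content start, end) of every DER element nested directly inside b[i:]."""
    def hdr(j):  # DER length, short or long form -> (header length, content length)
        n, k = b[j + 1], b[j + 1] & 0x7F
        return (2, n) if n < 0x80 else (2 + k, int.from_bytes(b[j + 2:j + 2 + k], "big"))
    h, n = hdr(i)
    i, end, out = i + h, i + h + n, []
    while i < end:
        h, n = hdr(i)
        out.append((i, i + h, i + h + n))
        i += h + n
    return out
def issuer_hashes(der):
    """CertID issuerNameHash/issuerKeyHash (RFC 6960 4.1.1) as OCSP_cert_id_new() derives them
    from the cert handed over as issuer: SHA-1 of the DER subject Name and of the public key bits."""
    tbs = elems(der, elems(der, 0)[0][0])
    if der[tbs[0][0]] == 0xA0:                # skip the explicit [0] version of a v3 cert
        tbs = tbs[1:]
    (s0, _, s1), (k0, _, _) = tbs[4], tbs[5]  # subject, subjectPublicKeyInfo
    _, c, e = elems(der, k0)[1]               # subjectPublicKey BIT STRING; c+1 skips unused-bits byte
    sha = lambda x: hashlib.sha1(x).hexdigest().upper()
    return sha(der[s0:s1]), sha(der[c + 1:e])
def ocsp_status(index_lines, serial, req_id, ca_id):
    """Mirror of the openssl ocsp responder: a CertID whose issuer hashes differ from the
    -CA certificate is answered 'unknown' before index.txt is consulted at all."""
    if req_id != ca_id:
        return "unknown"
    for f in (line.split("\t") for line in index_lines):  # status, expiry, revoked, serial, file, DN
        if f[3].lower() == serial.lower():
            return {"V": "good", "R": "revoked"}.get(f[0], "unknown")
    return "unknown"
# From the thread: the index.txt entry and the CertID that openssl ocsp -issuer ./demoCA/cacert.pem built.
INDEX = ["V\t140718112921Z\t\t1000\tunknown\t/C=AU/ST=Some-State/O=Redpath Corporation"]
CA_ID = ("D56D19422F523984CFB9477E7D39A8176AE3811C", "83551DA56838E8893B6BCDD70865A9F23167F4E0")
SIGNER_ID = issuer_hashes(ssl.PEM_cert_to_DER_cert(PEM))  # same name hash as CA_ID, different key hash
```

Comparing the two hashes in a client's request against `issuer_hashes()` of the certificate it believes is the issuer, and against the CA certificate the responder was started with, pins down which side built the CertID from the wrong certificate.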