*openssl Configuration question:*
I am using these commands to create a CA signed cert.
openssl req -new -nodes -out my.csr -days 730 -keyout mykey.pem -batch -extensions v3_OCSP -config configname.cnf
openssl ca -out mycert.pem -in my.csr -passin pass:password -config configname.cnf -batch -cert CAcert.pem
*Then I use an OCSP to verify them of which those certs were created the
same way and the CA is given to the OCSP.*
openssl ocsp -CAfile CAcert.pem -issuer CAcert.pem -cert mycert.pem -url http://127.0.0.1:2560 -resp_text
*Result*
Response Verify Failure
140735319386556:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:ocsp_vfy.c:354:
140735319386556:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:152:
mycerm: good
This Update: Aug 21 22:18:53 2013 GMT
Next Update: Aug 21 22:23:53 2013 GMT
*If I use the -noverify option*
openssl ocsp -CAfile CAcert.pem -issuer CAcert.pem -cert mycert.pem -url http://127.0.0.1:2560 -resp_text -noverify
*Result*
mycert.pem: good
This Update: Aug 21 22:18:28 2013 GMT
Next Update: Aug 21 22:23:28 2013 GMT
*My answer is good with no error when using the -noverify*
*My config has this in it*
[ CA_default ]
unique_subject = no
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
*I am sure there is something I am missing in the config or the command line
creating the certs. I am using the -extensions option.*
--
View this message in context:
http://openssl.6102.n7.nabble.com/OPENSSL-Config-file-OCSP-CHECK-DELEGATED-missing-ocspsigning-usage-tp46275.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
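Added example (not part of the original post): a check of whether an issued certificate actually carries the OCSPSigning usage that the error above reports as missing. It builds a throwaway CA in a temp directory with constructed subjects and signs one CSR twice, showing that `openssl ca` applies `[ v3_OCSP ]` only when `-extensions v3_OCSP` (or `x509_extensions`) is given at signing, because CSR extensions are not copied unless `copy_extensions` is set.

```shell
# Added example: throwaway CA in a temp dir; all names and subjects are constructed.
# True if the certificate carries the OCSPSigning extended key usage.
has_ocsp_signing() {
    openssl x509 -in "$1" -noout -text | grep -q 'OCSP Signing'
}

# Signs one CSR twice and prints "<plain> <with-ext>" (yes/no = has OCSPSigning).
issue_both() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
EOF
    : > "$d/index.txt"; echo 01 > "$d/serial"
    {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" -days 30 \
        -config "$d/ca.cnf" -extensions v3_ca -keyout "$d/cakey.pem" -out "$d/CAcert.pem"
    # The CSR requests the extensions, but "openssl ca" does not copy them by default.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test OCSP responder" \
        -config "$d/ca.cnf" -reqexts v3_OCSP -keyout "$d/key.pem" -out "$d/my.csr"
    set -- -batch -notext -config "$d/ca.cnf" -cert "$d/CAcert.pem" -keyfile "$d/cakey.pem" -in "$d/my.csr"
    openssl ca "$@" -out "$d/plain.pem"                      # no -extensions at signing
    openssl ca "$@" -extensions v3_OCSP -out "$d/ocsp.pem"   # section applied at signing
    } >/dev/null 2>&1
    r=""; for c in plain ocsp; do
        if has_ocsp_signing "$d/$c.pem"; then r="$r yes"; else r="$r no"; fi
    done
    rm -rf "$d"; echo "${r# }"
}
issue_both   # prints: no yes
```

The same `has_ocsp_signing` check can be pointed at the certificate the OCSP responder signs with, which is the one the `OCSP_CHECK_DELEGATED` test inspects.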