Re: please help me on OCSP
Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:
Re: please help me on OCSP
Hi,

Thanks a lot prakash for your reply. Actually my application works in this way:

1) I will get the x.509 certificate from any server (let's say) yahoo.com, now from that I will extract yahoo.com user certificate (may be issued by verisign or others), issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since verisign is an OCSP responder I just want to query ocsp.verisign.com for these individual certificates.

But while I was trying with your command

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

I am getting an error message like

    Error Querying OCSP responder
    3256: .. Connect error...

But when I am trying with same command and same certificates to ocsp.openvalidation.org I am getting status information. But only problem with openvalidation is that they don't have up-to-date information (for some cases). Are there any public ocsp responder where I can query them instead of ocsp.verisign.com?

I would be grateful to you if you would give a reply.

Thanks in advance,
Varma

On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:
Re: please help me on OCSP
Maybe your URL is wrong. I just tried this:

    openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text

and it works fine as follows:

    D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
              Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
              Serial Number: 1B148220FC005FD035E866279AE682BE
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = U.S. Government, OU = ECA, OU = VeriSign, Inc., CN = VeriSign Client ECA OCSP Responder
        Produced At: Aug 23 17:10:46 2005 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
          Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
          Serial Number: 1B148220FC005FD035E866279AE682BE
        Cert Status: good
        This Update: Aug 23 17:10:46 2005 GMT
        Next Update: Aug 30 17:10:46 2005 GMT

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
            Validity
                Not Before: Aug 16 00:00:00 2005 GMT
                Not After : Sep 15 23:59:59 2005 GMT
            Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Authority Information Access:
                    CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.101.3.2.1.12.2
                      CPS: https://www.verisign.com/repository/eca/cps
                X509v3 Extended Key Usage: critical
                    OCSP Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation
                OCSP No Check:
                X509v3 Subject Alternative Name:
                    DirName:/CN=OCSP2-TGV-1-141
                X509v3 Subject Key Identifier:
                    30:EF:0D:8E:CD:58:05:E9:73:96:06:4E:63:48:F9:24:59:82:41:D4
                X509v3 Authority Key Identifier:
                    keyid:0D:C0:D8:3D:BF:FB:65:93:C8:37:66:26:E2:8A:12:5F:BB:C2:80:F5
        Signature Algorithm: sha1WithRSAEncryption
Re: please help me on OCSP
It is the OCSP responder cert. I suppose you already have that, right? Or you can use this one which will expire on Sep 15, 2005 though.

--- satish danduvarma [EMAIL PROTECTED] wrote:

> Hi Paul,
>
> That's great. Thanks for your quick response.
> What is tgv.pem file? How can we get that file?
>
> Thanks in advance,
> Varma
>
> On 8/24/05, Paul Simon [EMAIL PROTECTED] wrote:
please help me on OCSP
Hi,

Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others.

I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl. I have a couple of questions.

1) I used the following command to send OCSP request and get response from OCSP responder.

    openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I am executing this command, I am getting response from OCSP responder stating that certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from OCSP responder irrespective of OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get verisign's OCSPServer.pem? Also how can I get the latest OCSPServer.pem file for the given URL?

2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:

    user.pem: WARNING: Status times invalid.
    3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
    unknown
        This Update: Oct 24 06:00:11 2004 GMT
        Next Update: Oct 25 06:00:11 2004 GMT

For this do I need to update my OCSPServer.pem file?

Thank you for your time and consideration. I would be grateful to you if you would help me out as I am spending a lot of time on understanding this. Please help me out.

Thanks,
vv
Re: please help me on OCSP
On Tue, Aug 16, 2005, varma d wrote:

> But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from OCSP responder irrespective of OCSPServer.pem file.

This is an issue of how you trust the response from the OCSP responder. There are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the certificate being validated. In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>
>     user.pem: WARNING: Status times invalid.
>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>     unknown
>         This Update: Oct 24 06:00:11 2004 GMT
>         Next Update: Oct 25 06:00:11 2004 GMT

The responder is saying that its response is valid between those dates: so it is sending out of date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
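As an added example (not code from the thread), the script below builds a throwaway CA and lets openssl ocsp play both responder and client offline, so that Steve's trust cases #2 and #3, the -VAfile option Prakash describes and the -no_nonce flag in Paul's command can each be exercised without reaching a public responder. It assumes only that an openssl binary (1.1.1 or later) is on PATH; every certificate, the CA index and the revocation date are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA in a temp directory lets
# "openssl ocsp" act as responder and client offline, so the trust cases Steve
# lists can be reproduced without reaching a public responder. Needs OpenSSL >= 1.1.1.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Root CA (the thread's ROOT_CA.pem), self-signed with explicit CA extensions.
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -out ca.pem -days 30 -extfile ca.ext 2>/dev/null

# Two end-entity certs (User.pem in the thread); one will be listed as revoked.
for n in user revoked; do
  openssl req -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj "/CN=$n.example" 2>/dev/null
  openssl x509 -req -in $n.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out $n.pem -days 30 2>/dev/null
done

# Delegated responder cert issued by the CA with EKU OCSPSigning: Steve's case #2,
# the same profile as the VeriSign responder cert dumped in Paul's output.
openssl req -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr -subj "/CN=Example OCSP Responder" 2>/dev/null
printf 'extendedKeyUsage=critical,OCSPSigning\nkeyUsage=critical,digitalSignature\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out ocsp.pem -days 30 -extfile ocsp.ext 2>/dev/null

# Constructed CA index in "openssl ca" format: a V row yields "good", an R row
# "revoked". The responder reads only status, serial and revocation date; the
# expiry column (2030-01-01) and the 2024-01-01 revocation date are filler.
serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=user.example\n' "$(serial user.pem)" > index.txt
printf 'R\t300101000000Z\t240101000000Z\t%s\tunknown\t/CN=revoked.example\n' "$(serial revoked.pem)" >> index.txt

# Responder side: sign one response covering both certs and save it as DER.
# -no_nonce as in Paul's command: a later client request cannot reproduce the
# nonce of a saved response, and a nonce mismatch is a verify failure.
openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key -ndays 1 \
  -issuer ca.pem -cert user.pem -cert revoked.pem -no_nonce -respout resp.der >/dev/null

# Client side: verify resp.der under the given trust options and print the status
# asserted for one cert. Non-zero exit means the signature or trust check failed.
check_status() {   # usage: check_status CERT_FILE [verify options...]
  cert=$1; shift
  out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert "$cert" -no_nonce "$@" 2>/dev/null) || return 1
  printf '%s\n' "$out" | sed -n "s/^$cert: //p"
}

check_status user.pem -CAfile ca.pem      # case #2: chain to the CA plus OCSPSigning -> good
check_status revoked.pem -CAfile ca.pem   # same trust path, R row -> revoked
check_status user.pem -VAfile ocsp.pem    # case #3: responder cert trusted explicitly -> good
check_status user.pem || echo "no -CAfile/-VAfile: Response Verify Failure"
```

The last call shows the situation Prakash describes: with neither a trusted CA nor a -VAfile, openssl ocsp still prints the status but exits non-zero because the signer cannot be trusted.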