*To recap I cleaned all the directories to assure nothing is wrong in them.*
*I still get an unknown response.*
These commands were run from a directory and produced the following output
to set up the OpenSSL OCSP Server
rm -R demoCA
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
cd
On Thu, Jul 18, 2013, redpath wrote:
*To recap I cleaned all the directories to assure nothing is wrong in them.*
*I still get an unknown response.*
These commands were run from a directory and produced the following output
to set up the OpenSSL OCSP Server
*The output of the server is*
On Thu, Jul 18, 2013, redpath wrote:
I then run this command
openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash:
Yes this does work good
openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text -url
http://127.0.0.1:8082
and returns the good though there is a verify failure.
Response Verify Failure
140735283018172:error:27069065:OCSP routines:OCSP_basic_verify:certificate
verify
*I found the issue and fixed it but that leads to a question of security*
The error is here. The x509 that I want to check I also provide as the
issuer
since it was issued by the same issuer.
x == is the X509 loaded
req->url = url;
req->cert = x;
req->issuer = x;
but instead I
From: owner-openssl-us...@openssl.org On Behalf Of redpath
Sent: Thursday, 18 July, 2013 11:03
*I found the issue and fixed it but that leads to a question
of security*
The error is here. The x509 that I want to check I also provide as the
issuer
since it was issued by the same issuer.
*Thanks for the quick answer*, actually command line is good as it would be
done in a
child process using a secure vault for password creation that no admin knows
anyway or makes up.
No human involved is always the best solution. Can't trust those humans.
thanks.
I enclosed the correct code
Got the OCSP Server to respond to the test OCSP request program nicely.
*Of course one more question.*
I simply had to set up the infrastructure for the OCSP server excerpted
below.
to create the signing key and directories.
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
chmod demoCA
On Wed, Jul 17, 2013, redpath wrote:
Got the OCSP Server to respond to the test OCSP request program nicely.
*Of course one more question.*
I simply had to set up the infrastructure for the OCSP server excerpted
below.
to create the signing key and directories.
mkdir demoCA
mkdir
To make this more clear, I simply have an X509 and want to programmatically
create an OCSP request to check status for the cert.
There are no examples other than openssl commands, I have a program on a
device and
need to programmatically check x509 periodically.
Thanks in advance.
There are no examples other than openssl commands, I have a program on a
device and need to programmatically check x509 periodically.
That is generally true of most openssl-based applications
You'll have to start by reading and learning apps/ocsp.c
/r$
--
Principal Security
On Tue, Jul 16, 2013, redpath wrote:
To make this more clear, I simply have an X509 and want to programmatically
create an OCSP request to check status for the cert.
You also need the CA certificate as the hash of the CA public key is
needed.
There are no examples other than openssl
I was able to piece together a test application (enclosed below) which loads
an x509 file and performs
an OCSP request programmatically. I created a server to dump what is written
at the port.
The result is shown below.
POST
[ /][Content-Type:application/ocsp-request]
[Content-Length:113]
From: owner-openssl-us...@openssl.org On Behalf Of redpath
Sent: Tuesday, 16 July, 2013 11:13
I was able to piece together a test application (enclosed
below) which loads an x509 file and performs
an OCSP request programmatically. I created a server to dump
what is written at the port.