Charles,
What AIA info does your certificate have, for example authorityInfoAccess = OCSP;URI:http://10.1.0.2:2000

Is your OCSP server running with the URL in the AIA info?

Colin

On Fri, 29 Sept 2023 at 00:34, Charles Mills <charl...@mcn.org> wrote:

> X-Posted IBM-MAIN and RACF-L. It’s not really a RACF issue, but the right
> folks may be hanging out there.
>
> I am trying to educate myself on OCSP.
>
> In the AT-TLS config I code
>
> TTLSEnvironmentAction CAM_FTP_Env
> {
>   ...
>   TTLSGskAdvancedParmsRef CAM_FTP_GSK_Adv_Parms
> }
> ...
> TTLSGskAdvancedParms  CAM_FTP_GSK_Adv_Parms
> {
>   TTLSGskOcspParmsRef CAM_FTP_OCSP_Test
> }
> TTLSGskOcspParms   CAM_FTP_OCSP_Test
> {
>  OcspAiaEnable On
> }
>
> I then run an FTP to public.dhe.ibm.com port 21
>
> It fails with
>
> EZD2052I TTLS Certificate Diagnostics GRPID: 00000004 ENVID: 0000004A
> CONNID: 00002FD2 SSLRetCode= 8 CMSRetCode= 0x03353026 Description=
> Using AIA OCSP, certificate's revocation status could not be
> determined. See CMS return code SubjectDN= <CN=public.dhe.ibm.com,O=International Business Machines Corporation,L=Armonk,ST=New York,C=US>
> IssuerDN= <CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US>
> SerialNumber= 04f4061646aa7287a997de4e74d1fd9d CertificateSource=
>
> CMS RC 0x3353026 says
> Explanation
> The key usage certificate extension does not permit the requested key
> operation.
> User response
> Obtain a certificate, which allows the requested key operation.
>
> However both the DigiCert root and intermediate have keyUsage of both
> Digital Signature and CRL signature, which I believe should be sufficient
> authority to sign an OCSP response.
>
> If I am right it seems like there is an error in System SSL (z/OS V2R5).
>
> The alternative -- that I am wrong -- says that DigiCert does not know
> what they are doing, which seems implausible to me.
>
> Any wisdom from these groups?
>
> https://www.ibm.com/support/pages/apar/OA55141 looks close but it is old
> (2018) and I am on a reasonably up-to-date V2R5.
>
> Charles
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

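The two questions in the thread (which OCSP URL the AIA extension names, and which key is entitled to sign the response) are exactly the checks a client performs before trusting an OCSP answer. The block below is an added example, not code from either message and not System SSL's implementation: it parses the openssl-style authorityInfoAccess text Colin quotes and applies the responder-authorization rules of RFC 6960 section 4.2.2.2 to a minimal, constructed certificate model (the hypothetical names `CN=Example Issuing CA`, `CN=ftp.example.net` and `http://ocsp.example.net` are invented for the demonstration; no real X.509 parsing is done). The digitalSignature requirement for a delegated responder is this example's policy choice, following RFC 5280 section 4.2.1.3's description of that bit, and is not something the thread settles.

```python
"""OCSP responder-authorization check (RFC 6960 4.2.2.2) and AIA parsing
over a minimal, constructed certificate model.  Added example; hypothetical
names throughout, no real X.509 decoding."""
from dataclasses import dataclass

# id-kp-OCSPSigning, the extendedKeyUsage OID a delegated responder must carry
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Just the fields the check needs; a real implementation would take
    these from a parsed certificate."""
    subject: str
    issuer: str
    key_usage: frozenset = frozenset()       # e.g. {"digitalSignature", "cRLSign"}
    ext_key_usage: frozenset = frozenset()   # EKU OIDs
    aia: tuple = ()                          # (accessMethod, location) pairs


def parse_aia(text: str) -> list:
    """Parse openssl-style authorityInfoAccess text such as
    'OCSP;URI:http://10.1.0.2:2000, CA Issuers;URI:http://host/ca.crt'
    into (accessMethod, location) pairs."""
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        method, _, loc = item.partition(";")          # 'OCSP' / 'URI:http://...'
        _kind, _, value = loc.partition(":")          # drop the 'URI' tag
        pairs.append((method.strip(), value.strip()))
    return pairs


def ocsp_urls(cert: Cert) -> list:
    """The OCSP responder URLs a client would contact for this certificate."""
    return [loc for method, loc in cert.aia if method == "OCSP"]


def ocsp_responder_authorized(responder: Cert, issuer_of_target: Cert,
                              trusted_responders: frozenset = frozenset()) -> tuple:
    """Return (authorized, reason) for a certificate that signed an OCSP
    response about a target issued by `issuer_of_target`.  RFC 6960 4.2.2.2
    accepts: (1) the issuing CA's own key, (2) a locally trusted responder,
    (3) a delegated responder issued by that CA with id-kp-OCSPSigning."""
    if responder == issuer_of_target:
        return True, "signed by the issuing CA itself"
    if responder.subject in trusted_responders:
        return True, "locally trusted responder"
    if responder.issuer != issuer_of_target.subject:
        return False, "responder was not issued by the target's CA"
    if ID_KP_OCSP_SIGNING not in responder.ext_key_usage:
        return False, "delegated responder lacks id-kp-OCSPSigning EKU"
    # Policy choice of this example: a delegated signer's keyUsage, when
    # present, must include digitalSignature; cRLSign covers CRLs, not OCSP.
    if responder.key_usage and "digitalSignature" not in responder.key_usage:
        return False, "delegated responder keyUsage lacks digitalSignature"
    return True, "delegated responder with id-kp-OCSPSigning"


# Constructed records (hypothetical, not the certificates from the thread)
CA = Cert("CN=Example Issuing CA", "CN=Example Root",
          key_usage=frozenset({"digitalSignature", "keyCertSign", "cRLSign"}))
TARGET = Cert("CN=ftp.example.net", CA.subject,
              key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
              aia=tuple(parse_aia("OCSP;URI:http://ocsp.example.net, "
                                  "CA Issuers;URI:http://pki.example.net/ca.crt")))
DELEGATED = Cert("CN=Example OCSP Responder", CA.subject,
                 key_usage=frozenset({"digitalSignature"}),
                 ext_key_usage=frozenset({ID_KP_OCSP_SIGNING}))
DELEGATED_NO_EKU = Cert("CN=Example Misconfigured Responder", CA.subject,
                        key_usage=frozenset({"digitalSignature"}))
STRANGER = Cert("CN=Other CA", "CN=Other Root",
                key_usage=frozenset({"digitalSignature", "cRLSign"}),
                ext_key_usage=frozenset({ID_KP_OCSP_SIGNING}))

if __name__ == "__main__":
    print("OCSP URLs from AIA:", ocsp_urls(TARGET))
    for signer in (CA, DELEGATED, DELEGATED_NO_EKU, STRANGER):
        ok, why = ocsp_responder_authorized(signer, CA)
        print(f"{signer.subject:40} {'OK ' if ok else 'REJECT'} {why}")
```

The point worth keeping in mind when reading a return code like the one in the thread: digitalSignature and cRLSign on the CA's own certificate say nothing about a delegated responder, whose certificate must separately be issued by that CA and carry id-kp-OCSPSigning, so checking the AIA URL and then inspecting the certificate the responder actually signs with is the diagnostic path.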