On Wed, Jun 23, 2004, Christian Weber wrote:

> OK, the previous answer was pretty fast - thank you.
>
> Now there's another stupid question: why does the command
>
> >openssl ocsp -respin ocsp.resp -CAfile CAs.pem
>
> lead to
>
> >Response Verify Failure
> >19961:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> >trusted:ocsp_vfy.c:148:
>
> though the correct root ca cert (CN=6R-Ca 1:PN) is contained in CAs.pem?
>
> The cert seems to be valid and the chain seems to be complete.
> What's wrong?
>
The responder certificate needs to follow the RFC rules. It needs to be either the CA certificate of the certificate whose status is being checked, one delegated by that CA (with the correct extensions) or one explicitly trusted by local configuration.

Also that CA chain violates RFC3280 by the look of it: no basicConstraints extensions in CA certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
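
The three responder-authorization rules and the basicConstraints check from the reply above, as an added example that is not part of the original thread and is not OpenSSL's code. It is a simplified model: the `Cert` class, the function names and the sample certificates are assumptions made for illustration, and "the correct extensions" is modelled as the OCSPSigning extended key usage.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model: certificates are matched by name only. A real verifier
# also checks signatures, validity periods and key identifiers.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: Optional[bool] = None    # basicConstraints CA flag; None = extension absent
    eku: frozenset = frozenset()    # extendedKeyUsage values

def responder_authorization(responder, issuing_ca, locally_trusted=()):
    """Return the rule that authorizes `responder` to answer for certificates
    issued by `issuing_ca`, or None if no rule applies."""
    if responder == issuing_ca:
        return "ca-itself"
    # Delegation must come directly from the CA that issued the checked
    # certificate, and the responder certificate must carry OCSPSigning.
    if responder.issuer == issuing_ca.subject and "OCSPSigning" in responder.eku:
        return "delegated"
    if responder in locally_trusted:
        return "locally-trusted"
    return None

def cas_missing_basic_constraints(chain):
    """Subjects of CA certificates that do not assert basicConstraints CA:TRUE."""
    return [c.subject for c in chain if c.is_ca is not True]

# Constructed sample PKI (hypothetical names, not the poster's certificates).
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
ISSUING = Cert("Example Issuing CA", "Example Root CA")   # no basicConstraints
# Responder signed by the root, without the OCSPSigning usage.
RESP_BAD = Cert("Example OCSP Responder", "Example Root CA", is_ca=False)
# Responder delegated by the issuing CA, with the usage.
RESP_OK = Cert("Example OCSP Responder", "Example Issuing CA", is_ca=False,
               eku=frozenset({"OCSPSigning"}))

if __name__ == "__main__":
    for name, resp in (("root-signed", RESP_BAD), ("delegated", RESP_OK)):
        print(name, "->", responder_authorization(resp, ISSUING))
    print("explicit trust ->", responder_authorization(RESP_BAD, ISSUING, (RESP_BAD,)))
    print("CAs lacking basicConstraints:", cas_missing_basic_constraints([ISSUING, ROOT]))
```

With `openssl ocsp`, the explicit-trust case corresponds to supplying the responder certificate through the `-VAfile` option.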