On Tue, Aug 16, 2005, varma d wrote:

> But, in this command what is the purpose of OCSPServer.pem, I still don't
> understand the purpose of OCSPServer.pem as we need to just send our request
> and expect a response from OCSP responder irrespective of OCSPServer.pem file.
>
This is an issue of how you trust the response from the OCSP responder. There are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the certificate being validated. In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than
> openvalidation.org <http://openvalidation.org> certificates, but I am
> getting this error
>
> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
>

The responder is saying that its response is valid between those dates: so it is sending out of date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org