Hi,
 Is the following command for requesting OCSP status using OpenSSL correct?
 
1) "ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem".
 
If I change the above command by removing the OCSPServer.pem file, I get the status as good but with a message stating "unable to get local issuer certificate".
 
But when I change my OCSP responder to VeriSign, like
"ocsp -url http://ocsp.verisign.com -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem".
 
I get "Responder Error: Unauthorized (6)", which means an unauthorized request.
So what should we do to get an OCSP response from VeriSign, i.e. to overcome this error?
 
Also, you said "The responder is saying that its response is valid between those dates: so it
is sending out of date information." So what do we need to do to get the latest status information from the OCSP responder, i.e. something without this:
 
user.pem: WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
This Update: Oct 24 06:00:11 2004 GMT
Next Update: Oct 25 06:00:11 2004 GMT
 
I would be grateful if you would answer my questions.
 
Thanks
 
On 8/17/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Tue, Aug 16, 2005, varma d wrote:

>
> But, in this command what is the purpose of OCSPServer.pem? I still don't
> understand the purpose of OCSPServer.pem, as we need to just send our request
> and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.
>

This is an issue of how you trust the response from the OCSP responder. There
are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the
certificate being validated.

In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder
is misconfigured and you have to use option #3.

> 2) I tested by giving the latest user certificates other than
> openvalidation.org certificates, but I am
> getting this error
>
> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP
> routines:OCSP_check_validity:status
> expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
>

The responder is saying that its response is valid between those dates: so it
is sending out-of-date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
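The three trust cases in Steve's reply, worked through with `openssl ocsp` run entirely offline. This is an added example, not code from the original thread or from the OpenSSL project. It builds a throwaway PKI (the names ca.pem, resp.pem, other.pem, user.pem, index.txt and the temp directory are this example's own assumptions), answers a stored request with `-index`/`-reqin`/`-respout` instead of a network responder, and then verifies the saved response under each trust anchor, including the two failure modes from the question: a delegated responder with no CA given, and a responder key the CA never delegated to, which only `-VAfile` can make trusted. It needs only the `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the original thread: the three OCSP trust cases
# (CA-signed, delegated responder, locally trusted key) demonstrated with
# `openssl ocsp` entirely offline. All file names are this example's own.
set -e

# Build a throwaway PKI in a temp dir and chdir into it.
setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # Issuing CA (case #1 signs responses with this key).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    # Delegated responder: a CA-issued cert whose EKU is OCSPSigning (case #2).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OCSP Responder" \
        -keyout resp.key -out resp.csr 2>/dev/null
    printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
    openssl x509 -req -in resp.csr -CA ca.pem -CAkey ca.key -set_serial 2 \
        -days 30 -extfile ocsp.ext -out resp.pem 2>/dev/null
    # A key the CA never delegated to: only -VAfile can make it trusted (case #3).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Responder" \
        -keyout other.key -out other.pem 2>/dev/null
    # The end-entity certificate whose status is queried (serial 3).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=user" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 3 \
        -days 30 -out user.pem 2>/dev/null
    # Revocation database in `openssl ca` index format: status, expiry
    # (placeholder date), empty revocation date, serial in hex, file, subject.
    printf 'V\t301231235959Z\t\t03\tunknown\t/CN=user\n' > index.txt
    # The client's request, written to a file instead of being sent anywhere.
    # -no_nonce: a verifier given -respin rebuilds the request with a fresh
    # nonce, which would never match a nonce copied into a stored response.
    openssl ocsp -issuer ca.pem -cert user.pem -no_nonce -reqout req.der >/dev/null 2>&1
}

# Answer req.der the way a responder would, signing with the given cert/key.
# -nmin 5 sets nextUpdate, the field the thread's stale responder got wrong.
respond() {   # $1 signer cert, $2 signer key, $3 response output file
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey "$2" -nmin 5 \
        -no_nonce -reqin req.der -respout "$3" >/dev/null 2>&1
}

# Verify a stored response as a client; extra args choose the trust anchor.
# Prints "<OK|FAIL> <status>", e.g. "OK good" or "FAIL good": OpenSSL still
# prints the certificate status even when it cannot verify who signed it.
check() {   # $1 response file, remaining args passed to openssl ocsp
    resp=$1; shift
    out=$(openssl ocsp -respin "$resp" -issuer ca.pem -cert user.pem -no_nonce "$@" 2>&1 || true)
    if printf '%s\n' "$out" | grep -qi 'response verify ok'; then v=OK; else v=FAIL; fi
    s=$(printf '%s\n' "$out" | sed -n 's/^user\.pem: //p')
    echo "$v $s"
}

setup_pki
respond ca.pem    ca.key    resp_ca.der      # case #1
respond resp.pem  resp.key  resp_deleg.der   # case #2
respond other.pem other.key resp_other.der   # case #3

echo "case 1, signed by the CA key,  -CAfile ca.pem:    $(check resp_ca.der    -CAfile ca.pem)"
echo "case 2, delegated responder,   -CAfile ca.pem:    $(check resp_deleg.der -CAfile ca.pem)"
echo "case 2, delegated responder,   no CA given:       $(check resp_deleg.der)"
echo "case 3, undelegated key,       -CAfile ca.pem:    $(check resp_other.der -CAfile ca.pem)"
echo "case 3, undelegated key,       -VAfile other.pem: $(check resp_other.der -VAfile other.pem)"
```

The second case-2 line reproduces the "status good, but unable to get local issuer certificate" situation from the question: the response is fine, the client just has no way to chain the responder's certificate to anything it trusts. The two case-3 lines are the openvalidation.org situation, where the responder signs with a key the issuing CA never delegated to and `-VAfile` (explicitly trusted responder certificates, skipping chain building) is the only way the client can accept it. On the staleness question, `-nmin`/`-ndays` on the responder side control nextUpdate, and on the client side `-validity_period` and `-status_age` tune how much clock skew and how old a thisUpdate `openssl ocsp` tolerates; nothing on the client can make a responder that only serves year-old responses current.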
