Hi,
 
The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server.
So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:
openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
 
1. First you must get a certificate from Verisign -User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
 
--Prakash

varma d <[EMAIL PROTECTED]> wrote:
Hi,
  Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others.
I need your help.

  I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl.
I have a couple of questions.
1) I used the following command to send OCSP request and get response from OCSP responder.

openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

When I execute this command, I get a response from the OCSP responder stating that the certificate status is good.
(I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).)

But in this command, what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.

If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the
latest OCSPServer.pem file for the given URL?

2) I tested by giving the latest user certificates other than the openvalidation.org certificates, but I am getting this error:

user.pem:WARNING: Status times invalid.
3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
unknown
This Update: Oct 24 06:00:11 2004 GMT
Next Update: Oct 25 06:00:11 2004 GMT

For this, do I need to update my OCSPServer.pem file?


Thank you for your time and consideration

I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this.

Please help me out.

Thanks,
vv
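
Added example, not part of the original thread: an offline reproduction of what -VAfile changes when the OCSP response is signed by a responder certificate the client cannot chain to a trusted CA. File names mirror the thread; the keys, subjects, serial numbers, index file and the helper names build_demo and verify_response are constructed for this illustration.

```shell
#!/bin/sh
# Added example: all keys, certificates and the index file are constructed
# here and nothing touches the network.
set -eu

build_demo() {   # $1 = empty working directory
  cd "$1"
  # Issuing CA and the end-entity certificate whose status is queried.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout ca.key -out ROOT_CA.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
    -keyout user.key -out user.csr 2>/dev/null
  openssl x509 -req -in user.csr -CA ROOT_CA.pem -CAkey ca.key \
    -set_serial 0x1001 -days 30 -out User.pem 2>/dev/null
  # Responder certificate issued by a separate CA that the client never
  # receives, so the client cannot build a chain for it on its own.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo VA CA" \
    -keyout va.key -out va.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OCSP Responder" \
    -keyout ocsp.key -out ocsp.csr 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA va.pem -CAkey va.key \
    -set_serial 0x2001 -days 30 -out OCSPServer.pem 2>/dev/null
  # Responder database: serial 1001 is Valid (constructed entry).
  printf 'V\t391231235959Z\t\t1001\tunknown\t/CN=Demo User\n' > index.txt
  # Build the request, then let the responder sign a response to a file.
  openssl ocsp -no_nonce -issuer ROOT_CA.pem -cert User.pem -reqout req.der
  openssl ocsp -index index.txt -CA ROOT_CA.pem -rsigner OCSPServer.pem \
    -rkey ocsp.key -reqin req.der -respout resp.der 2>/dev/null
}

verify_response() {   # extra client options, e.g. -VAfile OCSPServer.pem
  if openssl ocsp -no_nonce -respin resp.der -issuer ROOT_CA.pem \
       -cert User.pem "$@" 2>&1 | grep -q 'Response verify OK'; then
    echo trusted
  else
    echo untrusted
  fi
}

work=$(mktemp -d)
build_demo "$work"
echo "with -VAfile:    $(verify_response -VAfile OCSPServer.pem)"
echo "without -VAfile: $(verify_response)"
```

The certificate status inside resp.der is the same in both runs; only the client's decision about whether to believe the responder's signature differs.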
