Hi Paul,

That's great. Thanks for your quick response. What is the tgv.pem file? How can we get that file?

Thanks in advance,
Varma

On 8/24/05, Paul Simon <[EMAIL PROTECTED]> wrote:
> Maybe your URL is wrong. I just tried this:
>
> openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
>
> and it works fine as follows:
>
> D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
>           Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
>           Serial Number: 1B148220FC005FD035E866279AE682BE
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = US, O = U.S. Government, OU = ECA, OU = "VeriSign, Inc.", CN = VeriSign Client ECA OCSP Responder
>     Produced At: Aug 23 17:10:46 2005 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
>       Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
>       Serial Number: 1B148220FC005FD035E866279AE682BE
>     Cert Status: good
>     This Update: Aug 23 17:10:46 2005 GMT
>     Next Update: Aug 30 17:10:46 2005 GMT
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
>         Validity
>             Not Before: Aug 16 00:00:00 2005 GMT
>             Not After : Sep 15 23:59:59 2005 GMT
>         Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             Authority Information Access:
>                 CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer
>
>             X509v3 Certificate Policies:
>                 Policy: 2.16.840.1.101.3.2.1.12.2
>                   CPS: https://www.verisign.com/repository/eca/cps
>
>             X509v3 Extended Key Usage: critical
>                 OCSP Signing
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation
>             OCSP No Check:
>
>             X509v3 Subject Alternative Name:
>                 DirName:/CN=OCSP2-TGV-1-141
>             X509v3 Subject Key Identifier:
>                 30:EF:0D:8E:CD:58:05:E9:73:96:06:4E:63:48:F9:24:59:82:41:D4
>             X509v3 Authority Key Identifier:
>                 keyid:0D:C0:D8:3D:BF:FB:65:93:C8:37:66:26:E2:8A:12:5F:BB:C2:80:F5
>
>     Signature Algorithm: sha1WithRSAEncryption
> Response verify OK
> eca_usr_cert.pem: good
>     This Update: Aug 23 17:10:46 2005 GMT
>     Next Update: Aug 30 17:10:46 2005 GMT
>
> --- varma d <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> > Thanks a lot, Prakash, for your reply. Actually my application works in this way:
> > 1) I will get the X.509 certificate from any server (let's say) yahoo.com; now from that I will extract the yahoo.com user certificate (may be issued by Verisign or others) and the issuer's root certificate.
> > 2) Now I need to check the OCSP status of these individual certificates.
> > 3) Since Verisign is an OCSP responder, I just want to query ocsp.verisign.com for these individual certificates.
> >
> > But while I was trying with your command
> >
> > openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> >
> > I am getting an error message like
> >
> > "Error Querying OCSP responder
> > ....
> > 3256: .. Connect error..."
> >
> > But when I am trying with the same command and the same certificates to ocsp.openvalidation.org, I am getting status information. But the only problem with openvalidation is that they don't have up-to-date information (for some cases).
> >
> > Are there any public OCSP responders that I can query instead of ocsp.versign.com?
> >
> > I would be grateful to you if you would give a reply.
> >
> > Thanks in advance
> >
> > Thanks,
> > Varma
> >
> >
> > On 8/24/05, prakash babu <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi,
> > > The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server.
> > > So if you omit this option you will get the "unable to get local issuer certificate" error.
> > >
> > > To get this command working
> > > openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> > > 1. First you must get a certificate from Verisign - User.pem
> > > 2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
> > > 3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
> > > --Prakash
> > >
> > > *varma d <[EMAIL PROTECTED]>* wrote:
> > >
> > > Hi,
> > > Today I was very much excited to see this mailing list on OpenSSL.
> > > I searched several messages and it's great to see that people here are helping others.
> > > I need your help.
> > >
> > > I read tutorials on OCSP from http://openvalidation.org about using OCSP in openssl.
> > > I have a couple of questions.
> > > 1) I used the following command to send an OCSP request and get a response from the OCSP responder.
> > >
> > > openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> > >
> > > When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good.
> > > (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm))
> > >
> > > But in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.
> > >
> > > If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?
> > >
> > > 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error
> > >
> > > user.pem:WARNING: Status times invalid.
> > > 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> > > unknown
> > > This Update: Oct 24 06:00:11 2004 GMT
> > > Next Update: Oct 25 06:00:11 2004 GMT
> > >
> > > For this, do I need to update my OCSPServer.pem file?
> > >
> > >
> > > Thank you for your time and consideration.
> > >
> > > I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this.
> > >
> > > Please help me out.
> > >
> > > Thanks,
> > > vv

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
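
An added example, not part of the thread and not OpenSSL's own code: the "Status times invalid ... OCSP_check_validity:status expired" warning quoted above is a freshness test on the This Update / Next Update fields, and this Python code applies that test to the status lines `openssl ocsp` prints. The sample texts are constructed from the output quoted in the thread, the function names are hypothetical, and the 300-second tolerance is an assumption matching the documented default of the `-validity_period` option.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples, abridged from the openssl output quoted in the thread.
FRESH = """eca_usr_cert.pem: good
    This Update: Aug 23 17:10:46 2005 GMT
    Next Update: Aug 30 17:10:46 2005 GMT
"""
STALE = """user.pem: WARNING: Status times invalid.
unknown
    This Update: Oct 24 06:00:11 2004 GMT
    Next Update: Oct 25 06:00:11 2004 GMT
"""

_STATUS = re.compile(r"(?:^|:\s)(good|revoked|unknown)\s*$", re.M)
_TIME = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s*GMT\s*$", re.M)


def parse_status(text):
    """Return (cert_status, this_update, next_update) from `openssl ocsp` text."""
    status = _STATUS.search(text)
    if status is None:
        raise ValueError("no certificate status line found")
    times = {
        name: datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        for name, value in _TIME.findall(text)
    }
    if "This Update" not in times:
        raise ValueError("This Update field missing")
    return status.group(1), times["This Update"], times.get("Next Update")


def check_validity(this_update, next_update, now, skew=timedelta(seconds=300)):
    """List freshness problems, following the checks OCSP_check_validity reports."""
    problems = []
    if this_update > now + skew:
        problems.append("status not yet valid")
    if next_update is not None:
        if next_update < now - skew:
            problems.append("status expired")
        if next_update < this_update:
            problems.append("next update before this update")
    return problems


def evaluate(text, now):
    """A stale response is rejected whatever certificate status it carries."""
    status, this_update, next_update = parse_status(text)
    problems = check_validity(this_update, next_update, now)
    return "rejected: " + ", ".join(problems) if problems else status
```

Evaluated at the time of the thread, the response Paul received is inside its one-week window, while the 2004 response from the first message had passed its Next Update by ten months, which is a property of the response itself and not of the `-VAfile` certificate.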