Hi,

0.9.8b

I'm doing some OCSP testing and I had a little confusion with OCSP response validation. If you leave out -CAfile on the request then the validation fails even in the simple case where the CA is the same as the issuer. The examples in the ocsp(1) doc should include a request that includes the -CAfile argument to make it succeed, e.g.:

    openssl ocsp -issuer demoCA/cacert.pem -CAfile demoCA/cacert.pem -url http://localhost:8888 -serial 1

This will work when the server is run as shown in the samples section. If -CAfile is left out then you get a validation error. If you use -CA (a server argument) then it also fails and this is pretty confusing.

Note: A sample of how to make an OCSP responder cert with OCSPSigning in the extended key usage would be nice too. When I work this bit out I can send in a sample for that if that helps.

Simon McMahon

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
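Added example (not from the mail above or the OpenSSL project): a shell script that builds a throwaway CA and a leaf cert with serial 1 in place of demoCA, writes the ca-style index.txt, issues a delegated responder cert carrying the OCSPSigning extended key usage, and then runs the openssl responder for one request at a time so the client's verification result can be checked with and without -CAfile. It assumes a current openssl on PATH; the file names, the ports and the use of -nrequest 1 (so each responder exits after serving a single request) are choices made here.

```shell
# Added example, not from the original mail: throwaway CA, leaf cert with
# serial 1, ca-style index, then the openssl responder serving one request
# at a time while the client is run with and without -CAfile.
# Assumes openssl on PATH; file names and ports are constructed here.
set -u

ocsp_setup() {
    WORK=$(mktemp -d); cd "$WORK" || return 1
    # CA (stands in for demoCA/cacert.pem) and a leaf cert with serial 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem \
        -out cacert.pem -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA cacert.pem -CAkey cakey.pem \
        -set_serial 1 -days 30 -out leaf.pem >/dev/null 2>&1
    # Delegated responder cert: issued by the CA with the OCSPSigning EKU
    printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
    openssl req -newkey rsa:2048 -nodes -keyout resp.key -out resp.csr \
        -subj "/CN=OCSP Responder" >/dev/null 2>&1
    openssl x509 -req -in resp.csr -CA cacert.pem -CAkey cakey.pem \
        -set_serial 2 -days 30 -extfile ocsp.ext -out resp.pem >/dev/null 2>&1
    # index.txt: status, expiry, revocation date, serial, file, subject
    printf 'V\t491231235959Z\t\t01\tunknown\t/CN=leaf\n' > index.txt
}

# ocsp_query PORT SIGNER_CERT SIGNER_KEY [extra client options]
# Runs a responder for exactly one request (-nrequest 1), queries serial 1
# and prints the client's combined output.
ocsp_query() {
    port=$1; signer=$2; key=$3; shift 3
    openssl ocsp -index index.txt -port "$port" -rsigner "$signer" \
        -rkey "$key" -CA cacert.pem -nrequest 1 >/dev/null 2>&1 &
    srv=$!
    for _ in 1 2 3 4 5; do           # give the responder time to listen
        sleep 1
        out=$(openssl ocsp -issuer cacert.pem -url "http://127.0.0.1:$port" \
            -serial 1 "$@" 2>&1)
        case $out in *Response*) break ;; esac
    done
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null || true
    printf '%s\n' "$out"
}

# Exit status 0 only when the client printed "Response verify OK"
ocsp_verifies() { ocsp_query "$@" | grep -q 'Response verify OK'; }

ocsp_setup
ocsp_query 18881 cacert.pem cakey.pem -CAfile cacert.pem   # Response verify OK
ocsp_query 18882 resp.pem resp.key -CAfile cacert.pem      # Response verify OK
ocsp_query 18883 resp.pem resp.key                         # Response Verify Failure
```

The third query shows why -CAfile matters: the responder cert chains to the CA correctly and carries OCSPSigning, but without a trust anchor the client still reports Response Verify Failure.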