Hi Sowjanya,

> hope I am not bugging u.

I don't mind a few questions but you probably should ask them on the openssl-user mailing list. Hope you don't mind me posting my answer there, with your questions, since it may benefit other ocsp users.

> did u ever observe (or try to send through ur own server) the OCSP server sending the 'Responder Certificate' along with the Response?

Yes, but I also use a self-signed ocsp certificate for my ocsp. You can use a cert signed directly by the CA for the ocsp also, and in this case it makes sense to send the cert with the response. If it is self-signed then there is no point sending it with the response. By default the ocsp sends its certificate with the response, but you can make it not do this with the -resp_no_certs option. This is the command I use:

    openssl ocsp -ignore_err -index index.txt -CA cacert.pem -port 8888 -resp_no_certs -rsigner "ocspss.pem" -text

Your port and certs may be different. Because my ocsp cert is self-signed, that means my client must have ocspss.pem available as a trusted root certificate. If my ocsp cert was signed by the cacert then I could drop the -resp_no_certs (so the ocsp sends its cert) and not have to load the ocsp cert at the client, and it would still work as long as the client has the cacert, of course. It means every resp is bigger because the cert is sent every time. Response validation takes a little bit longer and you also have to watch out for revocation/ocsp checks on the ocsp responder cert - that's where the "nocheck" extension comes in. You can tune your responder for performance/cert maintenance by choosing between these methods. I just use a self-signed trusted ocsp cert because that was easiest for me.

The "-text" argument lets you see every ocsp request and response on the responder's console window. This is worth setting so you can see if the cert is being sent with the response and if the nonce is being sent etc. The -ignore_err is needed to make the responder keep going if an error, like a bad request, occurs.

Regards,
Simon McMahon


"Sowjanya Malika" <[EMAIL PROTECTED]>
12/13/2006 10:40 PM
To: Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc:
Subject: Re: ocsp responder certificate generation documentation( reg)

Hi,
hope I am not bugging u. Do u have any idea regarding Multiple SelfSigned Certificates? As of my knowledge we r using SelfSigned Certificates in OCSP to sign the OCSP request. Do u have any other approach where we can use SSCerts?
-Sowjanya

On 12/13/06, Sowjanya Malika <[EMAIL PROTECTED]> wrote:

Hi,
did u ever observe (or try to send through ur own server) the OCSP server sending the 'Responder Certificate' along with the Response? Here just I am using the Openssl commands and started the OCSP Server. Generated and uploaded the CA and SelfCertificates into OCSP Client. And testing was successful. But just wanted to know abt the Responder Certificates.
thanks & regards,
Sowjanya

On 12/11/06, Sowjanya Malika <[EMAIL PROTECTED]> wrote:

Hi,
thanks for the information. I will get back to u for any further queries.
thanks & regards,
Sowjanya.

On 12/8/06, Simon McMahon <[EMAIL PROTECTED]> wrote:

howto make the OCSP certificate. This is the section I added to my openssl.cnf file.

    [ ocsp_cert ]
    # These extensions are added when 'ca' signs a request for an OCSP responder.
    basicConstraints=CA:FALSE
    extendedKeyUsage = OCSP Signing
    noCheck = yes
    ...

Then, as my other post said: add "-extensions ocsp_cert" on the "openssl ca" command to generate the cert.

The document I referred to is the openssl standard doc from the site: http://www.openssl.org/docs/apps/openssl.html

This one is good, and recently updated, but never mentions "OCSP Signing" and that is what you need to make the OCSP cert. It does mention noCheck which I also use. http://www.openssl.org/docs/apps/x509v3_config.html#

And the OCSP doc: http://www.openssl.org/docs/apps/ocsp.html#
Warning: There are a couple of minor mistakes on this page - but you should be able to figure it out. This mentions "OCSPSigning" (without the space - don't try that in the .cnf file!) but it won't tell you how to make the ocsp cert.

Last is the CA doc: http://www.openssl.org/docs/apps/ca.html#

PS. I use this OCSP very successfully for testing purposes. It is very lightweight and works, so it is worth the effort! You can certainly learn a lot about OCSP responders from using this one.

Regards,
Simon McMahon


"Sowjanya Malika" <[EMAIL PROTECTED]>
12/06/2006 10:21 PM
To: Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc:
Subject: ocsp responder certificate generation documentation( reg)

Hi,
I have gone through your mail regarding "ocsp responder certificate generation documentation". I just wanted to know abt OCSP and I would like to have the document. Is it confidential? If not please send me.
thanks in advance,
Sowjanya

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
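The two points of the thread, the [ocsp_cert] extension section from Simon's 12/8 mail and the -resp_no_certs / trusted-responder-cert trade-off from his reply above, worked through end to end as an added example (my script, not code from the post or from the OpenSSL project). It builds a throwaway CA, a leaf cert and two responder certs, answers one request from files instead of over -port, and checks what the client can verify; file names, DNs, serials 0x1001/0x1002 and passing -rkey explicitly are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the post: a throwaway CA, a leaf cert and two responder
# certs carrying Simon's [ocsp_cert] extensions, then one request answered offline
# to show what -resp_no_certs means for the client. File names, DNs, serials and
# the explicit -rkey are assumptions made here.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ocsp_cert ]
# Simon's section: end-entity cert with the OCSP Signing EKU and id-pkix-ocsp-nocheck
basicConstraints = CA:FALSE
extendedKeyUsage = OCSP Signing
noCheck = yes
EOF
q() { "$@" >/dev/null 2>&1; }                       # run a command quietly
csr() { q openssl req -config ext.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr"; }
q openssl req -config ext.cnf -x509 -newkey rsa:2048 -nodes -subj /CN=TestCA -days 30 -keyout ca.key -out ca.pem
csr leaf; csr ocsp
q openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -days 30 -out leaf.pem
# responder cert issued by the CA (can travel inside the response) ...
q openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 -days 30 \
  -extfile ext.cnf -extensions ocsp_cert -out ocsp_ca.pem
# ... and a self-signed one, which the client must already hold as a trusted responder cert
q openssl x509 -req -in ocsp.csr -signkey ocsp.key -days 30 -extfile ext.cnf -extensions ocsp_cert -out ocsp_ss.pem
# one-line CA index (status, expiry, revocation date, serial, file, DN): serial 1001 is valid
printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt
q openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
# responder driven from files: Simon's flags minus -port; extra args such as -resp_no_certs pass through
respond() { s=$1; o=$2; shift 2; q openssl ocsp -index index.txt -CA ca.pem -rsigner "$s" -rkey ocsp.key "$@" -reqin req.der -respout "$o"; }
respond ocsp_ca.pem resp_ca.der                   # CA-issued signer, cert included
respond ocsp_ss.pem resp_ss.der -resp_no_certs    # self-signed signer, cert omitted
# client side: succeeds only when openssl reports "Response verify OK"; extra args (e.g. -VAfile) pass through
verify() { r=$1; shift; openssl ocsp -respin "$r" -CAfile ca.pem "$@" 2>&1 | grep -q 'Response verify OK'; }
has_ext() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
has_ext ocsp_ss.pem 'OCSP Signing' && has_ext ocsp_ss.pem 'OCSP No Check' && echo 'responder cert has both extensions'
verify resp_ca.der && echo 'CA-issued signer sent in response: verified with cacert only'
verify resp_ss.der || echo 'self-signed signer, -resp_no_certs: cannot verify with cacert only'
verify resp_ss.der -VAfile ocsp_ss.pem && echo 'same response, responder cert trusted via -VAfile: verified'
```

The three verify calls reproduce the trade-off Simon describes: the CA-issued responder cert rides along in a bigger response and validates against the CA cert alone, while the self-signed one with -resp_no_certs validates only once the client holds it as a trusted responder cert.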
