matteo mattau wrote:
Dears,
I'm having trouble with a self-signed certificate when I try to verify, via
OCSP, a certificate whose issuer is self-signed.
The error I receive is always:
openssl ocsp -issuer /usr/local/ssl/cert/issuerPEM.crt -cert
./certificatePEM.cer -url http://ocsp.foo.com -CApath /usr/local/ssl/cert
Response Verify Failure
1903:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
error:ocsp_vfy.c:122:Verify error:self signed certificate in
certificate chain
In /usr/local/ssl/cert I've copied the issuer certificate and
created the "ln -s" hash link.
Is there any way to trust the "self-signed" certificate? If I load the
issuer certificate into the IE browser,
it appears as a root...
Thanks in advance
Mattew
------------------------------------------------------------------------
I'm not an expert, but OpenSSL builds the certificate chain to verify it;
it uses the subject DN (I think) field to link the certificates. If you put
a self-signed certificate in the middle of the chain, it will be broken because
OpenSSL won't find the next certificate. If your issuer really has a
self-signed certificate and there is another CA above it with another
self-signed certificate, my only idea would be to try other ocsp
options when you type the command, but it sounds strange, because it means
that there is one certificate in the chain which shouldn't be verified,
and this contradicts PKI ideas.
In theory, the self-signed certificate must go with the -CAfile option, and
the issuer, which is just an intermediate CA with a NOT self-signed
certificate, with the -issuer option. I've used the ocsp command several times
and -CApath was not necessary, nor was linking with the "ln" command. Just
cert, issuer, url and ca.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
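The split the reply recommends (self-signed root on -CAfile, intermediate issuer on -issuer) shown end to end, as an added example that is not part of the thread and not OpenSSL project code. It builds a throwaway PKI with a self-signed root, an intermediate issuing CA, a delegated OCSP responder and one leaf certificate, answers an OCSP request offline with "openssl ocsp -index" instead of over HTTP, and then verifies the response first without the root anchored (reproducing the "self signed certificate in certificate chain" verify error from the original post, because the root only appears as an untrusted certificate inside the response) and then with -CAfile root.pem. All names, serials and the AIA URL http://ocsp.example.test/ are made up for the example; it needs a current OpenSSL (1.1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway PKI (self-signed root,
# intermediate issuing CA, delegated OCSP responder, one leaf), answers an OCSP
# request offline with "openssl ocsp -index", then verifies the response both
# without and with the root anchored via -CAfile. All names and the AIA URL
# http://ocsp.example.test/ are made up for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so nothing depends on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF

KEY="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# Self-signed root: the trust anchor, and the only thing that belongs on -CAfile.
openssl req -config pki.cnf -x509 $KEY -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 30 -extensions ca_ext

# Intermediate issuing CA, signed by the root: this is what goes on -issuer.
openssl req -config pki.cnf -new $KEY -keyout int.key -out int.csr -subj "/CN=Example Issuing CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 0x1000 -days 30 \
    -extfile pki.cnf -extensions ca_ext -out int.pem

# Delegated responder certificate (EKU OCSPSigning) issued by the intermediate.
openssl req -config pki.cnf -new $KEY -keyout ocsp.key -out ocsp.csr -subj "/CN=Example OCSP Responder"
openssl x509 -req -in ocsp.csr -CA int.pem -CAkey int.key -set_serial 0x2000 -days 30 \
    -extfile pki.cnf -extensions ocsp_ext -out ocsp.pem

# End-entity certificate whose status we will ask about, serial 0x1001.
openssl req -config pki.cnf -new $KEY -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 0x1001 -days 30 \
    -extfile pki.cnf -extensions leaf_ext -out leaf.pem

# The responder's copy of the CA database (openssl "index.txt" format, tab separated:
# status, expiry, revocation time, serial in hex, file name, subject). "V" = valid.
printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=leaf.example.test\n' > index.txt
# Certificates the responder ships inside the response besides its own: the
# intermediate (needed to chain) and the self-signed root (the situation the
# original poster ran into: a root that is present but not trusted).
cat int.pem root.pem > chain.pem

# Client side: build the same request that -url would send, but write it to a file.
openssl ocsp -issuer int.pem -cert leaf.pem -no_nonce -reqout req.der

# Responder side: answer from the index instead of listening on a port. -noverify
# because the tool would otherwise go on to verify its own response afterwards.
openssl ocsp -index index.txt -CA int.pem -rsigner ocsp.pem -rkey ocsp.key \
    -rother chain.pem -reqin req.der -respout resp.der -noverify

# Verify resp.der with whatever trust options are passed; echoes openssl's output
# and returns its exit status (non-zero on "Response Verify Failure").
verify_response() {
    openssl ocsp -issuer int.pem -cert leaf.pem -no_nonce -respin resp.der "$@" 2>&1
}

echo "== without -CAfile: the root is only an untrusted cert inside the response =="
verify_response || true            # self signed certificate in certificate chain
echo "== with -CAfile root.pem: root anchored, intermediate stays on -issuer =="
verify_response -CAfile root.pem   # Response verify OK, leaf.pem: good
```

Two things worth noticing when running it: the failing run still prints "leaf.pem: good" after the verify error, because the status summary is printed regardless, so the "Response verify OK" line is the one that matters; and putting the intermediate itself on -CAfile does not help, because OpenSSL still needs to reach a trusted self-signed certificate at the top of the responder's chain. If the responder were signed directly by the issuing CA, current OpenSSL would also accept it on the strength of the -issuer certificate alone, which is why the example uses a delegated responder certificate to make the trust-anchor question visible.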