Hi,

This mail is quite long, with a full description. Please read through it and help me.

Below are the configuration and execution done for OCSP request and response.

* What is the reason for the error?
* What is the solution for the error?


Any reply is appreciated.
:)

I have even provided the folder structure, because the error is related to
"unable to get local issuer certificate".
Folder structure: certifiacte/CACERT/demoCA

CLIENT: 
executed at certificate/

Root key generated: openssl genrsa -out rootkey.pem 1024

root self-signed certificate: openssl req   -x509 -nodes -days 365   -newkey 
rsa:1024 -keyout rootkey.pem -out rootcert.pem

request generated:  openssl req -nodes -days 365   -newkey rsa:1024 -keyout 
reqkey.pem -out reqreq.pem 

issuing: openssl x509 -days 365 -CA rootcert.pem -CAkey rootkey.pem -req 
-CAcreateserial -CAserial ca.srl -in reqreq.pem -out resolve.pem

 Request sent: openssl ocsp -issuer rootcert.pem -cert resolve.pem  -url 
http://xxx.xxx.xx.xxx:8888 -resp_text -respout resp.der

error:
Response Verify Failure
11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify 
error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
resolve.pem: unknown
        This Update: Sep  8 16:38:27 2008 GMT
----------------------------------------------------------------------
RESPONDER:
Folder structure: certifiacte/CACERT/demoCA/private/firstkey.pem
                  certifiacte/CACERT/demoCA/certs
                  certifiacte/CACERT/demoCA/index.txt
                  certifiacte/CACERT/demoCA/cacert.pem

1. Created folder (CACERT).
2. Copied CA.pl from (/usr/lib/ssl/misc/CA.pl) into CACERT.
3. Copied openssl.cnf from (/usr/lib/ssl/openssl.cnf) into CACERT.

executed: ./CA.pl -newca (creates the demoCA folder, which consists of the
index.txt file, cacert.pem file, private folder, certs folder, newcerts folder, etc.)

key generated at demoCA/private/:  openssl genrsa -out firstkey.pem 1024  

request generated /demoCA/certs/:  openssl req -new -key 
demoCA/private/firstkey.pem -out req1.pem

(renamed req1.pem as newreq.pem)
now execute->  ./CA.pl -sign (newcert.pem is created)

Responder:
 openssl ocsp -index demoCA/index.txt -port 8888 -rsigner newcert.pem -rkey 
demoCA/private/first.key -CA demoCA/cacert.pem -text -out log.txt


Advance Thanks & Regards,
Shivakumar Balur
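
Added example, not part of the original mail: in the commands above the client names rootcert.pem as issuer while the responder answers for demoCA/cacert.pem, and the client passes no -CAfile or -VAfile. The script below runs the same request/response exchange offline with -reqin/-respin, once with the client trusting the responder's CA and once with an unrelated root. All file names, ca.cnf and both function names are constructed, and it assumes the CA signs the OCSP responses itself.

```shell
#!/bin/sh
# Added example (constructed names throughout): offline OCSP round trip.
set -e
setup_pki() {
    cd "$(mktemp -d)"
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 1
policy = any
[ any ]
commonName = supplied
EOF
    # ca.pem: the CA the responder answers for. other.pem: an unrelated root.
    for n in ca other; do
        openssl req -config ca.cnf -x509 -nodes -newkey rsa:2048 -days 1 \
            -subj "/CN=Demo $n root" -keyout $n.key -out $n.pem 2>/dev/null
    done
    openssl req -config ca.cnf -nodes -newkey rsa:2048 -subj "/CN=leaf" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    # Issuing through "openssl ca" records the serial in index.txt for the responder.
    openssl ca -config ca.cnf -batch -notext -cert ca.pem -keyfile ca.key \
        -in leaf.csr -out leaf.pem 2>/dev/null
}
# $1 = certificate the client uses as both -issuer and trust anchor (-CAfile)
ocsp_check() {
    # Client builds the request; -no_nonce so the saved response can be re-checked.
    openssl ocsp -issuer "$1" -cert leaf.pem -no_nonce -reqout req.der
    # Responder answers from index.txt and signs with the CA key.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der -ndays 1 2>/dev/null
    # Client verifies the response signature against its trust anchor.
    openssl ocsp -respin resp.der -issuer "$1" -cert leaf.pem -no_nonce \
        -CAfile "$1" 2>&1 || true
}
setup_pki
echo "== client trusts the responder's CA =="; ocsp_check ca.pem
echo "== client uses an unrelated root ==";   ocsp_check other.pem
```

The first run reports "Response verify OK" and "leaf.pem: good"; the second reports "Response Verify Failure" and "leaf.pem: unknown".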
