On Thu, Jul 15, 2010, Luis Neves wrote:

> 
> openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert /home/oracle/lneves.pem -url http://ocsp.root.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text
> 
> gives this response:
> 
> 
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: CN = Servi\C3\A7o de Valida\C3\A7\C3\A3o on-line do Cart\C3\A3o de Cidad\C3\A3o 000047 - EC do Cart\C3\A3o de Cidad\C3\A3o, OU = Valida\C3\A7\C3\A3o on-line, OU = Servi\C3\A7os do Cart\C3\A3o de Cidad\C3\A3o, O = Cart\C3\A3o de Cidad\C3\A3o, C = PT
>     Produced At: Jul 15 11:16:16 2010 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: DBEC6F566C3A0F268B8F674E01108687193EE1F7
>       Issuer Key Hash: A826EAD8E525299306CFF41F3178DF9D10888161
>       Serial Number: 5FD933E0F2F95D0F
>     Cert Status: unknown
>     This Update: Jul 15 11:16:16 2010 GMT
> 
>     Response Extensions:
>         OCSP Nonce: 
>             0410852B85B13D0A829393EC5C40B6ECA394
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             25:88:12:44:e0:c2:bc:20
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Cart\xC3\xA3o de Cidad\xC3\xA3o 001, OU=ECEstado, O=SCEE - Sistema de Certifica\xC3\xA7\xC3\xA3o Electr\xC3\xB3nica do Estado, C=PT
>         Validity
>             Not Before: Jun 23 10:48:55 2010 GMT
>             Not After : Sep  5 10:58:55 2015 GMT
>         Subject: CN=Servi\xC3\xA7o de Valida\xC3\xA7\xC3\xA3o on-line do Cart\xC3\xA3o de Cidad\xC3\xA3o 000047 - EC do Cart\xC3\xA3o de Cidad\xC3\xA3o, OU=Valida\xC3\xA7\xC3\xA3o on-line, OU=Servi\xC3\xA7os do Cart\xC3\xA3o de Cidad\xC3\xA3o, O=Cart\xC3\xA3o de Cidad\xC3\xA3o, C=PT
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:c0:ef:d7:c3:95:5f:06:4e:c4:31:a6:fc:9f:69:
> etc etc etc etc
> 
> FKncpOkxGDlMylusw7Hy8FZDxY95qfrxMZuQn7nYERmimxi5QxFTzvbcaCzrGgV+
> 9V7WHubhBRmAuRHzfkzHEZZyYgbN8GqquQwArnd/z3u8H374eTPB3n83Ro0VVtJX
> 6NdS44Fuqay4Y5TE7M4JNPSjDBHdgSjQKkR0tbsBlgRp6tlyzWPjWkrz+W7nNQqD
> ULAhdGachVHwRzo8E3Bw675hQENCaCyy/AsM8X+ej6NpgIJBuC+UqL1qn3IB/nCX
> mMfDBtCSwU+z5Zbkbcwl8sh946GkCdNQ
> -----END CERTIFICATE-----
> Response Verify Failure
> 3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
> /home/oracle/lneves.pem: unknown
>     This Update: Jul 15 11:16:16 2010 GMT
> 
> 
> 
> the "Cert Status: unknown" status is due to the "unable to get local issuer 
> certificate" error???
> 
> help me.......
> 

No, cert status "unknown" is exactly what the responder returned: it doesn't
know the status of that certificate. Perhaps that certificate isn't covered by
that responder?

The "unable to get local issuer certificate" is a separate error; try including
the root CA with the -CAfile command.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
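The two results discussed in this thread, separated in a script. This is an added example, not part of the original messages or of OpenSSL: the function names are hypothetical, the first sample is abbreviated from the output quoted above, and the second is constructed to show the case where the responder chain verifies but the responder still reports "unknown".

```shell
#!/bin/sh
# Reads `openssl ocsp` output on stdin (capture it with 2>&1 so the verify
# line is included) and reports two independent results: whether the
# response signature chain verified, and which status the responder asserted.
# Assumes one certificate per request.
classify_ocsp() {
    awk '
        /^Response verify OK/             { verify = "ok" }
        /^Response Verify Failure/        { verify = "failed" }
        /: (good|revoked|unknown)[ \t]*$/ { status = $NF }
        END {
            if (verify == "") verify = "none"
            if (status == "") status = "none"
            printf "verify=%s status=%s\n", verify, status
        }'
}

# A status is only acted on when the response itself verified.
ocsp_verdict() {
    case "$(classify_ocsp)" in
        "verify=ok status=good")    echo "good" ;;
        "verify=ok status=revoked") echo "revoked" ;;
        "verify=ok status=unknown") echo "unknown: responder has no status for this certificate" ;;
        verify=failed*)             echo "untrusted response: verify the responder chain first" ;;
        *)                          echo "no usable response" ;;
    esac
}

# Abbreviated from the output quoted in the thread.
sample_thread() {
    cat <<'EOF'
Response Verify Failure
3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
/home/oracle/lneves.pem: unknown
    This Update: Jul 15 11:16:16 2010 GMT
EOF
}

# Constructed: the same query once the responder chain verifies.
sample_chain_fixed() {
    cat <<'EOF'
Response verify OK
/home/oracle/lneves.pem: unknown
    This Update: Jul 15 11:16:16 2010 GMT
EOF
}

sample_thread | classify_ocsp
sample_chain_fixed | classify_ocsp
sample_chain_fixed | ocsp_verdict
```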