Hello, Iam using the -CAfile /etc/pki/tls/certs/ca-bundle.crt, and the CA certificate is appended to this list, shouldnt this work ok?
the OCSP responder comes from the lneves.pem certificate itself, so it must be ok, I presume Luis > Date: Thu, 15 Jul 2010 14:27:55 +0200 > From: st...@openssl.org > To: openssl-users@openssl.org > Subject: Re: OCSP_basic_verify:certificate verify error (Verify > error:unable to get local issuer certificate) ERROR > > On Thu, Jul 15, 2010, Luis Neves wrote: > > > > > openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert > > /home/oracle/lneves.pem -url > > http://ocsp.root.cartaodecidadao.pt/publico/ocsp -CAfile > > /etc/pki/tls/certs/ca-bundle.crt -resp_text > > > > gives this response: > > > > > > OCSP Response Data: > > OCSP Response Status: successful (0x0) > > Response Type: Basic OCSP Response > > Version: 1 (0x0) > > Responder Id: CN = Servi\C3\A7o de Valida\C3\A7\C3\A3o on-line do > > Cart\C3\A3o de Cidad\C3\A3o 000047 - EC do Cart\C3\A3o de Cidad\C3\A3o, OU > > = Valida\C3\A7\C3\A3o on-line, OU = Servi\C3\A7os do Cart\C3\A3o de > > Cidad\C3\A3o, O = Cart\C3\A3o de Cidad\C3\A3o, C = PT > > Produced At: Jul 15 11:16:16 2010 GMT > > Responses: > > Certificate ID: > > Hash Algorithm: sha1 > > Issuer Name Hash: DBEC6F566C3A0F268B8F674E01108687193EE1F7 > > Issuer Key Hash: A826EAD8E525299306CFF41F3178DF9D10888161 > > Serial Number: 5FD933E0F2F95D0F > > Cert Status: unknown > > This Update: Jul 15 11:16:16 2010 GMT > > > > Response Extensions: > > OCSP Nonce: > > 0410852B85B13D0A829393EC5C40B6ECA394 > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: > > 25:88:12:44:e0:c2:bc:20 > > Signature Algorithm: sha1WithRSAEncryption > > Issuer: CN=Cart\xC3\xA3o de Cidad\xC3\xA3o 001, OU=ECEstado, O=SCEE > > - Sistema de Certifica\xC3\xA7\xC3\xA3o Electr\xC3\xB3nica do Estado, C=PT > > Validity > > Not Before: Jun 23 10:48:55 2010 GMT > > Not After : Sep 5 10:58:55 2015 GMT > > Subject: CN=Servi\xC3\xA7o de Valida\xC3\xA7\xC3\xA3o on-line do > > Cart\xC3\xA3o de Cidad\xC3\xA3o 000047 - EC do Cart\xC3\xA3o de > > Cidad\xC3\xA3o, OU=Valida\xC3\xA7\xC3\xA3o on-line, OU=Servi\xC3\xA7os do > > Cart\xC3\xA3o de Cidad\xC3\xA3o, O=Cart\xC3\xA3o de Cidad\xC3\xA3o, C=PT > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > RSA Public Key: (2048 bit) > > Modulus (2048 bit): > > 00:c0:ef:d7:c3:95:5f:06:4e:c4:31:a6:fc:9f:69: > > etc etc etc etc > > > > FKncpOkxGDlMylusw7Hy8FZDxY95qfrxMZuQn7nYERmimxi5QxFTzvbcaCzrGgV+ > > 9V7WHubhBRmAuRHzfkzHEZZyYgbN8GqquQwArnd/z3u8H374eTPB3n83Ro0VVtJX > > 6NdS44Fuqay4Y5TE7M4JNPSjDBHdgSjQKkR0tbsBlgRp6tlyzWPjWkrz+W7nNQqD > > ULAhdGachVHwRzo8E3Bw675hQENCaCyy/AsM8X+ej6NpgIJBuC+UqL1qn3IB/nCX > > mMfDBtCSwU+z5Zbkbcwl8sh946GkCdNQ > > -----END CERTIFICATE----- > > Response Verify Failure > > 3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify > > error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate > > /home/oracle/lneves.pem: unknown > > This Update: Jul 15 11:16:16 2010 GMT > > > > > > > > the "Cert Status: unknown" status is due to the "unable to get local issuer > > certificate" error??? > > > > help me....... > > > > No, cert status "unknown" is exactly what the responder returned: it doesn't > know the status of that certificate. Perhaps that certificate isn't covered by > that responder? > > The unable to get local issuer certificate is a separate error, try including > the root CA with the -CAfile command. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. https://signup.live.com/signup.aspx?id=60969
