More data: if I use the serial number to query the OCSP responder, it returns "Cert Status: good":

    openssl ocsp -issuer /etc/pki/tls/certs/CC0002.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text -serial 0x5FD933E0F2F95D0F

and what I am seeing is that the "Issuer Name Hash" and the "Issuer Key Hash" returned (1) are not the same as when I use (2):

    openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert /home/oracle/lneves.pem -url http://ocsp.root.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text

(1)
    Issuer Name Hash: EFD0CBADF429378902B20327328DDA76D321409D
    Issuer Key Hash: 4D6CA033280F38F8B1672919E624A480A9E5519E
    Serial Number: 5FD933E0F2F95D0F

(2)
    Issuer Name Hash: DBEC6F566C3A0F268B8F674E01108687193EE1F7
    Issuer Key Hash: A826EAD8E525299306CFF41F3178DF9D10888161
    Serial Number: 5FD933E0F2F95D0F

????? What the hell?? Please don't tell me that the OpenSSL bug in the conversion of UTF-8 characters in the issuer name is causing this effect..... I am reading in the RFC that the hash is computed over the DER encoding of the cert, so I think the UTF-8 shouldn't have anything to do with this hash computation, right? If this is the cause, I have to quit trying to use Linux for this and search for some MS Windows solution....
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = Servi\C3\A7o de Valida\C3\A7\C3\A3o on-line do Cart\C3\A3o de Cidad\C3\A3o 000034 - EC de Autentica\C3\A7\C3\A3o do Cidad\C3\A3o, OU = Valida\C3\A7\C3\A3o on-line, OU = Servi\C3\A7os do Cart\C3\A3o de Cidad\C3\A3o, O = Cart\C3\A3o de Cidad\C3\A3o, C = PT
    Produced At: Jul 15 14:56:42 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EFD0CBADF429378902B20327328DDA76D321409D
      Issuer Key Hash: 4D6CA033280F38F8B1672919E624A480A9E5519E
      Serial Number: 5FD933E0F2F95D0F
    Cert Status: good
    This Update: Jul 15 14:56:42 2010 GMT

    Response Extensions:
        OCSP Nonce:
            0410B32E193742C48C57C927C1F062AB06A5

> Date: Thu, 15 Jul 2010 14:27:55 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR
>
> On Thu, Jul 15, 2010, Luis Neves wrote:
>
> >
> > openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert /home/oracle/lneves.pem -url http://ocsp.root.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text
> >
> > gives this response:
> >
> > OCSP Response Data:
> >     OCSP Response Status: successful (0x0)
> >     Response Type: Basic OCSP Response
> >     Version: 1 (0x0)
> >     Responder Id: CN = Servi\C3\A7o de Valida\C3\A7\C3\A3o on-line do Cart\C3\A3o de Cidad\C3\A3o 000047 - EC do Cart\C3\A3o de Cidad\C3\A3o, OU = Valida\C3\A7\C3\A3o on-line, OU = Servi\C3\A7os do Cart\C3\A3o de Cidad\C3\A3o, O = Cart\C3\A3o de Cidad\C3\A3o, C = PT
> >     Produced At: Jul 15 11:16:16 2010 GMT
> >     Responses:
> >     Certificate ID:
> >       Hash Algorithm: sha1
> >       Issuer Name Hash: DBEC6F566C3A0F268B8F674E01108687193EE1F7
> >       Issuer Key Hash: A826EAD8E525299306CFF41F3178DF9D10888161
> >       Serial Number: 5FD933E0F2F95D0F
> >     Cert Status: unknown
> >     This Update: Jul 15 11:16:16 2010 GMT
> >
> >     Response Extensions:
> >         OCSP Nonce:
> >             0410852B85B13D0A829393EC5C40B6ECA394
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             25:88:12:44:e0:c2:bc:20
> >         Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: CN=Cart\xC3\xA3o de Cidad\xC3\xA3o 001, OU=ECEstado, O=SCEE - Sistema de Certifica\xC3\xA7\xC3\xA3o Electr\xC3\xB3nica do Estado, C=PT
> >         Validity
> >             Not Before: Jun 23 10:48:55 2010 GMT
> >             Not After : Sep  5 10:58:55 2015 GMT
> >         Subject: CN=Servi\xC3\xA7o de Valida\xC3\xA7\xC3\xA3o on-line do Cart\xC3\xA3o de Cidad\xC3\xA3o 000047 - EC do Cart\xC3\xA3o de Cidad\xC3\xA3o, OU=Valida\xC3\xA7\xC3\xA3o on-line, OU=Servi\xC3\xA7os do Cart\xC3\xA3o de Cidad\xC3\xA3o, O=Cart\xC3\xA3o de Cidad\xC3\xA3o, C=PT
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (2048 bit)
> >                 Modulus (2048 bit):
> >                     00:c0:ef:d7:c3:95:5f:06:4e:c4:31:a6:fc:9f:69:
> > etc etc etc etc
> >
> > FKncpOkxGDlMylusw7Hy8FZDxY95qfrxMZuQn7nYERmimxi5QxFTzvbcaCzrGgV+
> > 9V7WHubhBRmAuRHzfkzHEZZyYgbN8GqquQwArnd/z3u8H374eTPB3n83Ro0VVtJX
> > 6NdS44Fuqay4Y5TE7M4JNPSjDBHdgSjQKkR0tbsBlgRp6tlyzWPjWkrz+W7nNQqD
> > ULAhdGachVHwRzo8E3Bw675hQENCaCyy/AsM8X+ej6NpgIJBuC+UqL1qn3IB/nCX
> > mMfDBtCSwU+z5Zbkbcwl8sh946GkCdNQ
> > -----END CERTIFICATE-----
> > Response Verify Failure
> > 3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
> > /home/oracle/lneves.pem: unknown
> >         This Update: Jul 15 11:16:16 2010 GMT
> >
> >
> > Is the "Cert Status: unknown" status due to the "unable to get local issuer certificate" error???
> >
> > help me.......
> >
>
> No, cert status "unknown" is exactly what the responder returned: it doesn't know the status of that certificate. Perhaps that certificate isn't covered by that responder?
>
> The "unable to get local issuer certificate" is a separate error; try including the root CA with the -CAfile command.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
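As an added illustration (not part of this thread, and not OpenSSL's code): the two CertID fields printed above are derived only from the bytes of the certificate passed with -issuer (RFC 2560 section 4.1.1: SHA-1 over the DER-encoded issuer Name, and SHA-1 over the issuer's subjectPublicKey BIT STRING contents), so a request built with CC0001.pem and one built with CC0002.pem carry different hashes for the same serial, and a responder that only knows the other issuer answers "unknown". The issuer names, key and OIDs below are constructed placeholders, not the real Cartão de Cidadão values.

```python
# Added example (not from the thread): how OCSP CertID fields are derived (RFC 2560 §4.1.1):
# issuerNameHash = SHA-1(DER issuer Name), issuerKeyHash = SHA-1(issuer subjectPublicKey bits).
import hashlib

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body
def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]           # base-128 encoding, high bit set on all but the last octet
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

UTF8, PRINTABLE, CN, C = 0x0C, 0x13, "2.5.4.3", "2.5.4.6"
def name(attrs) -> bytes:
    """[(attribute OID, string tag, value)] -> DER Name, one attribute per RDN."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, oid(o) + tlv(t, v.encode("utf-8")))) for o, t, v in attrs))

def read_tlv(buf: bytes):
    """(tag, contents, remainder) of the first DER element in buf."""
    first = buf[1]
    n = 0 if first < 0x80 else first & 0x7F
    ln = first if first < 0x80 else int.from_bytes(buf[2:2 + n], "big")
    return buf[0], buf[2 + n:2 + n + ln], buf[2 + n + ln:]
def sha1_hex(b: bytes) -> str:
    return hashlib.sha1(b).hexdigest().upper()
def issuer_key_hash(spki_der: bytes) -> str:
    _, spki, _ = read_tlv(spki_der)   # SubjectPublicKeyInfo ::= SEQUENCE
    _, _, rest = read_tlv(spki)       # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(rest)     # subjectPublicKey BIT STRING
    assert tag == 0x03
    return sha1_hex(bits[1:])         # first octet is the unused-bits count, not key material
def cert_id(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> dict:
    return {"issuerNameHash": sha1_hex(issuer_name_der),
            "issuerKeyHash": issuer_key_hash(issuer_spki_der),
            "serialNumber": "%X" % serial}

# Constructed (hypothetical) issuer names and a dummy key; real values come from the -issuer file.
ISSUER_001 = name([(CN, UTF8, "Cartão de Cidadão 001"), (C, PRINTABLE, "PT")])
ISSUER_002 = name([(CN, UTF8, "Cartão de Cidadão 002"), (C, PRINTABLE, "PT")])
DUMMY_KEY = b"\x30\x06\x02\x01\x05\x02\x01\x03"
DUMMY_SPKI = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" + DUMMY_KEY))
```

Because the hash runs over the raw DER bytes, the UTF-8 bytes of "ã" are just input to SHA-1; only a different issuer certificate (or a different string type in its Name) changes the result.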