Hello.
I could connect to the OpenSSL OCSP responder only over IPv6, but I have another
error:
3908:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:.\crypto\ocsp\ocsp_vfy.c:350:
3908:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:.\crypto\ocsp\ocsp_vfy.c:148:
I made and adjusted a simple test Certification Authority.
I have a root CA and three certs issued (and, of course, signed) by the root CA: 01.crt, 02.crt, 03.crt. Now I want to test
the OpenSSL OCSP responder. I will check 01.crt for its revocation status and use 03.crt as the OCSP responder's
certificate. I added the OCSPSigning extended key usage to 03.crt:
openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out ocsp_resp_cert.pem
I start OpenSSL OCSP responder:
openssl ocsp -index index.txt -port 7777 -rkey cert3_pkey.pem -rsigner ocsp_resp_cert.pem -CA cacert.crt -text
After that, I try to verify 01.crt via OCSP and I get the above error.
If I use the root CA as the OCSP responder's cert, all is OK: OCSP_basic_verify does not fail and I get the OCSP status
"GOOD".
I see in the docs on openssl.org, ocsp(1), section "OCSP Response verification":
1) "Otherwise the issuing CA certificate in the request is compared to the OCSP responder certificate: if there is a
match then the OCSP verify succeeds."
This rule works; this is the case when the certificate of the OCSP responder is the root
CA.
2) "Otherwise the OCSP responder certificate's CA is checked against the issuing CA certificate in the request. If there
is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify
succeeds."
This rule doesn't work, or I don't understand it, or I did something wrong.
Please tell me, what am I doing wrong?
Regards,
Vladimir.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org