Bonjour,
Answers inline.
--
Erwann ABALEA
Le 14/08/2012 19:03, adrien pisarz a écrit :
Hi,
I have several questions about the ocsp functionnality. I read many
articles before asking those questions and unfortunetaly I still don't
have the answers. Maybe you can help me.
Fist of all, here is my ocsp configuration :
openssl ocsp -index index_prod.txt -CAfile OpCA.pem -rsigner ocsp.crt
-rkey ocsp.key -port 3456 -text -out /home/userocsp/ocsp_responder.log
The file index is populated by a self-made script,
the ocsp.crt (resp. key) is a certificate (resp. key) which contains
the ocsp signature extensions
the OpCA.pem contains the subAC certificate
Here are my questions :
1. Why the ocsp client work only if the -VAFile is set and otherwise I
got a signature error ? Is there a way to solve this issue ?
Maybe because the responder is not one of:
- the CA that signed the certificate you're requesting the status on
- a designated responder directly signed by the CA that signed the
certificate you're requesting the status on
Reread RFC2560. If you're instanciating the third possible responder
type (trusted responder whose public key is trusted by the requester),
then you obviously need to inform the client/requester. You didn't
provide elements on who signed who, so that's just a guess.
2. If I wan manage several subAC should I open a port foreach subCA ?
With the command-line tool, yes. If you need to have more CAs, then you
could probably try something more suited than the command-line tools.
The command-line tool also doesn't respond to GET requests, only POST ones.
3. Why the ocsp responder requires that all the certificates (even the
valide's one) must be present in the index.txt in order to provide a
correct answer ? I was expected that openssl will check the
certificate signature and if the serial is not present in the
index.txt, it will answer good and not unknow.
Design choice. You're giving the responder a database, so it supposed to
know *all* the certificates.
OCSP can be based on CRLs (black-list), but that's not implemented by
the tool. If that's what you want, you'll have to write your own.
4. As said, the openssl responder is working but a IHS server is not
abble to validate his answer and I got those errors :
[...]
Does anyone know how to configure an IHS with an openssl ocsp responder ?
You may ask your provider for this, not OpenSSL.
