I am testing some simple scenarios for the OCSP server. I have to stop and start the server to know I revoked a cert. Here is my scenario.
*I start the OCSP server*

    openssl ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text

*I check a cert*

    openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem

*and it's GOOD*

*Then from a terminal I revoke a certificate*

    openssl ca -revoke ./demoCA/newcerts/1009.pem
    Using configuration from /usr/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Revoking Certificate 1009.
    Data Base Updated

*I check it again*

    openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
    Response verify OK
    0x1009: good
        This Update: Jul 18 16:13:02 2013 GMT

*Not correct, it is revoked; I looked at the index.txt. I stop and start the OCSP server again*

*I check again*

    openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
    Response verify OK
    0x1009: revoked
        This Update: Jul 18 16:13:34 2013 GMT
        Revocation Time: Jul 18 16:12:18 2013 GMT

*And results are expected REVOKED.*

*So what is the best practice to get the OCSP server to update?*

--
View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-tp45877.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
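
The post shows the responder reporting the revocation only after a restart, so one workaround for a test setup like this is to restart it whenever index.txt changes. The script below is an added example, not part of the original post or of OpenSSL; the paths and port are taken from the post, while the polling interval, the function names and the `watch` argument are assumptions.

```shell
#!/bin/sh
# Added example: restart the test responder whenever the CA database changes.
# Paths and port come from the post; POLL_SECS and all function names are
# assumptions of this sketch.
INDEX=${INDEX:-./demoCA/index.txt}
POLL_SECS=${POLL_SECS:-2}
RESPONDER_PID=

# Fingerprint of the CA database; it changes when `openssl ca -revoke` rewrites it.
index_fingerprint() {
    cksum "$1" 2>/dev/null || echo missing
}

# Exit status 0 when the file no longer matches the fingerprint last seen.
index_changed() {   # $1 = index file, $2 = previous fingerprint
    [ "$(index_fingerprint "$1")" != "$2" ]
}

start_responder() {
    openssl ocsp -index "$INDEX" -port 8082 \
        -rsigner authocspsign.crt -rkey ocspsign.key \
        -CA ./demoCA/cacert.pem -text &
    RESPONDER_PID=$!
}

stop_responder() {
    [ -n "$RESPONDER_PID" ] || return 0
    kill "$RESPONDER_PID" 2>/dev/null
    wait "$RESPONDER_PID" 2>/dev/null
    RESPONDER_PID=
}

watch_index() {
    trap 'stop_responder; exit 0' INT TERM
    last=$(index_fingerprint "$INDEX")
    start_responder
    while sleep "$POLL_SECS"; do
        if index_changed "$INDEX" "$last"; then
            last=$(index_fingerprint "$INDEX")
            stop_responder      # the responder is briefly unavailable here
            start_responder     # the new process reads the updated index.txt
        fi
    done
}

# Run the loop only when asked, so the functions can also be sourced.
if [ "${1:-}" = "watch" ]; then
    watch_index
fi
```

Run it as `sh script.sh watch` from the directory that contains `demoCA`; clients querying during the restart window get a connection error rather than a stale "good".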