On Tue, Jan 14, 2014, socket wrote:
> Hey all, I am wondering if anyone here could point me in the right direction
> or even assist with a problem I am having.
>
> According to RFC 2560:
>
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> *-- a Trusted Responder whose public key is trusted by the requester*
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA, indicating
> that the responder may issue OCSP responses for that CA
>
> I have Root CA1 (RCA1) and Root CA2 (RCA2). Also, I have Intermediate
> Authority 1 (IA1) and Intermediate Authority 2 (IA2). I have an OCSP signing
> certificate issued from IA1 (ocsp1).
> I have Apache 2.4 configured with trust for rca1, rca2, ia1, ia2 and I am
> able to use client authentication to log in with either client cert 1 (cc1)
> or client cert 2 (cc2).
>
> However, when I enable OCSP it acts differently:
> SSLVerifyClient on
> SSLVerifyDepth 4
> SSLOCSPEnable on
> SSLOCSPDefaultResponder http://rsp.domain.com:80/
> SSLOCSPOverrideResponder on
>
> I am able to successfully validate cc1 and any other client certificates
> issued from ia1. However, when I try to use cc2, I get the following error:
> *SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
> not trusted*
>
It isn't entirely clear which certificate belongs to which chain and what the chains are. I'd say from your description that one client certificate supports the OCSP delegated model directly and doesn't need explicit trust while the other does not. It should be possible to add explicit trust to the root CA. See the ocsp manual page for OpenSSL for details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
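Added example, not from the thread or the OpenSSL project: a shell script that rebuilds the two-root layout from the question with throwaway keys (the names rca1, rca2, ia1, ia2, ocsp1 and cc2 come from the question; the file paths, the index file and the 7-day validity are constructed), reproduces the "root ca not trusted" verdict with `openssl ocsp`, and then clears it the way the reply suggests by giving RCA1 an explicit OCSPSigning trust attribute with `openssl x509 -addtrust`. OpenSSL's OCSP_basic_verify raises that error when the response signer is neither the certificate's CA nor a responder issued by that CA and the root of the signer's chain carries no explicit OCSP-signing trust, which is exactly the position ocsp1 (issued by IA1) is in when it answers for cc2 (issued by IA2).

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the two-root PKI of the question with
# throwaway keys, have ocsp1 (issued by IA1) sign a response about cc2 (issued by
# IA2), and watch OCSP verification fail until RCA1 carries an explicit OCSPSigning
# trust attribute. Needs openssl >= 1.1.1 for -addext.
set -eu
cd "$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config for req
mkcert() { # NAME ISSUER EXTENSION; empty ISSUER means self-signed root
  if [ -z "$2" ]; then
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 7 -subj "/CN=$1" \
      -addext "$3" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf '%s\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 7 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}
build_pki() {
  mkcert rca1  ""   basicConstraints=critical,CA:TRUE
  mkcert rca2  ""   basicConstraints=critical,CA:TRUE
  mkcert ia1   rca1 basicConstraints=critical,CA:TRUE
  mkcert ia2   rca2 basicConstraints=critical,CA:TRUE
  mkcert ocsp1 ia1  extendedKeyUsage=OCSPSigning   # delegated responder for IA1 only
  mkcert cc2   ia2  basicConstraints=CA:FALSE
  cat rca1.pem rca2.pem > roots.pem                # plain trust store, as in the question
  # Same roots, but RCA1 rewritten as a TRUSTED CERTIFICATE for OCSP signing.
  openssl x509 -in rca1.pem -addtrust OCSPSigning -out rca1-trusted.pem
  cat rca1-trusted.pem rca2.pem > roots-trusted.pem
  # One-shot responder: index marks cc2 valid ("V"); ocsp1 signs, IA1 is attached.
  serial=$(openssl x509 -in cc2.pem -noout -serial | cut -d= -f2)
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=cc2\n' "$serial" > index.txt
  openssl ocsp -issuer ia2.pem -cert cc2.pem -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ia2.pem -rsigner ocsp1.pem -rkey ocsp1.key \
    -rother ia1.pem -reqin req.der -respout resp.der >/dev/null
}
verify_response() { # TRUSTFILE; returns 0 only if the response signature is accepted
  out=$(openssl ocsp -respin resp.der -issuer ia2.pem -cert cc2.pem -no_nonce \
        -CAfile "$1" 2>&1 || true)
  printf '%s\n' "$out" > "$1.log"
  printf '%s\n' "$out" | grep -q 'Response verify OK'
}
build_pki
for f in roots.pem roots-trusted.pem; do
  if verify_response "$f"; then echo "$f: Response verify OK"
  else echo "$f: $(sed -n '/OCSP routines/{p;q;}' "$f.log")"; fi
done
```

This reproduces only the OpenSSL-side check; whether mod_ssl applies the same trust attributes when the TRUSTED CERTIFICATE block is loaded through its CA file is not shown here and should be confirmed against the Apache build in use.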