Hi Dan, On 10.12.2015 16:27, daniel bryan wrote:
> ... and also that it is not good

-> unknown, revoked and good are the 3 values ...

> *TEST #2:* Next test was using OCSP:
>
> [dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080/
> Response verify OK
> CERTS/0x500c8bd-revoked.pem: *unknown*
>     This Update: Dec 9 20:48:26 2015 GMT
>
> as you can see the client *was NOT* informed the certificate was revoked.

Is the OCSP responder cert the signing cert itself, or was it signed by the same signing cert that signed the cert you want to validate?

> We are using a 3rd party vendor's OCSP service, and I am of the opinion that an OCSP service should provide a revoked response regardless of the time validity of the CRL.

Or, specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both CERTS/0x500c8bd-revoked.pem and the OCSP responder cert (VAS/def_ocsp.pem)?
Walter
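An added example, not from this thread and not OpenSSL's own code: a small POSIX sh helper that applies Walter's point above (unknown, revoked and good are the three status values, so a client must accept only a verified "good") to the text that `openssl ocsp` prints for a `-cert` file. The sample transcripts are constructed to look like Dan's; the function names `ocsp_classify`, `ocsp_verdict` and `ocsp_check` and the return-code mapping are my own choices. The only strings assumed from OpenSSL are the "Response verify OK" / "Response Verify Failure" line and the "<cert-path>: <status>" line that `openssl ocsp` prints.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenSSL): treat an OCSP answer as
# acceptable only when the responder signature verified AND the status is
# "good". "unknown" and "revoked" are both rejected, as is any unverified reply.
#
# Return codes of ocsp_classify (chosen here, not an OpenSSL convention):
#   0 good   1 revoked   2 unknown   3 responder not verified / no status line

ocsp_classify() {
    # $1: captured stdout+stderr of `openssl ocsp ... -cert "$2"`
    # $2: the path given to -cert; openssl prefixes the status line with it
    out=$1
    cert=$2

    # Fail closed: without "Response verify OK" the status line is untrusted
    # (e.g. the -VAfile responder cert does not chain to the expected issuer).
    printf '%s\n' "$out" | grep -q '^Response verify OK$' || return 3

    # Pull the status word from the literal-prefix line "<cert>: <status>".
    status=$(printf '%s\n' "$out" |
        awk -v c="$cert: " 'index($0, c) == 1 { print substr($0, length(c) + 1); exit }')

    case $status in
        good)    return 0 ;;
        revoked) return 1 ;;
        unknown) return 2 ;;
        *)       return 3 ;;   # missing or unexpected status word
    esac
}

# Human-readable policy decision built on ocsp_classify.
ocsp_verdict() {
    rc=0
    ocsp_classify "$1" "$2" || rc=$?
    case $rc in
        0) echo "accept" ;;
        1) echo "reject (revoked)" ;;
        2) echo "reject (unknown)" ;;
        *) echo "reject (unverified)" ;;
    esac
}

# Live check with the same options Dan used; needs a reachable responder, so it
# is only shown here and not run against the constructed samples below:
#   ocsp_check CAS/cabundle.pem VAS/def_ocsp.pem "CAS/IC ABC CA3 DEV.cer" \
#              CERTS/0x500c8bd-revoked.pem http://ocspresponder:8080/
ocsp_check() {
    out=$(openssl ocsp -CAfile "$1" -VAfile "$2" -issuer "$3" -cert "$4" -url "$5" 2>&1)
    ocsp_verdict "$out" "$4"
}

# Constructed transcripts shaped like the one in the thread (not real responses).
SAMPLE_UNKNOWN='Response verify OK
CERTS/0x500c8bd-revoked.pem: unknown
    This Update: Dec  9 20:48:26 2015 GMT'
SAMPLE_REVOKED='Response verify OK
CERTS/0x500c8bd-revoked.pem: revoked
    This Update: Dec  9 20:48:26 2015 GMT
    Reason: keyCompromise
    Revocation Time: Dec  9 20:40:00 2015 GMT'
SAMPLE_GOOD='Response verify OK
CERTS/example-good.pem: good
    This Update: Dec  9 20:48:26 2015 GMT'
SAMPLE_UNVERIFIED='Response Verify Failure
CERTS/example-good.pem: good
    This Update: Dec  9 20:48:26 2015 GMT'

echo "unknown    -> $(ocsp_verdict "$SAMPLE_UNKNOWN" CERTS/0x500c8bd-revoked.pem)"
echo "revoked    -> $(ocsp_verdict "$SAMPLE_REVOKED" CERTS/0x500c8bd-revoked.pem)"
echo "good       -> $(ocsp_verdict "$SAMPLE_GOOD" CERTS/example-good.pem)"
echo "unverified -> $(ocsp_verdict "$SAMPLE_UNVERIFIED" CERTS/example-good.pem)"
```

The point of the fourth sample is the one Walter raises: if the responder cert (`-VAfile`) does not verify against the issuer, `openssl ocsp` still prints a status line after "Response Verify Failure", and a script that only greps for the status word would accept it. Matching the cert path as a literal prefix (awk `index`, not a regex) keeps paths with dots or slashes from being misread; paths containing backslashes would need quoting for `awk -v`.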
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users