Ahnjoan Amous wrote:
I'm attempting configuration of mod_nss to use an OCSP responder.  My
OCSP responder uses a self signed certificate (call it OCSPcert) to
sign responses, my web server uses a certificate (call it SERVERcert)
signed by a trusted CA (call it CA1cert).  I also have a second
trusted CA (call it CA2cert) that has issued my client certificates
(CLIENTcert).


I'm experiencing the following behavior

     Certificate not verified: 'Server-Cert'
     SSL Library Error: -8062 The signer of the OCSP response is not authorized to give status for this certificate
     Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.


   A packet capture shows that a successful OCSP attempt is made to verify the server's certificate. Then a second OCSP attempt is made to verify the first client certificate and, once that fails, never tries again.
   The following show up in the apache error log for each user attempt to view a web page.
     Bad remote server certificate: -8071
     SSL Library Error: -8071 The OCSP server experienced an internal error
     SSL Library Error: -8071 The OCSP server experienced an internal error

Any suggestions on how to fix this would be greatly appreciated.
1. Don't use a self-signed cert for your OCSP responder.

OCSP responses need to be signed by a trusted certificate. That certificate can be trusted in the following ways:
1) The OCSP response is signed by the CA that issued the certificate you are validating.
2) The OCSP response is signed by a certificate that is used by the same CA that issued the certificate you are validating, with the appropriate OCSP extension in the certificate.
3) The OCSP response is signed by a certificate issued by a central OCSP service which you have explicitly selected.

#3 is fairly rare, and is usually used by certain services which sell OCSP validation to corporations. In this case you also explicitly configure your OCSP responder. I don't know how this can be configured in mod_nss. There was a feature in the browser to configure this; I don't know if it still works.

In general, you place an OCSP AIA extension in your certificate at issuance time. You probably want separate responders for each CA (otherwise your responder will have to have code to choose the correct OCSP certificate to use based on the certificate you are giving the response for). Sign your OCSP certificate with the CA which is issuing the certificates your responder is reporting on. Make sure that certificate has the appropriate OCSP extensions.

bob
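As an added illustration of the three ways listed in the reply above (this is not code from the thread, and it uses the openssl command line rather than the NSS tools that mod_nss itself is configured with): the script below builds a throw-away PKI, has CA1 itself, a delegated signer issued by CA1, and a self-signed OCSPcert each sign a response for SERVERcert, and then verifies each response the way a relying party would. The self-signed signer is rejected unless the verifier is told explicitly to trust it, which is the "#3" case. All names, serials and the AIA URL are made up; the only requirement is an openssl 1.1.1 or later binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the thread. Names, serials and the AIA URL are
# invented; requires only the openssl CLI (1.1.1 or later).
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > req.cnf

# CA1: self-signed root that issues SERVERcert and the delegated OCSP signer.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout ca1.key \
  -out ca1.csr -subj /CN=CA1 2>/dev/null
openssl x509 -req -in ca1.csr -signkey ca1.key -set_serial 1 -days 365 \
  -extfile ca.ext -out ca1.pem 2>/dev/null

# issue NAME SUBJECT EXTFILE SERIAL: end-entity certificate signed by CA1.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca1.pem -CAkey ca1.key -set_serial "$4" \
    -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# SERVERcert carries the AIA pointer the reply recommends adding at issuance.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
issue server /CN=www.example.test server.ext 4096   # serial 0x1000

# Delegated responder certificate: issued by CA1 and marked for OCSP signing.
# noCheck tells clients not to look up the signer's own revocation status.
cat > ocsp.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,OCSPSigning
noCheck = ignored
EOF
issue ocsp-delegated /CN=CA1-OCSP ocsp.ext 4097

# The thread's OCSPcert: same extensions, but self-signed, so no chain leads
# from it to CA1.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout ocsp-self.key \
  -out ocsp-self.csr -subj /CN=OCSPcert 2>/dev/null
openssl x509 -req -in ocsp-self.csr -signkey ocsp-self.key -set_serial 1 \
  -days 365 -extfile ocsp.ext -out ocsp-self.pem 2>/dev/null

# Responder database (constructed): SERVERcert, serial 1000 hex, is valid.
printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=www.example.test\n' > index.txt

# The client's status request for SERVERcert; no nonce, so responses can be
# produced offline and re-verified later.
openssl ocsp -issuer ca1.pem -cert server.pem -no_nonce -reqout req.der >/dev/null 2>&1

# sign NAME SIGNER: have SIGNER answer the request, writing NAME.der.
# -noverify: the responder does not need to verify its own response.
sign() {
  openssl ocsp -index index.txt -CA ca1.pem -rsigner "$2.pem" -rkey "$2.key" \
    -reqin req.der -respout "$1.der" -noverify >/dev/null 2>&1
}
sign resp-direct ca1                 # way 1: CA1 itself signs
sign resp-delegated ocsp-delegated   # way 2: delegated signer issued by CA1
sign resp-selfsigned ocsp-self       # the thread's setup

# check RESPONSE [trust options]: verify like a relying party and echo
# "accepted" or "rejected".
check() {
  resp="$1"; shift
  if openssl ocsp -respin "$resp" -issuer ca1.pem -cert server.pem -no_nonce \
       "$@" 2>&1 | grep -q 'Response verify OK'; then echo accepted; else echo rejected; fi
}
check_direct()      { check resp-direct.der -CAfile ca1.pem; }
check_delegated()   { check resp-delegated.der -CAfile ca1.pem; }
check_self_signed() { check resp-selfsigned.der -CAfile ca1.pem; }   # the -8062 case
check_explicit()    { check resp-selfsigned.der -VAfile ocsp-self.pem; }  # way 3

for c in check_direct check_delegated check_self_signed check_explicit; do
  printf '%-18s %s\n' "$c" "$("$c")"
done
```

The only difference between the rejected and the accepted self-signed case is the verifier's configuration (-VAfile, OpenSSL's explicitly trusted responder list), which is exactly the "central OCSP service you have explicitly selected" situation and not something the server operator can fix from the responder side; NSS follows the same signer rules, and the -8062 error in the first post is its report of the rejected case. The delegated signer is what the last paragraph of the reply describes: issued by CA1, with extendedKeyUsage OCSPSigning.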
Thanks
Ahnjoan
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to