Hello! I'm encountering some trouble with the OpenCA OCSP responder. I set up the ocspd.conf to work with my CA and to read the CRL directly. I ran openca-ocspd and everything seemed to be OK. When I tried to verify a certificate with the ocspclient from the university in Torino, I got a working response. I then also tried with the OpenSSL OCSP client and I also get a working response from my OCSPd. But when I want to verify a certificate with Mozilla (Windows, 1.7.3) I always get the message:

"Could not verify the certificate for unknown reasons"

Looking at the logs on the server, it says that there was a request, but I know nothing about the response nor any errors. I then looked a bit more on the internet and found out that the certificate used for the OCSP responder must have OCSPSigning enabled in the ExtendedKeyUsage. This I set up (I added a new role to OpenCA ;-)) and retried. Everything stayed the same. I then set up OpenSSL's OCSP responder (using the same certificate and key for the OCSP responder), which automagically worked with Mozilla.

So, I tried to compare the differences in the working of the two. I did some manual requesting and found out that there was only one significant difference. The difference is in the value of the "Responder Id" field (this value is seen when the response is printed out as text, using the OpenSSL client).

Querying openca-ocspd I get this:

Responder Id: 1AAF67934FC655156614EB52541170C8F342EFFB

Querying OpenSSL's OCSP server I get this:

Responder Id: C = SI, O = SOME_ORG, OU = ORG_UNIT, CN = OCSP Responder

The difference is obvious and there is no need to say that they should be equal ;-) So, the question is: is this meant to be so, is this a bug, or is this (supposedly) not significant at all? Maybe it is only Mozilla being a bit touchy about this, ah?

And I also have another question. I noticed that the index.txt is not really transferred from the offline to the online part of the hierarchy. Is this meant to be so or is this a "bug"? I also wonder how to make the transfer of the file OCSPindex.txt work? I will definitely need this working if I choose some other OCSP responder, since they mostly use index.txt files instead of CRL files. I'd appreciate any kind of help or hints.
Thanks, Janez

Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
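The two "Responder Id" values in the post are the two encodings of the OCSP ResponderID CHOICE: openca-ocspd answers with byKey (a 40-hex-character SHA-1 hash of the responder's public key) and OpenSSL's responder with byName (the responder certificate's subject DN). The following example, added here and not code from the poster, OpenCA or OpenSSL, builds and decodes both forms with a minimal DER encoder/parser from the Python standard library and shows the check a verifier makes on a byKey response: that the hash equals the SHA-1 of the `subjectPublicKey` BIT STRING contents in the responder certificate's SubjectPublicKeyInfo (RFC 2560, KeyHash). The SubjectPublicKeyInfo and Name used as input are constructed with a dummy key, not real certificate material; all function names are the example's own.

```python
import hashlib

# --- minimal DER helpers (written for this example) ---

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        hdr = 2 + nb
    start = pos + hdr
    return tag, buf[start:start + length], start + length

# RFC 2560: KeyHash ::= OCTET STRING, the SHA-1 hash of the responder's
# public key, i.e. of the BIT STRING value in SubjectPublicKeyInfo
# excluding the tag, length and the unused-bits octet.
def key_hash(spki_der: bytes) -> bytes:
    tag, spki, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, nxt = der_read(spki)            # AlgorithmIdentifier
    bit_tag, bit_string, _ = der_read(spki, nxt)   # subjectPublicKey
    if bit_tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return hashlib.sha1(bit_string[1:]).digest()   # skip unused-bits octet

# ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }
# (the OCSP module uses EXPLICIT tags, so each alternative wraps its value)
TAG_BY_NAME = 0xA1   # context-specific, constructed, tag 1
TAG_BY_KEY = 0xA2    # context-specific, constructed, tag 2

def responder_id_by_key(spki_der: bytes) -> bytes:
    """The form openca-ocspd uses: [2] EXPLICIT OCTET STRING (SHA-1 of key)."""
    return der_encode(TAG_BY_KEY, der_encode(0x04, key_hash(spki_der)))

def responder_id_by_name(name_der: bytes) -> bytes:
    """The form OpenSSL's responder uses: [1] EXPLICIT Name."""
    return der_encode(TAG_BY_NAME, name_der)

def parse_responder_id(rid_der: bytes):
    """Return ('byKey', <40 hex chars>) or ('byName', <Name DER>)."""
    tag, value, _ = der_read(rid_der)
    if tag == TAG_BY_KEY:
        inner_tag, digest, _ = der_read(value)
        if inner_tag != 0x04 or len(digest) != 20:
            raise ValueError("byKey must hold a 20-byte OCTET STRING")
        return "byKey", digest.hex().upper()
    if tag == TAG_BY_NAME:
        return "byName", value
    raise ValueError(f"unexpected ResponderID tag 0x{tag:02X}")

def matches_responder_cert(rid_der: bytes, spki_der: bytes) -> bool:
    """True when a byKey ResponderID is the hash of this SubjectPublicKeyInfo."""
    kind, value = parse_responder_id(rid_der)
    return kind == "byKey" and value == key_hash(spki_der).hex().upper()

# --- constructed sample input (dummy key, not a real certificate) ---
OID_RSA = bytes.fromhex("06092A864886F70D010101")    # rsaEncryption
FAKE_KEY = bytes(range(1, 33))                        # 32 dummy key bytes
SAMPLE_SPKI = der_encode(0x30,
    der_encode(0x30, OID_RSA + b"\x05\x00")          # AlgorithmIdentifier
    + der_encode(0x03, b"\x00" + FAKE_KEY))          # BIT STRING, 0 unused bits
OID_CN = bytes.fromhex("0603550403")                  # commonName
SAMPLE_NAME = der_encode(0x30, der_encode(0x31, der_encode(0x30,
    OID_CN + der_encode(0x13, b"OCSP Responder"))))   # CN=OCSP Responder

if __name__ == "__main__":
    by_key = responder_id_by_key(SAMPLE_SPKI)
    by_name = responder_id_by_name(SAMPLE_NAME)
    print("byKey :", parse_responder_id(by_key))
    print("byName:", parse_responder_id(by_name)[0], SAMPLE_NAME.hex())
    print("byKey matches responder SPKI:", matches_responder_cert(by_key, SAMPLE_SPKI))
```

To apply this to the post's situation, feed `matches_responder_cert` the ResponderID taken from the openca-ocspd response and the SubjectPublicKeyInfo of the responder certificate: if the 1AAF... value is the hash of that certificate's key, the response identifies the same responder as the byName form does, and a client that rejects it is objecting to the encoding rather than to the responder's identity.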
