Hi,
   Well I finally worked out what I wanted to do so I thought I'd share
it with anyone out there who might be trying the same thing themselves.

 The tie-in between the certificate whose status I am seeking an OCSP
response for and the <index file> supplied as a parameter to the ocsp
command is the serial number of the certificate - as simple as that.
The fourth column in the <index file> contains the serial number of
certificates issued by a particular CA.  The first column (V(erified),
E(xpired) and R(evoked)) represents the status of that certificate.

 So I can now generate OCSP responses, with a status I choose, for any
certificate which I choose.

 I notice however that if I set the Status column to be R(evoked) I get
a status of unknown rather than revoked.

 Does anyone have any observations on this ?

 Thanks to Ted for his input on this query.

 Nick
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick
Sent: Tuesday, August 01, 2006 11:22 AM
To: openssl-users@openssl.org
Subject: RE: ca format of index.txt. file

Hi Ted,
       Thanks for your reply. I see you are busy replying to several
different requests for help. :-)

 I am glad to hear that the reason I can't find the documentation is
there isn't any.

 Your reply helps significantly. I hope you can bear with me for a
follow up question.

 I use the following to generate an OCSP request for a cert:

    ocsp -issuer <cacert.pem>  -cert <cert.pem> -reqout <req.der>

 I am then seeking to use the following to generate an OCSP response to
the request I have just generated:

    ocsp -index <index file> -rsigner <respondercert.pem> -rkey
<responderkey.pem> -CA  <CACert.pem>
         -reqin <req.der> -respout <resp.der> -Cafile <certchain.pem>

 My understanding is that the contents of <index file> are used to check
the status of the cert which is detailed in <req.der>.  However, no
matter how I try to configure <index file>, I always get a status "Cert
Status: unknown".

 Given that the certificate whose status I am trying to ascertain has a
Subject of:
       Subject: CN=Rick, O=Rick <RI>, L=Hamburg>, C=DE

 what would I put in the <index file> to enable the ocsp command to find
this certificate and return a status which I could set up in this
<index file>?

 As a first pass I have tried the following:

 V      090705233205Z   041009233205Z   01      certs/00000001  /CN=Rick
 V      090705233205Z   041009233205Z   02      unknown /CN=Rick/O=Rick <RI>/L=Hamburg/C=DE

 in the hope that ocsp would see the V for the cert identified and
return a status of valid.

 Thanks in advance if you can find the time to help.

 Nick

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. file

Fitzsimons, Nick wrote:
> Hello All,
>              Does anyone know where there is a definition of the
> format of the contents of the index.txt file used with the ocsp and ca
> commands?  (This file contains info on the revocation status of
> certificates).
>
>  Thanks,
>
>  Nick
First of all the format of index.txt is undocumented. Probably because
it might change sometime. Or it was a fast hack to get the demo
application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where
a tab separates the columns and newline separates the rows.

The columns are defined as
#define DB_type         0 /* Status of the certificate */
#define DB_exp_date     1 /* Expiry date */
#define DB_rev_date     2 /* Revocation date */
#define DB_serial       3 /* Serial No., index - unique */
#define DB_file         4
#define DB_name         5 /* DN, index - unique when active and not disabled */

DB_type is defined as
#define DB_TYPE_REV    'R' /* Revoked */
#define DB_TYPE_EXP    'E' /* Expired */
#define DB_TYPE_VAL    'V' /* Valid */

'E' is currently not used by "openssl ca", I guess because it is
redundant to DB_exp_date. So expired certificates still have status 'V'.
DB_file currently is always 'unknown' and not used by "openssl ca". I
guess the original idea was to store the filename of the generated
certificate file here.
The dates are in ASN1_UTCTIME format.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
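As an added example (my own code, not from the thread or from OpenSSL), here is a small parser for the index.txt layout Ted describes above, used the way Nick's last message says the ocsp command uses it: the row is found by serial number and the first column gives the status. The serial normalization mirrors the whole-byte uppercase hex form the ocsp app builds for its lookup (so "1" would never match but "01" does); the requirement that an R row carry a revocation date is my own sanity check, and the sample index.txt content is constructed.

```python
import datetime
from typing import Dict, Union

# Column positions, from the DB_* defines quoted in the thread.
DB_TYPE, DB_EXP_DATE, DB_REV_DATE, DB_SERIAL, DB_FILE, DB_NAME = range(6)

# Constructed sample index.txt: tab-separated columns, newline-separated rows.
SAMPLE_INDEX = (
    "V\t090705233205Z\t\t01\tunknown\t/CN=Rick/O=Rick <RI>/L=Hamburg/C=DE\n"
    "R\t090705233205Z\t060801110000Z\t02\tunknown\t/CN=Alice/O=Example/C=DE\n"
    "V\t090705233205Z\t\t0A\tunknown\t/CN=Bob/O=Example/C=DE\n"
)

def parse_utctime(s: str) -> datetime.datetime:
    """index.txt dates are ASN1_UTCTIME: YYMMDDHHMMSSZ."""
    return datetime.datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def normalize_serial(serial: Union[int, str]) -> str:
    """Uppercase hex in whole bytes, no leading zero bytes: 1 -> '01', 10 -> '0A'."""
    n = serial if isinstance(serial, int) else int(serial, 16)
    h = format(n, "X")
    return h if len(h) % 2 == 0 else "0" + h

def parse_index(text: str) -> Dict[str, dict]:
    """Map normalized serial -> row, rejecting rows the ocsp lookup could not use."""
    rows: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated columns, got {len(cols)}")
        if cols[DB_TYPE] not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: bad status {cols[DB_TYPE]!r}")
        parse_utctime(cols[DB_EXP_DATE])           # malformed date -> ValueError
        if cols[DB_TYPE] == "R":
            if not cols[DB_REV_DATE]:
                raise ValueError(f"line {lineno}: revoked row needs a revocation date")
            parse_utctime(cols[DB_REV_DATE])
        key = normalize_serial(cols[DB_SERIAL])
        if key in rows:
            raise ValueError(f"line {lineno}: duplicate serial {key}")
        rows[key] = {"status": cols[DB_TYPE], "exp": cols[DB_EXP_DATE],
                     "rev": cols[DB_REV_DATE], "name": cols[DB_NAME]}
    return rows

def cert_status(index: Dict[str, dict], serial: Union[int, str]) -> str:
    """Status the responder would report for this serial: good, revoked or unknown."""
    row = index.get(normalize_serial(serial))
    if row is None:
        return "unknown"          # no row with that serial: the result Nick kept seeing
    return "revoked" if row["status"] == "R" else "good"
```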

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]