Thanks for all the help.  It turns out the CA cert had to be reinstalled.

I had loaded a PKCS12 cert that included the certificate chain.  When I
checked the "Authorities", the CA was there, so it was loaded when I loaded
the PKCS12 user cert.  I deleted the CA then imported it again.  When I
imported it, I made sure the check box "Trust this CA to identify web sites"
was checked.

Now when I establish the connection, I no longer see the warning.  As well,
firefox is sending out the OCSP request and is getting the OCSP response.

Thanks,
Bruce


On 11/2/07, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
>
> Now I don't know much more, except as Nelson already mentioned that the CA
> root might not be installed in the browser. If the problem persists, an
> actual certificate and domain responder location etc is needed in order to
> get a better picture.
>
> Bruce Keats wrote:
>
> OK.
>
> There is nothing special about any of the S/W I am using.  I am running
> fedora core 7 with all the latest updates from the Fedora Project.
>
> The OCSP responder is the openca-ocspd.
>
> The certificates are pretty basic.  They have SKID, AKID, AIA, CKU and EKU.
> The EKU is for a TLS Server.
>
> Anything else?
>
> As I mentioned, I don't see any requests from firefox.
>
> Bruce
>
>
> On 11/1/07, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
>
>
> I can try to help you if you can provide some more details about the
> software you are using, examination of the certificate itself etc. You can
> send me mail also off-list if you feel more comfortable...
>
> --
>   Regards    Signer:  Eddy Nigg, StartCom Ltd. <http://www.startcom.org/>
> Jabber:  [EMAIL PROTECTED] Blog:  Join the Revolution! <http://blog.startcom.org/>
> Phone:  +1.213.341.0390
>
> Bruce Keats wrote:
>
> Hi,
>
> I am having problems getting firefox 2.0.0.8 to send requests to the OCSP
> responder listed in the Authority Info Access (AIA) extension within the
> certificates.  I am sure it is something fairly simple.
>
> On Firefox, I have enabled OCSP under "Edit"->"Preferences", the "Advanced"
> tab, "Encryption" tab,  "Verification" window.  I selected the radio button
> "Use OCSP to validate only certificates that specify an OCSP service URL".
>
> I have an HTTPS server that is sending a certificate that has the AIA
> extension.  When I try to set up the connection, I get the usual certificate
> warnings and if I examine the server's certificate, I see it does have the
> AIA extension.  The AIA lists three OCSP responders:
> Not Critical
> OCSP: URI: http://server1:9000
> OCSP: URI: http://server2:9000
> OCSP: URI: http://server3:9000
>
> When I check the OCSP responder, I don't see any logs indicating it received
> an OCSP request from the host that I am running firefox on.
>
> I know the OCSP responder is working because it responds to requests from
> the same host using openssl ocsp from the command line.  The openssl ocsp
> command is:
> openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile /tmp/cacert.pem -url http://server1:9000
>
> I have been trying different things over the past couple of days without
> much success.  I did some google searches without finding much.  I had a
> quick look at the source code and it looks like OCSP support is there.
>
> Any ideas why this isn't working for me?  Any suggestions of things to try
> because I am out of ideas?
>
> Bruce
>
>
> --
>   Regards    Signer:  Eddy Nigg, StartCom Ltd. <http://www.startcom.org/>
> Jabber:  [EMAIL PROTECTED] Blog:  Join the 
> Revolution!<http://blog.startcom.org/>
> Phone:  +1.213.341.0390
>
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
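The fix in the reply above was to mark the CA as trusted, not anything in the leaf certificate. As an added example (not from the thread), the shell script below builds a throwaway CA and a server certificate with the same extension set Bruce lists (SKID, AKID, AIA with an OCSP URI, serverAuth EKU) and then checks the two facts the thread turned on: that the leaf advertises an OCSP responder, and that chain verification passes only when the issuing CA is present as a trust anchor. The responder URL, CA names and file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + server cert with an AIA
# OCSP URI. Verifies that the leaf advertises a responder and that the chain
# only validates when the issuing CA is a trust anchor. All names constructed.
set -e
WORK=$(mktemp -d)
OCSP_URL="http://ocsp.example.test:9000"   # hypothetical responder URL

# Minimal req config so CA certs get explicit CA bits on any OpenSSL version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {  # $1 = CN, $2 = file basename; -subj overrides the config CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Leaf signed by "ca" with SKID, AKID, AIA(OCSP) and serverAuth EKU.
make_pki() {
  make_ca "Test Issuing CA" ca
  make_ca "Unrelated CA" other-ca
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$WORK/leaf.ext"
  printf 'authorityInfoAccess=OCSP;URI:%s\nextendedKeyUsage=serverAuth\n' "$OCSP_URL" >> "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/srv.pem" 2>/dev/null
}

# Print the OCSP responder URI(s) from the leaf's AIA extension.
ocsp_uri() { openssl x509 -in "$WORK/srv.pem" -noout -ocsp_uri; }
# Exit 0 if the leaf chains to the trust file given in $1, non-zero otherwise.
verify_with() { openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1; }

make_pki
echo "AIA OCSP URI: $(ocsp_uri)"
verify_with "$WORK/ca.pem" && echo "verify OK with the issuing CA trusted"
verify_with "$WORK/other-ca.pem" || echo "verify FAILS with the wrong trust anchor"
```

The failing second verification is the state Bruce's Firefox was in: with the CA not trusted, the browser never gets as far as contacting the responder named in the AIA.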
