Thanks Massimiliano,

I tried out the Role creation and it went through fine, and I could generate an OCSP Signer certificate.

Unfortunately, even after using the generated OCSP signer certificate, I am still getting the following response:
-------------------------------------
Response Verify Failure
16552:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
03: good
    This Update: Jun 16 09:13:06 2002 GMT
    Next Update: Jun 16 09:18:06 2002 GMT
-------------------------------------
As you previously pointed out, it appears that the 'openssl' command did not succeed in building the full chain of certs to verify it. The CA Certificate is a self-signed (through OpenCA) certificate. The OCSP certificate is signed by this CA Certificate using the new role/ext file. Can you advise what "chain" I should use in the ocspd.conf? When I tried changing to $opencaprefix/OpenCA/var/crypto/chain/cacert.pem, the following was the message:

Response Verify Failure
17015:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:self signed certificate in certificate chain

Thanks
Pramila

Below is the OCSP Certificate that was generated:
-------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AE, O=ComtOCA, OU=OCA, [EMAIL PROTECTED]
        Validity
            Not Before: Jun 16 09:55:43 2002 GMT
            Not After : Jun 16 09:55:43 2003 GMT
        Subject: C=AE, O=ComtOCA, OU=Internet, CN=OCSPResponder/serialNumber=0D
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c0:82:34:e9:e7:8f:2d:54:52:ce:b3:8d:89:63:
                    ....
                    ....
                    ....
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OCSP Signer for ComtrustOCA
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Subject Key Identifier:
                F4:D8:C5:CC:1E:5A:C6:3B:C4:1E:8A:B8:BE:7C:C5:1F:25:3E:BD:15
            X509v3 Authority Key Identifier:
                keyid:E8:72:9D:C9:4E:61:DF:60:D6:14:15:CD:CD:9E:B8:D5:2A:7E:B1:43
                DirName:[EMAIL PROTECTED]
                serial:00
            X509v3 Subject Alternative Name:
                email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name:
                email:[EMAIL PROTECTED]
    ....
    ....
    ....
-------------------------------