Hi Julien,

First, I'm not an OCSP guru. I only know X.509, and all my statements follow simple X.509 logic.

Julien VEHENT wrote:

My problem is that the daemon returns an error when it receives a request:

  [EMAIL PROTECTED]:~/Stage$ openssl ocsp -issuer ca.crt -CAfile ca.crt -cert webmail-signed-cert.pem -url http://ocsp.microgate.fr:80 -text

...

Response Extensions:
OCSP Nonce:
0410C244CB64A059EBBA2488D2B94F5FCF58
Response Verify Failure
 11565:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:

So this means you are missing a certificate which you need to verify the OCSP response.

 authority:/# ocspd -d -v -c /var/certificats/ocspd/ocspd.conf

May 25 17:47:29 authority ocspd[30427]: variable lookup failed for ocsp_response::ocsp_add_response_certs

This means that the option ocsp_add_response_certs is not present in your OCSP configuration. If you add the signer's certificate to this option then perhaps it is known to the OCSP client if there is trust for the CA.

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]   D-10099 Berlin
_______________________________________________________________
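
The failure discussed in this message can be reproduced offline; the script below is an added example, not part of the original e-mail or of the ocspd project. It assumes `openssl ocsp` as a stand-in responder (with `-resp_no_certs` playing the role of a responder that does not embed its signer certificate), and the throwaway CA, delegated signer, leaf certificate and file names are all constructed.

```shell
#!/bin/sh
# Added example: throwaway PKI built in a temp dir; every name here is constructed.

# issue <name> <extension line> <openssl x509 signing args...>
issue() {
  n=$1; ext=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
    -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1 &&
  printf '%s\n' "$ext" > "$n.ext" &&
  openssl x509 -req -in "$n.csr" -days 2 -extfile "$n.ext" \
    -out "$n.crt" "$@" >/dev/null 2>&1
}

# respond <outfile> [extra responder flags]: sign a response as demo-ocsp
respond() {
  o=$1; shift
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -reqin req.der -respout "$o" "$@" >/dev/null 2>&1
}

# verify <response> [extra client flags]: classify the client's verdict
verify() {
  out=$(openssl ocsp -issuer ca.crt -cert leaf.crt -CAfile ca.crt -no_nonce \
    -respin "$@" 2>&1) || true
  case $out in
    *"Response verify OK"*)           echo OK ;;
    *"signer certificate not found"*) echo SIGNER_NOT_FOUND ;;
    *)                                echo OTHER ;;
  esac
}

ocsp_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  issue ca   'basicConstraints=critical,CA:TRUE' -signkey ca.key &&
  issue ocsp 'extendedKeyUsage=OCSPSigning' -CA ca.crt -CAkey ca.key -set_serial 1 &&
  issue leaf 'basicConstraints=CA:FALSE' -CA ca.crt -CAkey ca.key -set_serial 2 || exit 1
  printf 'V\t350101000000Z\t\t02\tunknown\t/CN=demo-leaf\n' > index.txt
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
  respond bare.der -resp_no_certs   # signer certificate left out of the response
  respond full.der                  # signer certificate embedded (the default)
  a=$(verify bare.der)
  b=$(verify full.der)
  c=$(verify bare.der -verify_other ocsp.crt)  # client supplies the signer itself
  cd / && rm -rf "$d"
  echo "$a $b $c"
)

ocsp_demo   # expected: SIGNER_NOT_FOUND OK OK
```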
