Hello,
I'm trying to use OpenCA OCSC responder.
I've got 5 CAs, organised like this:
- ac-racine (root)
  |
  |---- ac-serveur (CA for server certificates)
  |
  |---- ac-utilisateur (CA for user certificates)
  |
  |---- ac-utilisateur-plus (another CA for user certificates)
- ac-test (another root CA that delivers certificates for users)
I'd like the responder to query an LDAP directory.
Thanks to Massimiliano I succeeded in starting the responder and I've got
logs in /var/log/daemonlog.
I got different problems. The first is (using openssl ocsp) this error
message:
# openssl ocsp -issuer ac-utilisateur.crt -cert carpier.crt -url http://spare-pki.cru.fr:2560/ -resp_text -CAfile ac-bundle.crt
(carpier.crt is a revoked certificate of CA ac-utilisateur and
ac-bundle.crt contains all CAs)
6504:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c
In the ac-bundle.crt, I've got all my CAs.
The certificate for the responder contains the OCSPsigning
extendedKeyUsage and is signed by ac-serveur.
I created a file named chain_certs.pem which contains the ac-racine and
ac-serveur certs (the issuer chain for the OCSP certificate).
When the server is starting, it gives this message:
May 31 15:15:42 spare-pki ocspd[2843]: variable lookup failed for ldap_ac_serveur::ca_url
May 31 15:15:42 spare-pki ocspd[2843]: variable lookup failed for ldap_ac_utilisateur::ca_url
May 31 15:15:42 spare-pki ocspd[2843]: variable lookup failed for ldap_ac_utilisateur_plus::ca_url
May 31 15:15:42 spare-pki ocspd[2843]: variable lookup failed for ldap_ac_test::ca_url
May 31 15:15:42 spare-pki ocspd[2843]: variable lookup failed for ldap_ac_racine::ca_url
So I tried to use these variables and put the certificates in files, but
it doesn't work any better (this message no longer appears in the log file,
but the OCSP response is the same).
I verified all rights on all files. All files belong to ocspd.daemon.
Have you got any idea how to solve this problem?
Here is my configuration (Fedora Core 3):
[ ocspd ]
default_ocspd = OCSPD_default # The default ocspd section
####################################################################
[ OCSPD_default ]
dir = //etc/ocspd # Where everything is kept
db = $dir/index.txt # database index file.
md = sha1
ca_certificate = $dir/certs/ac-racine.pem # The CA certificate
ocspd_certificate = $dir/certs/server.crt # The OCSP server cert
ocspd_key = $dir/private/server.key # The OCSP server key
pidfile = $dir/ocspd.pid # Main process pid
user = ocspd
group = daemon
bind = *
port = 2560
max_req_size = 8192
max_childs_num = 5
crl_auto_reload = 3600
crl_check_validity = 600
crl_reload_expired = yes
response = ocsp_response
dbms = dbms_ldap
####################################################################
[ ocsp_response ]
dir = //etc/ocspd
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days = 0
next_update_mins = 5
####################################################################
[ dbms_ldap ]
0.ca = @ldap_ac_serveur
1.ca = @ldap_ac_utilisateur
2.ca = @ldap_ac_utilisateur_plus
3.ca = @ldap_ac_test
4.ca = @ldap_ac_racine
[ ldap_ac_serveur ]
crl_url = ldap://localhost:389
crl_entry_dn = "ou=ac-serveur, o=pki"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "ou=ac-serveur, o=pki"
[ ldap_ac_utilisateur ]
crl_url = ldap://localhost:389
crl_entry_dn = "ou=ac-utilisateur, o=pki"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "ou=ac-utilisateur, o=pki"
[ ldap_ac_utilisateur_plus ]
crl_url = ldap://localhost:389
crl_entry_dn = "ou=ac-utilisateur-plus, o=pki"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "ou=ac-utilisateur-plus, o=pki"
[ ldap_ac_test ]
crl_url = ldap://localhost:389
crl_entry_dn = "ou=ac-test, o=pki"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "ou=ac-test, o=pki"
[ ldap_ac_racine ]
crl_url = ldap://ra.cru.fr:389
crl_entry_dn = "ou=ac-racine, o=pki"
crl_entry_attribute = "certificateRevocationList;binary"
ca_entry_dn = "ou=ac-racine, o=pki"
--
Dominique Launay
Comité Réseau des Universités
http://www.cru.fr
-------------------------------------------
Validation signature / Trusting signature: --> http://igc.cru.fr/trust.html
-------------------------------------------
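Added example (not part of Dominique's message, and not OpenCA/ocspd code): the check that an OCSP client such as OpenSSL's OCSP_basic_verify performs before it accepts a response is the RFC 2560 section 2.2 authorization rule, and the script below rebuilds the hierarchy from the message with constructed P-256 keys (the `cryptography` package is assumed to be installed) and applies that rule to a responder certificate signed by ac-serveur when the question is about a certificate of ac-utilisateur. A response signed by that responder is accepted only if the client explicitly trusts the responder certificate (what `openssl ocsp -VAfile` supplies), because the responder is neither the issuing CA nor delegated by it; a responder certificate with the OCSPSigning EKU issued directly by ac-utilisateur is accepted without extra trust settings. All names, keys and the helper functions are constructed for this example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, issuer=None, issuer_key=None, ca=False, ocsp_signing=False):
    """Issue a test certificate (constructed keys); no issuer means self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(cn) if issuer is None else issuer.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if ocsp_signing:
        # id-kp-OCSPSigning marks what RFC 2560 calls an "authorized responder"
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    cert = builder.sign(key if issuer_key is None else issuer_key, hashes.SHA256())
    return cert, key


def directly_issued_by(cert, issuer):
    """True when `issuer` itself signed `cert` (name match plus valid ECDSA signature)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _spki(cert):
    return cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def responder_authorized(responder, subject_cert, issuer_cert, trusted_responders=()):
    """Which RFC 2560 clause lets `responder` sign a status for `subject_cert`?
    'issuer': signed with the issuing CA's own key; 'trusted': responder certificate
    explicitly trusted by the client; 'delegated': OCSPSigning EKU and issued by the
    same CA that issued subject_cert. None means the client must reject the response."""
    if not directly_issued_by(subject_cert, issuer_cert):
        raise ValueError("issuer_cert did not issue subject_cert")
    if _spki(responder) == _spki(issuer_cert):
        return "issuer"
    if any(responder == t for t in trusted_responders):
        return "trusted"
    try:
        eku = responder.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None
    if ExtendedKeyUsageOID.OCSP_SIGNING in eku and directly_issued_by(responder, issuer_cert):
        return "delegated"
    return None


def build_hierarchy():
    """Rebuild the hierarchy from the message with constructed keys."""
    racine, racine_key = make_cert("ac-racine", ca=True)
    serveur, serveur_key = make_cert("ac-serveur", racine, racine_key, ca=True)
    utilisateur, utilisateur_key = make_cert("ac-utilisateur", racine, racine_key, ca=True)
    # responder with the OCSPSigning EKU, signed by ac-serveur as in the message
    responder, _ = make_cert("ocsp-responder", serveur, serveur_key, ocsp_signing=True)
    # an end-entity certificate of ac-utilisateur (stands in for carpier.crt)
    carpier, _ = make_cert("carpier", utilisateur, utilisateur_key)
    return {"serveur": serveur, "utilisateur": utilisateur, "utilisateur_key": utilisateur_key,
            "responder": responder, "carpier": carpier}


def check_all():
    h = build_hierarchy()
    results = {}
    # responder signed by ac-serveur, asked about an ac-utilisateur certificate
    results["cross_ca"] = responder_authorized(h["responder"], h["carpier"], h["utilisateur"])
    # same responder, but the client explicitly trusts its certificate
    results["explicitly_trusted"] = responder_authorized(
        h["responder"], h["carpier"], h["utilisateur"], trusted_responders=[h["responder"]])
    # a responder certificate issued by ac-utilisateur itself
    delegated, _ = make_cert("ocsp-utilisateur", h["utilisateur"], h["utilisateur_key"],
                             ocsp_signing=True)
    results["delegated"] = responder_authorized(delegated, h["carpier"], h["utilisateur"])
    # the issuing CA signing its own responses
    results["issuer_key"] = responder_authorized(h["utilisateur"], h["carpier"], h["utilisateur"])
    return results


if __name__ == "__main__":
    print(check_all())
```

The `cross_ca` case is the configuration in the message: the responder certificate chains to the same root as carpier.crt, but the rule is about who issued the responder certificate, not about the root, so a bundle of all CAs in `-CAfile` is not enough on its own. The realistic fixes are either one responder certificate per issuing CA, each issued by that CA with the OCSPSigning EKU, or an explicitly trusted responder certificate configured on every client.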