On Thu 13 Oct 2005 at 11:55:41AM +0300, Dmitrij Mironov wrote:
> Thanks for help, Guillaume.
>
> Now OCSPD is working.

Good :-)

> The problem disappeared when the server was restarted :o).

Well... Whatever.

> Unfortunately, now I don't see "Successfully binded to %s", as Guillaume
> mentioned, but this is not a problem, because OCSPD is responding to
> requests. I have tested it on a self-signed certificate CA environment and
> everything went very well. Now I have a problem with a chained CA environment
> - after submitting this command:
>
> openssl ocsp -issuer ca3.pem -cert user_cert.pem -CAfile all_ca_chain.pem
> -url http://localhost:2560 -text
>
> I'm getting:
>
> Response Verify Failure
> 8076:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning
> usage:ocsp_vfy.c:348:
> 8076:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> trusted:ocsp_vfy.c:148:
> user_cert.pem: good

It means that your OCSPD server certificate is missing the correct OIDs (tm).
By googling quickly:
http://www.redhat.com/docs/manuals/cert-system/admin/7.1/app_ext.html

> Does somebody have a working OCSPD with a CA hierarchy and can comment here how to
> configure OCSPD and form the openssl ocsp request string?

I do not have a CA hierarchy per se (just one CA), but here is the
request I usually launch:

    openssl ocsp -issuer ./cacert.pem -CAfile ./cacert.pem \
        -url http://a.b.c.d:port -serial some_serial_number

> And does somebody know the meaning of the "max_childs_num" configuration
> parameter and its value?

OCSPD pre-forks a certain number of children at start-up. It behaves
just like Apache 1, if you want.

More children = takes more resources = less likely to have all children busy when a new request comes
Fewer children = takes fewer resources = more likely to have all children busy when a new request comes

Considering the very light memory footprint, I started with a value of
20, but I do not have much experience of how it behaves under real load.

--
Guillaume Tamboise
"First they ignore you, then they laugh at you, then they fight you, then you win."
    -- Gandhi
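
The first error line in the quoted output is OpenSSL rejecting a delegated responder certificate that lacks the OCSP Signing extended key usage. The script below is an added example, not part of the original message or of OCSPD: it issues one responder certificate without that usage and one with it, then checks both. The throwaway CA, subject names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; the CA, subject names and file names are constructed.

# Return 0 if certificate $1 carries the OCSP Signing extended key usage
# (id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9).
has_ocsp_signing() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'OCSP Signing'
}

# Create a throwaway self-signed CA (ca.key, ca.pem) in directory $1.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a responder certificate $1/$2.pem signed by the CA in $1.
# $3 is the extendedKeyUsage value written into the extension file.
issue_responder() {
    printf '[ext]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' \
        "$3" > "$1/$2.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.cnf" -extensions ext \
        -out "$1/$2.pem" 2>/dev/null
}

# Build both variants in a temporary directory and print one
# "name: result" line per certificate.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_ca "$dir" &&
    issue_responder "$dir" bad-responder serverAuth &&
    issue_responder "$dir" good-responder OCSPSigning || { rm -rf "$dir"; return 1; }
    for c in bad-responder good-responder; do
        if has_ocsp_signing "$dir/$c.pem"; then
            echo "$c: OCSP Signing present"
        else
            echo "$c: missing OCSP Signing usage"
        fi
    done
    rm -rf "$dir"
}
```

Running `has_ocsp_signing` against the certificate the responder actually signs with shows whether it needs to be re-issued with `extendedKeyUsage = OCSPSigning`.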
