I hate replying to my own emails, but I've found the issue. It is not really a
bug in OCSPd: My B.pem file contained the PEM encoded certificate for B as
well as the PEM encoded certificate for A. OCSPd obviously chose to use A as
the CA for both entries.
My advice is that OCSPd should print a warning to syslog if there is more
than one certificate in the file pointed to by ca_url, to prevent others from
making the same error as I did.

> Hello!
> 
> I am in the process of setting up an OCSP responder for my PKI and
> sadly, I am having some trouble.
> 
> The simplified PKI looks like this: I have a CA A that issued the
> certificate for CA B. Both CA A and CA B issue user certificates.
> 
> No matter how I configure OCSPd, it works with CA A (responding with
> good/revoked on requests), but it does not work with CA B (always
> responding with "unknown", logging "request for non reckognized CA").
> 
> I have tried the following setups:
> 
> [ ocspd ]
> default_ocspd = default_ca
> 
> [ default_ca ]
> db = /etc/ocspd/index.txt
> md = sha1
> ca_certificate = A.pem
> 
> [ dbms_file ]
> 0.ca = @ca_A
> 1.ca = @ca_B
> 
> [ ca_A ]
> crl_url = file://A-crl.pem
> ca_url = file://A.pem
> 
> [ ca_B ]
> crl_url = file://B-crl.pem
> ca_url = file://B.pem
> 
> -------------------------------
> 
> [ ocspd ]
> default_ocspd = default_ca
> 
> [ default_ca ]
> db = /etc/ocspd/index.txt
> md = sha1
> ca_certificate = B.pem
> 
> [ dbms_file ]
> 0.ca = @ca_B
> 
> [ ca_B ]
> crl_url = file://B-crl.pem
> ca_url = file://B.pem
> 
> ------------------------------
> 
> [ ocspd ]
> default_ocspd = default_ca
> 
> [ default_ca ]
> db = /etc/ocspd/index.txt
> md = sha1
> ca_certificate = A.pem
> 
> [ dbms_file ]
> 0.ca = @ca_B
> 
> [ ca_B ]
> crl_url = file://B-crl.pem
> ca_url = file://B.pem
> 
> I checked out the source code and it looks alright - I had a closer look
> at the ocspd_CA_ENTRY_find function in hash_db.c, and it always failed
> at the comparison between tmp->nameHash and b->issuerNameHash. I did
> some more code diving, but I am not familiar enough with OpenSSL and
> OCSPd to find the problem.
> I could reproduce the problem with a homemade Java OCSP Client and the
> OpenSSL OCSP Client, so it seems that there is a bug in OCSPd.
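Two things in this thread are worth having as a concrete check: the reply's suggestion that a `ca_url` file should contain exactly one certificate, and the lookup the original question describes in `ocspd_CA_ENTRY_find` (the CA's `nameHash` compared against the request's `issuerNameHash`, which RFC 6960 defines as the hash over the DER-encoded issuer Name). The script below is an added example, not OCSPd or OpenCA code. It uses only the Python standard library: a minimal DER walker pulls the issuer and subject Name out of a certificate (it is not a validator), `check_ca_file` warns when a file holds more or fewer than one certificate, and `find_ca_entry` does the hash comparison taking the first certificate of each file, so it makes the ordering dependence visible. The certificates it runs on are constructed skeleton fixtures (valid structure, no keys, no signatures), and the entry names `ca_A`/`ca_B` follow the config in the question.

```python
import base64
import hashlib
import re

# Added example, not OCSPd code: standard-library-only checks for a ca_url file.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certificates(text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def der_tlv(buf, pos):
    """Decode the DER tag/length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the length's width
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, pos, pos + length

def certificate_names(der):
    """(issuer Name DER, subject Name DER) of an X.509 certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, pos, _ = der_tlv(der, 0)              # enter Certificate
    _, pos, _ = der_tlv(der, pos)            # enter tbsCertificate
    if der[pos] == 0xA0:                     # optional [0] EXPLICIT version
        _, _, pos = der_tlv(der, pos)
    _, _, pos = der_tlv(der, pos)            # serialNumber
    _, _, pos = der_tlv(der, pos)            # signature AlgorithmIdentifier
    issuer_start = pos
    _, _, pos = der_tlv(der, pos)            # issuer Name (tag and length included)
    issuer = der[issuer_start:pos]
    _, _, pos = der_tlv(der, pos)            # validity
    subject_start = pos
    _, _, pos = der_tlv(der, pos)            # subject Name
    return issuer, der[subject_start:pos]

def name_hash(name_der, algorithm="sha1"):
    """RFC 6960 issuerNameHash: hash over the DER Name including its tag and length."""
    return hashlib.new(algorithm, name_der).hexdigest()

def check_ca_file(pem_text):
    """Report the certificate count in a ca_url file; warn unless it is exactly one."""
    hashes = [name_hash(certificate_names(d)[1]) for d in pem_certificates(pem_text)]
    warning = None
    if len(hashes) != 1:
        warning = "ca_url file holds %d certificates, expected exactly one" % len(hashes)
    return {"count": len(hashes), "subject_hashes": hashes, "warning": warning}

def find_ca_entry(request_issuer_hash, ca_files):
    """Lookup in the shape the thread describes: each entry's nameHash against the
    request's issuerNameHash. Takes the FIRST certificate of each file, so a file
    that also carries a chain silently depends on ordering. ca_files: entry -> PEM."""
    for entry, pem_text in ca_files.items():
        certs = pem_certificates(pem_text)
        if certs and name_hash(certificate_names(certs[0])[1]) == request_issuer_hash:
            return entry
    return None

# Constructed fixtures: structurally valid X.509 skeletons with no keys or signatures.
def _der(tag, content):
    assert len(content) < 0x80, "fixtures stay small enough for short-form lengths"
    return bytes([tag, len(content)]) + content

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single CN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def skeleton_cert_pem(subject_cn, issuer_cn):
    """PEM text of an unsigned certificate skeleton (constructed test data)."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                              # [0] version v3
        _der(0x02, b"\x01"),                                          # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z")),
        _name(subject_cn),
        _der(0x30, b""),                                              # SPKI placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.b64encode(cert).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped

CA_A_PEM = skeleton_cert_pem("CA A", "CA A")      # root, self-issued
CA_B_PEM = skeleton_cert_pem("CA B", "CA A")      # sub-CA issued by A
USER_B_PEM = skeleton_cert_pem("user", "CA B")    # end-entity issued by B
B_PEM_WITH_CHAIN = CA_B_PEM + CA_A_PEM            # the mistake from the reply: B.pem also carries A

def issuer_hash_of(pem_text):
    """What an OCSP client sends as issuerNameHash for the first cert in pem_text."""
    return name_hash(certificate_names(pem_certificates(pem_text)[0])[0])
```

Running `check_ca_file(B_PEM_WITH_CHAIN)` produces the warning the reply asks OCSPd to log, while `check_ca_file(CA_B_PEM)` is silent. `find_ca_entry(issuer_hash_of(USER_B_PEM), {"ca_A": CA_A_PEM, "ca_B": CA_B_PEM})` resolves to `ca_B`; feeding it a file with A before B under the `ca_B` entry finds nothing, which is the "non recognized CA" outcome for B's users. The hash is over the Name's full TLV, not just its contents, which is the detail most often wrong in hand-rolled comparisons.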


_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
