Hi everybody,

I have a problem with configuring the OCSPD Responder with Sub CAs.


My PKI :

                    CA
          +---------+---------+
          |         |         |
       SubCA1    SubCA2   OCSP Responder
          |         |
     subca1_crl  subca2_crl


1. My OCSP Responder is signed by the CA
2. I have 2 SubCAs signed by the CA
3. SubCA1 signed the subca1_crl
   SubCA2 signed the subca2_crl


I tried this configuration for ocspd.conf :

ca_certificate    = $dir/certs/ca_cert.pem      # The CA certificate
ocspd_certificate = $dir/certs/ocsp_cert.pem    # The OCSP server cert
ocspd_key         = $dir/private/ocsp_priv.pem  # The OCSP server key

ocsp_add_response_certs = $dir/certs/chain_certs.pem # (concatenation of ca_cert.pem and ocsp_cert.pem)

0.ca = @first_ca
1.ca = @second_ca

####################################################################
[ first_ca ]
# You can have the CRL on a simple file in PEM format
crl_url = file:////$dir/crls/subca1_crl.pem

# We need the CA certificate for every supported CRL
ca_url  = file:////$dir/certs/subca1_cert.pem

####################################################################
[ second_ca ]

# You can have the CRL on a simple file in PEM format
crl_url = file:////$dir/crls/subca2_crl.pem

# We need the CA certificate for every supported CRL
ca_url  = file:////$dir/certs/subca2_cert.pem


And when I test the Responder with the OpenSSL OCSP client:

$ openssl ocsp -issuer subca1_cert.pem -CAfile chain_certs.pem -url http://localhost:2560 -serial 1

Response Verify Failure
7191:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
1: good
       This Update: Nov  9 16:19:25 2006 GMT
       Next Update: Nov 10 16:56:11 2006 GMT



Questions
---------
1. Can an OCSP Responder signed by the CA work with CRLs signed by SubCAs?
2. What about "ocsp_add_response_certs"? I cat ca_cert.pem and ocsp_cert.pem, but is this the correct value?


Thanks in advance !

rpki.
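Added example, not from the original post or from OpenCA: an offline reconstruction of the layout described above with throw-away keys, using only the openssl command line. OpenSSL's OCSP_basic_verify accepts a response signer only if it is the CA named in the request's certificate ID, a certificate that CA issued with the OCSP Signing extended key usage, or a certificate explicitly trusted for OCSP signing (what `-VAfile` supplies), so the script reproduces the "root ca not trusted" failure for a responder issued by the root and shows a responder issued by SubCA1 verifying. All file and subject names are made up; the leaf has serial 1 as in the query above.

```shell
#!/bin/sh
# Added example (not the poster's or OpenCA's code): rebuild the layout
# root CA -> SubCA1 -> leaf (serial 1), with the OCSP signer issued either by
# the root (the poster's setup) or by SubCA1, and see which one the client trusts.
# Assumes only the openssl CLI; every file name and CN below is made up.
set -e
W=$(mktemp -d); cd "$W"
cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[v3_ocsp]
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
basicConstraints = CA:FALSE
EOF
# issue NAME CN SIGNER SECTION SERIAL: key + CSR for NAME, signed by SIGNER
# ("self" makes a self-signed root) with the extensions of SECTION.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ "$3" = self ]; then sign="-signkey $1.key"; else sign="-CA $3.pem -CAkey $3.key"; fi
  openssl x509 -req -in "$1.csr" $sign -set_serial "$5" -days 1 \
    -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
issue ca          CA               self   v3_ca   1
issue subca1      SubCA1           ca     v3_ca   10
issue ocsp_by_ca  "OCSP Responder" ca     v3_ocsp 20   # responder signed by the root CA
issue ocsp_by_sub "OCSP Responder" subca1 v3_ocsp 21   # delegated responder of SubCA1
issue leaf        Leaf             subca1 v3_leaf 1
# Status database for `openssl ocsp -index`: status, expiry, revocation date,
# serial (hex), file name, subject DN. Serial 01 is V(alid), i.e. "good".
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=Leaf\n' > index.txt
openssl ocsp -issuer subca1.pem -serial 1 -no_nonce -reqout req.der >/dev/null 2>&1
# verify_with SIGNER: answer req.der with a response signed by SIGNER.pem
# (responder side, offline; the response also carries subca1.pem so the client
# can chain the signer to the root), then verify it against the root CA only,
# as the poster's client does. Prints "OK" or the reason OpenSSL rejects it.
verify_with() {
  openssl ocsp -index index.txt -CA subca1.pem -rsigner "$1.pem" -rkey "$1.key" \
    -rother subca1.pem -reqin req.der -respout "$1.resp" >/dev/null 2>&1 || true
  out=$(openssl ocsp -respin "$1.resp" -issuer subca1.pem -serial 1 -no_nonce \
        -CAfile ca.pem 2>&1) || true
  case $out in
    *"Response verify OK"*)  echo OK ;;
    *"root ca not trusted"*) echo "root ca not trusted" ;;
    *)                       echo "$out" | head -3 ;;
  esac
}
echo "signer issued by root CA: $(verify_with ocsp_by_ca)"   # root ca not trusted
echo "signer issued by SubCA1:  $(verify_with ocsp_by_sub)"  # OK
```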

_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users