first of all, thank you Stephen.
Dr. Stephen Henson wrote:
> On Sat, May 31, 2003, pablo wrote:
> > Hi everyone,
> > this is the first time I post something, so sorry if I make any mistakes.
> > I've been playing with the OCSP implementation of OpenSSL and I got some errors. I've been looking for stuff about the matter, but there's not much info about OpenSSL OCSP, I suppose because it's a new feature included not so long ago. I know the implementation is not full and it's not mature at all; I also read http://www.openssl.org/docs/apps/ocsp.html from corner to corner. Well, I won't talk anymore, this is my problem:
> > I ran the ocsp responder:
> > $ openssl ocsp -index private/index.txt -port 8890 -CA private/cacert.crt -rkey key/2.key -rsigner certs/2.crt -text -out log.txt
> > - cacert.crt file is a simple self-signed certificate using the default openssl.cnf config.
> > - 2.key and 2.crt files are the private key and the certificate for the responder
> > the netscape certType of the responder certificate is Object Signing, as you can see:
> > $ openssl x509 -inform PEM -in certs/2.crt -text -noout
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 2 (0x2)
> >         Signature Algorithm: sha1WithRSAEncryption
> >         ... blah
> >             Netscape Cert Type: Object Signing
> >         ... blah
> > the 2.key file is a simple 1024 bit RSA key.
>
> An OCSP responder needs an extended key usage of OCSPSigning with the line:
>
> extendedKeyUsage=OCSPSigning
>
> to work as a delegated OCSP responder.

I've got no errors since I generated a new certificate for the OCSP responder with that extendedKeyUsage, so that was the problem.

...
-----END CERTIFICATE-----
Response verify OK
0x1: revoked
        This Update: May 31 22:34:47 2003 GMT
        Revocation Time: May 30 18:27:04 2003 GMT

No, I've been using the 'x509' utility to issue certs and the 'ca' utility to revoke, so I'll start using this 'ca' utility right now.

> > time to make a request to the ocsp responder, well, I'll ask for the status of the certificate 0x1:
> > $ openssl ocsp -issuer private/cacert.crt -serial 0x1 -text -CAfile private/cacert.crt -url http://localhost:8890/
> > .... blah
> > OCSP Response Status: successful (0x0)
> > Response Type: Basic OCSP Response
> > Version: 1 (0x0)
> > Responder Id: C = ES, ST = Andalusia, L = Seville, O = rammataz, OU = computers, CN = responder OCSP prueba, emailAddress = prueba
> > ... blah
> > Cert Status: revoked <--- (cert 0x1 is revoked, it's ok, this is true)
> > and something else, when I ask for the status of a non-revoked cert I got this:
> > Cert Status: unknown
> > I had a look at the index.txt and it seems there's only info about revoked certs, so is that why the responder said "unknown" when I ask for a still-valid cert?
>
> It responds unknown because it has no information about the certificate you requested.
>
> How did you create index.txt? It will normally come from a CA which has been maintained using the 'ca' utility. This will then contain information about all certificates issued.

By the way, a line of the index.txt looks like:
R 040524223048Z 030530182704Z 01 unknown /C=ES/ST=Andalusia/L=Seville/O=acme/OU=devel/CN=pablo/[EMAIL PROTECTED]
what's the meaning of columns number two and three?

Thank you, Pablo
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
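The thread turns on two points: the responder certificate needs extendedKeyUsage=OCSPSigning to act as a delegated responder, and index.txt only answers "good" for certificates that were issued (not merely revoked) through the 'ca' utility. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA with 'ca', issues a leaf certificate and a responder certificate carrying the OCSPSigning EKU, revokes the leaf, decodes the resulting index.txt record, and queries a local responder. In the 'ca' database the columns pablo asks about are the expiry date (column two) and the revocation date (column three, empty unless the entry is revoked). File names, the subjects, the port 18890 and the temp directory are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway CA built with the
# 'ca' utility (so index.txt records every issued certificate), a delegated
# OCSP responder certificate with extendedKeyUsage=OCSPSigning, one revoked
# leaf certificate, and a query against a local responder. File names,
# subjects, the port 18890 and the temp directory are assumptions.
set -eu

# Decode the index.txt record for a given serial. The 'ca' database is
# tab-separated: status (V/R/E), expiry, revocation time (empty unless
# revoked), serial, certificate file name ('unknown'), subject DN.
# Pure awk, so this part runs without openssl installed.
index_lookup() {   # usage: index_lookup SERIAL < index.txt
    tab=$(printf '\t')
    awk -F"$tab" -v want="$1" '
        $4 == want {
            st = ($1 == "V") ? "good" : ($1 == "R") ? "revoked" : "expired"
            printf "%s expires=%s", st, $2
            if ($1 == "R") printf " revoked=%s", $3
            printf " subject=%s\n", $6
            found = 1
        }
        END { if (!found) print "unknown" }'
}

# Constructed two-record database in the same shape as the line pablo quotes.
index_sample() {
    printf 'V\t040524223048Z\t\t02\tunknown\t/C=ES/O=acme/CN=alice\n'
    printf 'R\t040524223048Z\t030530182704Z\t01\tunknown\t/C=ES/O=acme/CN=pablo\n'
}

# Full flow with a throwaway CA (needs openssl); run as: sh ocsp_demo.sh demo
ocsp_demo() {
    work=$(mktemp -d)
    cd "$work"
    mkdir newcerts
    touch index.txt
    echo 01 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.crt
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 365
policy         = policy_any
[ policy_any ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
[ v3_ocsp ]
# The line Stephen points at: without it the responder certificate is not
# accepted as a delegated OCSP signer and the client reports a verify error.
basicConstraints = CA:FALSE
extendedKeyUsage = OCSPSigning
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -subj /CN=Demo-CA -days 365 2>/dev/null
    for name in leaf responder; do
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout $name.key -out $name.csr -subj /CN=$name 2>/dev/null
    done
    # Issue through 'ca' so index.txt gets a V record for each certificate.
    openssl ca -batch -config ca.cnf -extensions v3_leaf -notext \
        -in leaf.csr -out leaf.crt 2>/dev/null
    openssl ca -batch -config ca.cnf -extensions v3_ocsp -notext \
        -in responder.csr -out responder.crt 2>/dev/null
    # Revoke the leaf: its record flips from V to R and column three is filled.
    openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
    cat index.txt
    index_lookup 01 < index.txt
    # Delegated responder; -nrequest 1 makes it exit after a single request.
    openssl ocsp -index index.txt -port 18890 -CA ca.crt \
        -rkey responder.key -rsigner responder.crt -nrequest 1 >/dev/null 2>&1 &
    sleep 1
    openssl ocsp -issuer ca.crt -cert leaf.crt -CAfile ca.crt \
        -url http://127.0.0.1:18890/
    wait
}

case "${1:-}" in demo) ocsp_demo ;; esac
```

Run with `sh ocsp_demo.sh demo`: the client should print "Response verify OK" followed by a revoked status for leaf.crt, and the same certificate looked up again with a serial the CA never issued gives "unknown" from `index_lookup`, which is exactly the behaviour Stephen describes for a responder that has no record of the certificate.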