Hi,

From my work in this area, I found that the error at the end of the ocsp command is only a problem with the running of the command - the contents of the file produced are not impacted.

However, the way to avoid the error is to concatenate (doing it in a text editor is fine) all the certs in your chain - in PEM format - into a file (chain.pem or similar) and supply this file as the parameter to your -CAfile option.

Hope this helps.

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon McMahon
Sent: Thursday, August 31, 2006 4:49 AM
To: openssl-users@openssl.org
Subject: ocsp response validation problem

Hi,

0.9.8b

I'm doing some OCSP testing and I had a little confusion with OCSP response validation. If you leave out -CAfile on the request then the validation fails even in the simple case where the CA is the same as the issuer. The examples in the ocsp(1) doc should include a request that includes the -CAfile argument to make it succeed, e.g.:

openssl ocsp -issuer demoCA/cacert.pem -CAfile demoCA/cacert.pem -url http://localhost:8888 -serial 1

This will work when the server is run as shown in the samples section. If -CAfile is left out then you get a validation error. If you use -CA (a server argument) then it also fails and this is pretty confusing.

Note: A sample of how to make an OCSP responder cert with OCSPSigning in the extended key usage would be nice too. When I work this bit out I can send in a sample for that if that helps.

Simon McMahon

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
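Added example, not part of either message above: a self-contained shell script that exercises the thread's two points with the openssl(1) CLI, run entirely through -reqout/-reqin/-respin files so no responder port is needed. It builds a throwaway CA, a responder certificate carrying the OCSPSigning extended key usage that Simon asks for a sample of, and a leaf certificate; it then shows that the responder's -respout file is written even though the command's trailing self-verification fails (Nick's observation), and that verifying that response succeeds with -CAfile and fails without it. Every file name, subject name and serial number is constructed for the demo; the demoCA layout from the thread is not used.

```shell
#!/bin/sh
# Added example (not from the thread): file-based OCSP round trip with
# openssl(1). All names, DNs and serials below are constructed for the demo.
set -eu

# Create a throwaway CA, an OCSPSigning responder cert, a leaf cert and a
# ca(1)-style index file in directory $1.
ocsp_demo_setup() {
    dir=$1
    # Self-signed test CA (stands in for the thread's demoCA/cacert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Extension sections consumed by "openssl x509 -extfile ... -extensions ...".
    cat >"$dir/ext.cnf" <<'EOF'
[ocsp_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Responder certificate (serial 2) with the OCSPSigning EKU.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example OCSP Responder" \
        -keyout "$dir/ocsp.key" -out "$dir/ocsp.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ocsp.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 365 -extfile "$dir/ext.cnf" -extensions ocsp_ext \
        -out "$dir/ocsp.pem" 2>/dev/null
    # Leaf certificate (serial 1) whose status the responder reports.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 365 -extfile "$dir/ext.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
    # ca(1) index: status, expiry, revocation date, serial (hex), file, subject.
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=leaf.example.test\n' >"$dir/index.txt"
}

# Print the responder certificate's extended key usage (should list OCSP Signing).
ocsp_demo_responder_eku() {
    openssl x509 -in "$1/ocsp.pem" -noout -ext extendedKeyUsage
}

# Build a request for the leaf and answer it with the responder, via files only.
# Echoes the responder command's exit status; resp.der is written regardless.
ocsp_demo_respond() {
    dir=$1
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" \
        -reqout "$dir/req.der" >/dev/null 2>&1
    # The responder signs the answer, writes -respout, and then verifies its own
    # response against the default trust store, which lacks the test CA. That
    # trailing "Response Verify Failure" is the error discussed in the thread;
    # the file written by -respout is complete and valid despite it.
    if openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
           -rsigner "$dir/ocsp.pem" -rkey "$dir/ocsp.key" \
           -reqin "$dir/req.der" -respout "$dir/resp.der" \
           >"$dir/responder.log" 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Verify resp.der for the leaf. $2 = "trusted" adds -CAfile ca.pem (the fix from
# the thread); any other value omits it. Echoes "OK <status>" or "FAIL <status>".
ocsp_demo_verify() {
    dir=$1; mode=$2
    # -no_nonce: the request rebuilt here from -cert must not carry a fresh
    # nonce, or the nonce check against the stored response fails first.
    set -- -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce -respin "$dir/resp.der"
    if [ "$mode" = trusted ]; then
        set -- "$@" -CAfile "$dir/ca.pem"
    fi
    if openssl ocsp "$@" >"$dir/verify-$mode.log" 2>&1; then
        result=OK
    else
        result=FAIL
    fi
    # The summary line printed by openssl looks like "<path>/leaf.pem: good".
    status=$(sed -n 's/^.*leaf\.pem: //p' "$dir/verify-$mode.log" | head -n 1)
    echo "$result ${status:-unknown}"
}

ocsp_demo() {
    dir=$(mktemp -d)
    ocsp_demo_setup "$dir"
    echo "responder exit status: $(ocsp_demo_respond "$dir")"
    echo "without -CAfile: $(ocsp_demo_verify "$dir" untrusted)"
    echo "with -CAfile:    $(ocsp_demo_verify "$dir" trusted)"
    rm -rf "$dir"
}

ocsp_demo
```

Run it as `sh ocsp-demo.sh`; it prints the responder's exit status and the two verification results. The responder command exits non-zero only because of its trailing self-verification, which is what Nick describes; the `-CAfile` on the verifying command is what Simon's message says the ocsp(1) examples should show.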