> -----Original Message-----
> From: [email protected] [mailto:owner-openssl-
> [email protected]] On behalf of Dr. Stephen Henson
> Sent: Tuesday, 28 July 2009 23:43
> To: [email protected]
> Subject: Re: OCSP_basic_verify:root ca not trusted
>
> On Tue, Jul 28, 2009, Randy Turner wrote:
>
> > Is the OCSP response verification algorithm described below implemented
> > exclusively by OpenSSL, or is the algorithm an implementation
> > of a particular RFC algorithm?
> >
>
> It follows the rules in RFC2560. The CA signing and delegate signing are
> taken directly from RFC2560. It also allows a CA which "Matches a local
> configuration of OCSP signing authority for the certificate in question" and
> that's the "global responder" configuration option.
[NM] RFC2560 says:
"All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA"
We have the second case: The responder has to be trusted to answer requests in
this manner. That's why we already have the responder's signer certificate in
/etc/ssl/certs. Still, the response verification fails. We probably have to
trust the root CA for OCSP signing as stated in
http://www.openssl.org/docs/apps/ocsp.html:
"If the OCSP responder is a ``global responder'' which can give details about
multiple CAs and has its own separate certificate chain then its root CA can be
trusted for OCSP signing. For example:
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem"
So that's what we are going to test next...
Kind regards
Natanael Mignon
IT services: consulting | planning | implementation | operation
__________________________________________________________________________
phone (+49) 511 260 911-0 (ext. -13)
fax (+49) 511 318 039-9
e-mail [email protected]
web www.michael-wessel.de
Please always send important e-mails to [email protected] as well, to
ensure that they are handled promptly.
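As an added example that is not part of this thread or of OpenSSL's own documentation, the script below builds a throwaway PKI with openssl(1), reproduces the "root ca not trusted" failure for a responder that chains to its own root rather than to the issuing CA (RFC2560's second case), and then applies the -addtrust OCSPSigning step from the ocsp(1) page quoted above. It assumes an openssl binary (1.1.1 or 3.x) on PATH; all certificate names, the serial number and the temporary directory are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway PKI that reproduces the
# "root ca not trusted" verify failure for a stand-alone ("trusted") OCSP
# responder and shows the documented -addtrust OCSPSigning fix.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Root CA, an end-entity cert issued by it, and a self-signed responder cert
# that does NOT chain to the CA (RFC2560's "Trusted Responder" case).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Test-Root -days 30 \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=leaf \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1000 \
        -days 30 -out leaf.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Trusted-Responder \
        -days 30 -keyout resp.key -out resp.pem 2>/dev/null
    # Minimal ca(1)-style index: status V, expiry, no revocation date, serial
    serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > index.txt
}

# Build a request for leaf.pem and let the stand-alone responder sign the answer.
make_response() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null
    openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
}

# Verify resp.der against the given trust file; echoes OK or FAIL.
verify_with() {
    if openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce \
            -CAfile "$1" 2>&1 | grep -q 'Response verify OK'
    then echo OK; else echo FAIL; fi
}

make_pki
make_response
# The responder cert is in the store, so its chain builds, but it is neither
# the CA nor a CA-delegated signer and carries no explicit OCSP trust:
# OpenSSL reports "root ca not trusted" (the error in this thread's subject).
verify_with resp.pem                    # FAIL
# Mark the responder's root as trusted for OCSP signing, as ocsp(1) suggests.
openssl x509 -in resp.pem -addtrust OCSPSigning -out resp-trusted.pem
verify_with resp-trusted.pem            # OK
```

Passing the responder cert with -VAfile instead is the other way to express the "Trusted Responder" case; the -addtrust route is the one the ocsp(1) page describes for a global responder with its own chain.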