On March 5, 2010 01:41:48 am Nagendra_U_M wrote:
> Hi All,
>
> I just started working on OCSP...

If I may ask, what are you working on - writing a client, or writing a server, or using it in some other way?

> And I am trying to set up an OCSP responder using the OpenSSL CLI commands.
> Right now, my index.txt file is blank and zero-size (created using the
> "touch" command).

You are aware of the warnings that are all over the CLI OCSP bits that say "for testing only, do NOT use as a real production OCSP responder" - right? :)

> I want to know how to fill in revocation information into the index.txt
> file, and in what format? (so that I can get a "BAD" OCSP response for
> revoked certs).

Same as the format generated by the openssl ca command.

> Also, the zero-size index.txt file results in an "UNKNOWN" OCSP response
> all the time.
> What do I need to do so that my OCSP Responder returns a "GOOD" response
> for those certs NOT in the revoked list??

The OCSP responder MUST only respond "good" for certificates it absolutely knows about - if it is uncertain of the status (i.e. that serial number does not appear in the index.txt), then it MUST respond with unknown.

> My CRL is generated in *.pem X.509 format...How can I convert that into
> revocation info stored inside index.txt file??

Don't convert the CRL - you don't have enough information - use the index.txt file from your CA directly.

Keep in mind that for your responses to be considered valid by just about all implementations out there, the OCSP responder must either sign the responses with the CA's keys (bad idea, for a number of good security reasons), or with a specific key and associated certificate certified by the CA for the OCSP responder (with EKU OCSPSigning, and preferably the ocsp-no-check extension defined to avoid chicken and egg issues).

If you don't have the index.txt file from your CA, then you are either probably not authorised to sign OCSP responses, so no matter what you do, a proper client will fail; or, in the case where your CA isn't an OpenSSL one but you ARE allowed to publish OCSP status, you need to find a way to export the internal database of certificates used by that CA, and translate it to the format used by the openssl ca command.

A representative sample is below:

R	130110200751Z	100201142709Z,superseded	8E	unknown	/O=Example/CN=Foo
V	130119193554Z		8F	unknown	/O=Example/CN=Bar

Field 1: Status - R = Revoked, V = Valid
Field 2: Issued on (Valid start)
Field 3: Revoked on (with a comma value for the reason)
Field 4: Certificate Serial Number
Field 5: Unused - always "unknown"
Field 6: Subject DN of certificate

The file is tab delimited, if I am not mistaken.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
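The following is an added example, not code from the thread above or from OpenSSL. It parses an index.txt in the tab-delimited layout shown in the reply and applies the rule the reply states: a serial that is absent from the index is "unknown", a present serial with status R is "revoked" (with its reason), and any other present serial is "good". It also shows what a hand-written R line must contain, which is the other half of the original question. The two sample lines are constructed from the reply; the column names, the `E` status (which openssl ca writes for expired certificates) and the reason-code list (the values accepted by `openssl ca -crl_reason`) are facts about OpenSSL's CA database, while the function names and the choice to treat every non-R entry as good are this example's own. The second column is stored as a date without being interpreted; openssl ca actually fills it with the certificate's notAfter time.

```python
"""Added example (not from the original post or from OpenSSL): read an
openssl-ca style index.txt and answer the question an OCSP responder has to
answer from it.  Rule from the post: absent serial -> UNKNOWN, status R ->
REVOKED, any other present entry -> GOOD.  revoke_entry() shows what a
hand-written R line has to look like."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed sample in the tab-delimited layout shown in the post.  Columns:
# status, date, revocation time[,reason] (empty unless R), serial, file name
# ("unknown"), subject DN.  openssl ca also writes status E for expired certs.
SAMPLE_INDEX = (
    "R\t130110200751Z\t100201142709Z,superseded\t8E\tunknown\t/O=Example/CN=Foo\n"
    "V\t130119193554Z\t\t8F\tunknown\t/O=Example/CN=Bar\n"
)

# Reason codes accepted by openssl ca -crl_reason (the extended
# keyTime/holdInstruction forms are not handled by this example).
REVOCATION_REASONS = {
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
}


@dataclass
class IndexEntry:
    status: str                      # "V", "R" or "E"
    date: datetime                   # second column, stored, not interpreted
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str                      # normalised uppercase hex, as openssl writes it
    subject: str


def parse_db_time(s: str) -> datetime:
    """Parse the YYMMDDHHMMSSZ (or YYYYMMDDHHMMSSZ) stamps used in index.txt."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def normalize_serial(serial) -> str:
    """Canonicalise a serial (int, '0x8e', '8e', '008E') to even-length
    uppercase hex so lookups match what openssl ca wrote."""
    if isinstance(serial, int):
        if serial < 0:
            raise ValueError("serial numbers are non-negative")
        hexstr = format(serial, "X")
    else:
        hexstr = serial.strip().upper()
        if hexstr.startswith("0X"):
            hexstr = hexstr[2:]
        int(hexstr, 16)                 # reject anything that is not hex
        hexstr = hexstr.lstrip("0") or "0"
    return hexstr if len(hexstr) % 2 == 0 else "0" + hexstr


def parse_index(text: str) -> Dict[str, IndexEntry]:
    """Parse index.txt into a serial -> entry map.  Malformed lines are
    rejected rather than guessed at: never answer GOOD from bad data."""
    entries: Dict[str, IndexEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, date, rev, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: bad status {status!r}")
        revoked_at = reason = None
        if status == "R":
            stamp, _, reason = rev.partition(",")   # "100201142709Z,superseded"
            revoked_at = parse_db_time(stamp)
            reason = reason or None
        elif rev:
            raise ValueError(f"line {lineno}: revocation column set on a non-R entry")
        serial = normalize_serial(serial)
        if serial in entries:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        entries[serial] = IndexEntry(status, parse_db_time(date), revoked_at, reason, serial, subject)
    return entries


def cert_status(entries: Dict[str, IndexEntry], serial) -> Tuple[str, Optional[str]]:
    """The OCSP decision: ("unknown", None) when the serial is absent,
    ("revoked", reason) for an R entry, ("good", None) for any other entry."""
    entry = entries.get(normalize_serial(serial))
    if entry is None:
        return "unknown", None
    if entry.status == "R":
        return "revoked", entry.reason
    return "good", None


def revoke_entry(text: str, serial, reason: Optional[str], when: datetime) -> str:
    """Return the index text with one V/E line rewritten as R: status column
    set to R, revocation column set to the UTC time plus an optional reason.
    Only a serial already in the index can be revoked; anything else is unknown."""
    if reason is not None and reason not in REVOCATION_REASONS:
        raise ValueError(f"unknown revocation reason {reason!r}")
    target = normalize_serial(serial)
    out, found = [], False
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and normalize_serial(fields[3]) == target:
            if fields[0] == "R":
                raise ValueError(f"serial {target} is already revoked")
            stamp = when.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")
            fields[0] = "R"
            fields[2] = stamp + (f",{reason}" if reason else "")
            line, found = "\t".join(fields), True
        out.append(line)
    if not found:
        raise KeyError(f"serial {target} is not in the index; cannot revoke an unknown cert")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for s in ("8E", "8f", "0x90"):
        print(s, cert_status(db, s))
    print(revoke_entry(SAMPLE_INDEX, 0x8F, "keyCompromise", datetime.now(timezone.utc)), end="")
```

An empty file parses to an empty map, so every query comes back "unknown", which is exactly the behaviour the original poster saw and the behaviour the reply says is correct. The file this produces is the same one `openssl ocsp -index index.txt` reads for its test responder; the signing key and OCSPSigning certificate the reply describes are what the responder still needs on top of it.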