Hi,

The OCSP responder has EKU=OCSP:

    X509v3 extensions:
        X509v3 Subject Key Identifier:
            2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
        X509v3 Extended Key Usage:
            OCSP
        X509v3 Key Usage:
            Digital Signature, Non Repudiation
        X509v3 Authority Key Identifier:
            keyid:CC:C3:F5:66:FF:73:AC:38:5A:96:1B:21:89:B8:81:4C:1F:CB:5E:25

I attached the OCSP cert. I believe this is setup #2 you described.

--
Konrads Smelkovs
Applied IT sorcery.

On Tue, Mar 23, 2010 at 5:39 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
>
> > Hello,
> >
> > I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I
> > want to check the OCSP response. The root chain is added to the root list.
> > OpenSSL says all of it is OK. The chain has a three-level architecture:
> > Root, which signs OCSP & Policy; Policy, which signs the issuing CA, which
> > signs the subscriber CA.
> >
> > $ openssl verify ksmelkovs.pem # Cert to verify
> > ksmelkovs.pem: OK
> >
> > $ openssl verify tssp.pem # OCSP responder cert
> > tssp.pem: OK
> >
> > $ openssl verify cacers/*vas*rca*pem
> > cacers/vas latvijas pasts ssi(rca).pem: OK
> >
> > $ x509 <ksmelkovs.pem -text |grep ocsp
> > OCSP - URI:http://ocsp.e-me.lv/responder.eme
> > $ x509 <ksmelkovs.pem -text |grep Issue
> > Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790,
> > OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)
> >
> > $ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url
> > http://ocsp.e-me.lv/responder.eme
> > Response Verify Failure
> > 5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> > trusted:ocsp_vfy.c:148:
> > ksmelkovs.pem: good
> > This Update: Mar 23 11:29:33 2010 GMT
> > konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
> > ksmelkovs.pem: OK
> >
> > Copies of these certs are uploaded here: http://drop.io/lykqq21#
> >
> > The 64k USD question: if I have the entire trust chain in the trusted
> > list, then why would it complain?
>
> There are two automatic trust models for OCSP responder certificates. One is
> the CA key that signed the certificate also signs responses: that isn't
> recommended for security reasons. The other is that the CA signs a responder
> certificate with an OCSP signing EKU extension and responses are signed by the
> corresponding private key.
>
> Your setup doesn't seem to cover either case. You can explicitly trust the
> responder certificate with the -VAfile option or add explicit OCSP signing
> trust to the root.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
Attachment: tssp-lp.pem (binary data)
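The trust models Steve contrasts, reproduced as an added example that is not part of the thread: a throwaway PKI in the same shape as the one discussed (root issues the OCSP responder, a sub-CA issues the end-entity certificate) triggers "root ca not trusted", which is then cleared with -VAfile, with a root carrying explicit OCSP-signing trust, and with a responder issued by the certificate's own issuer (model #2). It assumes a current openssl(1) on PATH; every name, serial, subject and the index entry are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread): rebuild the thread's layout in a
# throwaway PKI (root issues the OCSP responder, a sub-CA issues the end-entity
# cert), reproduce "root ca not trusted", then apply the two fixes Steve names.
# Assumes a current openssl(1) on PATH; all names, serials and the index entry
# are constructed for this demo.
W=$(mktemp -d)
# newcert NAME SIGNER SERIAL EXTENSIONS   (SIGNER "self" = self-signed root)
newcert() {
  name=$1 signer=$2 serial=$3
  openssl ecparam -name prime256v1 -genkey -noout -out "$W/$name.key"
  openssl req -new -key "$W/$name.key" -subj "/CN=$name" -out "$W/$name.csr" 2>/dev/null
  printf '%b' "$4" > "$W/$name.ext"
  if [ "$signer" = self ]; then set -- -signkey "$W/$name.key"
  else set -- -CA "$W/$signer.pem" -CAkey "$W/$signer.key"; fi
  openssl x509 -req -in "$W/$name.csr" -set_serial "$serial" -days 30 \
    -extfile "$W/$name.ext" -out "$W/$name.pem" "$@" 2>/dev/null
}
ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
ee='basicConstraints=CA:FALSE\nkeyUsage=digitalSignature'
ocsp="$ee\nextendedKeyUsage=OCSPSigning"
build_pki() {
  newcert root self 1 "$ca"
  newcert ca root 2 "$ca"
  newcert leaf ca 0x1234 "$ee"
  newcert resp-root root 3 "$ocsp"   # the thread's layout: responder issued by the root
  newcert resp-ca ca 4 "$ocsp"       # model #2: responder issued by the leaf's own issuer
  printf 'V\t401231235959Z\t\t1234\tunknown\t/CN=leaf\n' > "$W/index.txt"  # leaf is valid
  for r in resp-root resp-ca; do     # answer the same request with each responder
    openssl ocsp -index "$W/index.txt" -CA "$W/ca.pem" -rsigner "$W/$r.pem" -rkey "$W/$r.key" \
      -rother "$W/ca.pem" -issuer "$W/ca.pem" -cert "$W/leaf.pem" -no_nonce \
      -respout "$W/$r.resp" -noverify >/dev/null 2>&1
  done
  # Fix 2: a copy of the root carrying explicit OCSP-signing trust (aux trust data)
  openssl x509 -in "$W/root.pem" -addtrust OCSPSigning -trustout -out "$W/root-ocsp.pem"
}
# verify RESPONSE CAFILE [extra ocsp args]: echoes OK or FAIL
verify() {
  resp=$1 cafile=$2; shift 2
  out=$(openssl ocsp -respin "$W/$resp" -CAfile "$W/$cafile" -issuer "$W/ca.pem" \
        -cert "$W/leaf.pem" -no_nonce "$@" 2>&1) || true
  case $out in *"Response verify OK"*) echo OK ;; *) echo FAIL ;; esac
}
build_pki
verify resp-root.resp root.pem                              # FAIL: root ca not trusted
verify resp-root.resp root.pem -VAfile "$W/resp-root.pem"   # OK: responder trusted explicitly
verify resp-root.resp root-ocsp.pem                         # OK: root trusted for OCSP signing
verify resp-ca.resp root.pem                                # OK: CA-issued responder with OCSPSigning EKU
```

The first call fails for the same reason as in the thread: the responder chains to a trusted root, but it is neither the certificate's issuer nor a delegate of that issuer, and a plain root carries no OCSP-signing trust setting.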