Hi Konrads: No, in order for trust model 2 to work, the OCSP responder would have to be signed by the intermediate CA, not the root CA.

The "Root CA is authoritative to delegate OCSP responses over the entire subCA tree" (which is the model you are using) is unsupported under RFC 2560. Change your OCSP responder to use a certificate signed by the SubCA, and everything will work.

Best Regards,

Patrick.

On March 23, 2010 01:07:52 pm Konrads Smelkovs wrote:
> Hi,
> The OCSP responder has EKU=OCSP:
>
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
>         X509v3 Extended Key Usage:
>             OCSP
>         X509v3 Key Usage:
>             Digital Signature, Non Repudiation
>         X509v3 Authority Key Identifier:
>             keyid:CC:C3:F5:66:FF:73:AC:38:5A:96:1B:21:89:B8:81:4C:1F:CB:5E:25
>
> I attached OCSP cert. I believe this is setup #2 you described.
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On Tue, Mar 23, 2010 at 5:39 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
> > > Hello,
> > >
> > > I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which
> > > I want to check OCSP response.
> > > Root chain is added to root list. OpenSSL says all of it is OK:
> > > Chain has three level architecture - Root which Signs OCSP & Policy, Policy
> > > which signs issuing CA which signs subscriber CA.
> > >
> > > $ openssl verify ksmelkovs.pem # Cert to verify
> > > ksmelkovs.pem: OK
> > >
> > > $ openssl verify tssp.pem # OCSP responder cert
> > > tssp.pem: OK
> > >
> > > $ openssl verify cacers/*vas*rca*pem
> > > cacers/vas latvijas pasts ssi(rca).pem: OK
> > >
> > > $ x509 <ksmelkovs.pem -text |grep ocsp
> > > OCSP - URI:http://ocsp.e-me.lv/responder.eme
> > > $ x509 <ksmelkovs.pem -text |grep Issue
> > > Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790,
> > > OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)
> > >
> > > $ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url
> > > http://ocsp.e-me.lv/responder.eme
> > > Response Verify Failure
> > > 5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> > > trusted:ocsp_vfy.c:148:
> > > ksmelkovs.pem: good
> > > This Update: Mar 23 11:29:33 2010 GMT
> > > konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
> > > ksmelkovs.pem: OK
> > >
> > > Copies of these certs are uploaded here: http://drop.io/lykqq21#
> > >
> > > The 64k USD question: If I have entire trust chain in trusted list, then why
> > > would it complain?
> >
> > There are two automatic trust models for OCSP responder certificates. One is
> > the CA key that signed the certificate also signs responses: that isn't
> > recommended for security reasons. The other is that the CA signs a responder
> > certificate with an OCSP signing EKU extension and responses are signed by the
> > corresponding private key.
> >
> > Your setup doesn't seem to cover either case. You can explicitly trust
> > the responder certificate with the -VAfile option or add explicit OCSP
> > signing trust to the root.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
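The two automatic trust models Steve describes, plus the explicit-trust escape hatch and Patrick's fix, as an added example that is not code from this thread or from OpenSSL: a small Python model of the RFC 2560 section 4.2.2.2 responder-acceptance rule, run against the chain from the thread with constructed stand-in certificates (names and EKUs only; a real verifier also checks signatures and chain validity, and OpenSSL's own implementation differs in detail).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

OCSP_SIGNING_EKU = "OCSPSigning"  # id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: only the fields the acceptance rule looks at.
    Name equality stands in for the issuer-name / key matching a real verifier does."""
    subject: str
    issuer: str
    ekus: FrozenSet[str] = frozenset()


def responder_acceptable(target: Cert, signer: Cert,
                         explicit_trust: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return which RFC 2560 case lets `signer` vouch for `target`'s status, else None.

    1. issuer-signed:       the CA that issued target also signs responses
    2. explicitly-trusted:  the requester trusts the responder key directly (openssl ocsp -VAfile)
    3. delegated-responder: a cert issued directly by target's issuer, carrying OCSPSigning EKU
    A responder signed by a CA higher up the tree (e.g. the root) matches none of these.
    """
    if signer.subject == target.issuer:
        return "issuer-signed"
    if signer.subject in explicit_trust:
        return "explicitly-trusted"
    if signer.issuer == target.issuer and OCSP_SIGNING_EKU in signer.ekus:
        return "delegated-responder"
    return None


# Constructed stand-ins for the thread's chain: Root -> Policy -> CA2 -> subscriber.
ROOT = Cert("Root", "Root")
POLICY = Cert("Policy", "Root")
CA2 = Cert("CA2", "Policy")
SUBSCRIBER = Cert("ksmelkovs", "CA2")
# The failing setup: responder cert issued by the root, two levels above the issuing CA.
RESPONDER_BY_ROOT = Cert("tssp", "Root", frozenset({OCSP_SIGNING_EKU}))
# Patrick's fix: the same responder cert re-issued by the subscriber's issuing CA.
RESPONDER_BY_CA2 = Cert("tssp", "CA2", frozenset({OCSP_SIGNING_EKU}))


if __name__ == "__main__":
    print("root-signed responder:", responder_acceptable(SUBSCRIBER, RESPONDER_BY_ROOT))
    print("CA2-signed responder: ", responder_acceptable(SUBSCRIBER, RESPONDER_BY_CA2))
    print("root-signed + -VAfile:",
          responder_acceptable(SUBSCRIBER, RESPONDER_BY_ROOT, frozenset({"tssp"})))
```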