On Tue, Mar 23, 2010, PGNet Dev wrote:
> testing an ocsp query to a local openssl ocsp 'server',
>
>   openssl ocsp \
>     -issuer /svr/demoCA/certs/CA/CA.cert.pem \
>     -cert /svr/demoCA/certs/domains/testdomain.cert.pem \
>     -url http://localhost:8888 \
>     -resp_text
>
> i get what seems to be a "successful" response of "good" CertStatus,
>
>   OCSP Response Data:
>       OCSP Response Status: successful (0x0)
>       Response Type: Basic OCSP Response
>       Version: 1 (0x0)
>       Responder Id: DC = Auth, DC = testdomain, DC = loc, CN = OCSP Responder, O = MyCO, OU = http://testdomain.loc/Auth, L = myCity, ST = NY, C = US
>       Produced At: Mar 24 00:53:07 2010 GMT
>       Responses:
>       Certificate ID:
>         Hash Algorithm: sha1
>         Issuer Name Hash: 573...DAF
>         Issuer Key Hash: E70...B7E
>         Serial Number: 126...498
>       Cert Status: good
>       This Update: Mar 24 00:53:07 2010 GMT
>
>       Response Extensions:
>           OCSP Nonce:
>               041...37A
>   Certificate:
>       Data:
>           Version: 3 (0x2)
>           Serial Number: 1 (0x1)
>           Signature Algorithm: sha512WithRSAEncryption
>           Issuer: DC=Auth, DC=tesdomain, DC=loc, CN=MyCO CA, O=MyCO, OU=http:\/\/testdomain.loc\/Auth, L=myCity, ST=CA, C=US
>           Validity
>               Not Before: Mar 24 00:11:10 2010 GMT
>               Not After : Mar 21 00:11:10 2020 GMT
>           Subject: DC=Auth, DC=tesdomain, DC=loc, CN=OCSP Responder, O=MyCO, OU=http://testdomain.loc/Auth, L=myCity, ST=CA, C=US
>           Subject Public Key Info:
>               Public Key Algorithm: rsaEncryption
>               RSA Public Key: (4096 bit)
>                   Modulus (4096 bit):
>                       00:c4:d3:65:59:1d:04:be:d7:bb:5d:46:b2:d2:88:
>                       ...
>                       88:bf:3f:11:68:db:08:f8:ba:ae:02:1f:07:14:78:
>                       27:33:e9
>                   Exponent: 65537 (0x10001)
>           X509v3 extensions:
>               Netscape Cert Type:
>                   SSL Client, SSL Server, S/MIME, Object Signing
>               Netscape Comment:
>                   OpenSSL OCSP Responder Certificate
>               X509v3 Key Usage: critical
>                   Digital Signature
>               X509v3 Extended Key Usage:
>                   OCSP Signing
>               X509v3 Basic Constraints:
>                   CA:FALSE
>               X509v3 Subject Alternative Name: critical
>                   DNS:ocsp.testdomain.loc
>       Signature Algorithm: sha512WithRSAEncryption
>           82:83:5f:86:1d:23:b4:e1:23:cb:04:e6:8e:f6:a1:e6:4a:3f:
>           ...
>           3f:b2:23:8b:d9:b1:39:53
>   -----BEGIN CERTIFICATE-----
>   MIIG6zCCBNOgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCB9TEYMBYGCgmSJomT8ixk
>   ...
>   +6HEmqK1GCxcDsDUV+nlZ7Rcq4tZgk5b0fK4YiK25YRxtGM/f2hCP7Iji9mxOVM=
>   -----END CERTIFICATE-----
>   Response Verify Failure
>   32044:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
>   /svr/demoCA/certs/domains/testdomain.cert.pem: good
>       This Update: Mar 24 00:53:07 2010 GMT
>
>
> But still get this complaint about "local issuer certificate", which,
> iiuc, has to be available to get the query result back in the 1st
> place.
>
> Or does this error mean something else -- if so, what might that be?
>
The path of the responder certificate has to be validated so you need to
pass the root CA using the -CAfile or -CApath command line arguments.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
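The point in the reply is easy to miss: the client got a signed "good" answer, but `openssl ocsp` still has to build and validate a chain from the responder's signing certificate (embedded in the response) up to a trusted root, and without -CAfile/-CApath it only consults the default system store, where a private CA is not present. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throwaway root CA, a delegated OCSP responder certificate (keyUsage digitalSignature, EKU OCSPSigning) and one end-entity certificate, serves OCSP from a CA index file on 127.0.0.1, and runs the same query twice, first without and then with -CAfile. All names, serials and the port number are constructed for the demo, and it assumes an `openssl` binary on PATH and that TCP port 18888 on loopback is free.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the responder-chain
# verify failure and the -CAfile fix against a local openssl ocsp server.
# Assumptions: openssl on PATH, 127.0.0.1:18888 free; all DNs, serials
# and file names below are constructed demo values.
set -eu

WORK=$(mktemp -d)
PORT=18888
RESP_PID=
trap 'kill "$RESP_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

build_pki() {
    # Self-signed root CA (req -x509 marks it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1

    # Delegated responder: signed by the CA it answers for, with the
    # extensions OCSP_basic_verify requires of a delegated signer
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' \
        > "$WORK/ocsp.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ocsp.key" \
        -out "$WORK/ocsp.csr" -subj "/CN=Demo OCSP Responder" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1000 -days 30 -extfile "$WORK/ocsp.ext" \
        -out "$WORK/ocsp.pem" >/dev/null 2>&1

    # End-entity certificate whose status is queried (serial 0x1001)
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=demo-leaf" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1

    # CA index as read by `openssl ocsp -index`, tab separated:
    # status  expiry  revocation-date  serial(hex)  filename  subject
    printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=demo-leaf\n' > "$WORK/index.txt"
}

start_responder() {
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ocsp.pem" -rkey "$WORK/ocsp.key" \
        -port "$PORT" >/dev/null 2>&1 &
    RESP_PID=$!
}

# Query the responder and print only the verdict line of the client.
# Extra arguments (e.g. -CAfile) are passed straight to openssl ocsp.
verify_line() {
    tries=0
    while [ "$tries" -lt 10 ]; do
        out=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
                  -url "http://127.0.0.1:$PORT" "$@" 2>&1 || true)
        line=$(printf '%s\n' "$out" | grep -E 'Response (Verify Failure|verify OK)' \
                   | head -n 1 || true)
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
            return 0
        fi
        tries=$((tries + 1)); sleep 1   # responder may not be listening yet
    done
    printf 'no response\n'
}

build_pki
start_responder
WITHOUT_CAFILE=$(verify_line)
WITH_CAFILE=$(verify_line -CAfile "$WORK/ca.pem")
echo "without -CAfile: $WITHOUT_CAFILE"   # Response Verify Failure
echo "with    -CAfile: $WITH_CAFILE"      # Response verify OK
```

Both runs receive the same signed "good" status; only the second one ends in "Response verify OK", because only then can the responder certificate be chained to a trusted root. The same applies when the real responder is reached over the network: a client that treats a "good" status as authoritative while the verify step fails has not actually checked anything, so the verify line, or the client's exit status, is the result to act on. Where a responder is deliberately not chained to a CA in the store, OpenSSL's -VAfile option trusts the listed responder certificates explicitly instead.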