Hi, The tests were made on a 0.9.8 version. I will update to a 1.0 or higher and keep you inform. regardsadrien Ps: does anyone know why the engine option is not available with ocsp and the private key must be in a file instead of store securely in a HSM ?From: smad...@adobe.com To: openssl-users@openssl.org CC: apis...@hotmail.com Date: Tue, 14 Aug 2012 11:29:53 -0700 Subject: RE: [openssl-users] OpenSSL OCSP
Hi Adrien, Just out of curiosity, what version of OpenSSL are you using? I can get OCSP to work with version 0.9.8, but not 1.0 or later and I’m looking to see if anyone else has had any luck with the current version. Thanks,Steve From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erwann Abalea Sent: Tuesday, August 14, 2012 10:35 AM To: openssl-users@openssl.org Cc: adrien pisarz Subject: Re: [openssl-users] OpenSSL OCSP Bonjour, Answers inline. -- Erwann ABALEA Le 14/08/2012 19:03, adrien pisarz a écrit :Hi, I have several questions about the ocsp functionnality. I read many articles before asking those questions and unfortunetaly I still don't have the answers. Maybe you can help me. Fist of all, here is my ocsp configuration : openssl ocsp -index index_prod.txt -CAfile OpCA.pem -rsigner ocsp.crt -rkey ocsp.key -port 3456 -text -out /home/userocsp/ocsp_responder.log The file index is populated by a self-made script, the ocsp.crt (resp. key) is a certificate (resp. key) which contains the ocsp signature extensions the OpCA.pem contains the subAC certificate Here are my questions : 1. Why the ocsp client work only if the -VAFile is set and otherwise I got a signature error ? Is there a way to solve this issue ? Maybe because the responder is not one of: - the CA that signed the certificate you're requesting the status on - a designated responder directly signed by the CA that signed the certificate you're requesting the status on Reread RFC2560. If you're instanciating the third possible responder type (trusted responder whose public key is trusted by the requester), then you obviously need to inform the client/requester. You didn't provide elements on who signed who, so that's just a guess. 2. If I wan manage several subAC should I open a port foreach subCA ? With the command-line tool, yes. If you need to have more CAs, then you could probably try something more suited than the command-line tools. The command-line tool also doesn't respond to GET requests, only POST ones. 3. Why the ocsp responder requires that all the certificates (even the valide's one) must be present in the index.txt in order to provide a correct answer ? I was expected that openssl will check the certificate signature and if the serial is not present in the index.txt, it will answer good and not unknow. Design choice. You're giving the responder a database, so it supposed to know *all* the certificates. OCSP can be based on CRLs (black-list), but that's not implemented by the tool. If that's what you want, you'll have to write your own. 4. As said, the openssl responder is working but a IHS server is not abble to validate his answer and I got those errors : [...]Does anyone know how to configure an IHS with an openssl ocsp responder ? You may ask your provider for this, not OpenSSL.