Hello,

I have created a self-signed root CA certificate and two other CA certificates that I signed with this self-signed root certificate;
and these SubCA certificates are used for signing requests;

With the root CA I also signed a certificate for the purpose of OCSP responder signing, using the parameter -addtrust OCSPSigning when calling openssl x509 and also with 'extendedKeyUsage = OCSPSigning' in my openssl.cnf;

So I have the following files:

the CA database:            index.txt
the RootCA certificate:     rootCA.pem   ( private key: rootCA.key )
the 1st SubCA certificate:  sub1CA.pem   ( private key: sub1CA.key )
the 2nd SubCA certificate:  sub2CA.pem   ( private key: sub2CA.key )

the OCSPrsp certificate:    ocsprsp.pem  ( private key: ocsprsp.key )

a chained certificate:      chained.pem
that is created like this:  ( cat sub1CA.pem; cat sub2CA.pem; cat rootCA.pem ) >chained.pem

Inside the CGI script (bash) I call OpenSSL like this:

openssl ocsp -index index.txt -CAfile rootCA.pem -CA chained.pem -rsigner ocsprsp.pem -rkey ocsprsp.key -nmin 5 -reqin ocspreq.in -respout ocspresp.out 2>&1 >>./output.log

Is this correct?
Do I have to decide which of the two SubCA certificates issued the certificate before calling this in the CGI script?

The following, as a test of the OCSP responder,

openssl ocsp -issuer sub1CA.pem -cert mycert.pem -CAfile rootCA.pem -CA chained.pem -url <url-to-ocsp>

gives the following :-(

Error querying OCSP responder
9333:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:959:
9333:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=OCSP_RESPONSE
9333:error:2707003A:OCSP routines:OCSP_sendreq_bio:nested asn1 error:ocsp_ht.c:161:

What is wrong? When I browse with Firefox to a server that has such a generated certificate, the CGI script is called;
but not with this test?

Please help me,
Thanks.

Greetings from Austria,
Walter Höhlhubmer
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
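The setup the post describes, reproduced as an added, self-contained example (this is not the poster's script or any OpenSSL project code). It builds a throw-away root with two sub-CAs and drives `openssl ocsp` purely through files (-reqin/-respout), which takes the CGI and HTTP layers out of the picture. Two things differ from the post, deliberately: each sub-CA gets its own `index.txt` and its own OCSP signing certificate issued by that sub-CA, because OpenSSL's client accepts a delegated responder certificate only when it was issued by the CA that issued the certificate being checked (RFC 6960, 4.2.2.2), and because the 1.0.x/1.1.x responder reads only the first certificate from the file given to `-CA`, so with `chained.pem` every request about a sub2CA certificate would be answered "unknown". All names, subjects and serial numbers are invented, and the only assumption is an `openssl` 1.1.x or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away two-tier PKI with one
# OCSP responder per issuing sub-CA, driven entirely through files
# (-reqin/-respout) so the CGI/HTTP layer is out of the picture. Assumptions:
# `openssl` 1.1.x or 3.x on PATH; every name, subject and serial is made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# issue NAME SIGNER EXTSECTION SERIAL SUBJECT: P-256 key, CSR, cert signed by SIGNER
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "$5" -config "$WORK/demo.cnf" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -set_serial "$4" \
        -days 365 -extfile "$WORK/demo.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
    # minimal stand-in for the post's openssl.cnf
    cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
    openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Demo Root CA" -days 3650 \
        -config "$WORK/demo.cnf" -extensions v3_ca -out "$WORK/root.pem"
    issue sub1 root v3_ca 0x2 "/CN=Demo Sub CA 1"
    issue sub2 root v3_ca 0x3 "/CN=Demo Sub CA 2"
    # Delegated OCSP signer issued by the CA it answers for (RFC 6960 4.2.2.2):
    # OpenSSL's client accepts a delegated signer only from that CA.
    issue ocsp_sub1 sub1 v3_ocsp 0x1000 "/CN=Demo Sub CA 1 OCSP Signer"
    issue ocsp_sub2 sub2 v3_ocsp 0x1000 "/CN=Demo Sub CA 2 OCSP Signer"
    # Both sub-CAs issue serial 0x1001: serials are only unique per issuer.
    issue leaf1 sub1 v3_leaf 0x1001 "/CN=leaf1.example.test"
    issue leaf2 sub2 v3_leaf 0x1001 "/CN=leaf2.example.test"
    # One index per CA, in `openssl ca` database format (status, expiry, revocation
    # date, serial as upper-case hex, file, subject); leaf2 is revoked.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf1.example.test\n' > "$WORK/sub1.index"
    printf 'R\t300101000000Z\t240101000000Z\t1001\tunknown\t/CN=leaf2.example.test\n' > "$WORK/sub2.index"
}

# request ISSUER LEAF OUT: the DER request a client would POST. No nonce, so the
# verification step can rebuild the identical request from ISSUER and LEAF.
request() {
    openssl ocsp -issuer "$WORK/$1.pem" -cert "$WORK/$2.pem" -no_nonce -reqout "$3"
}

# respond CA REQ OUT: what the CGI would run for CA, answering from CA's own index
respond() {
    openssl ocsp -index "$WORK/$1.index" -CA "$WORK/$1.pem" -rsigner "$WORK/ocsp_$1.pem" \
        -rkey "$WORK/ocsp_$1.key" -rother "$WORK/$1.pem" -nmin 5 -reqin "$2" -respout "$3"
}

# status ISSUER LEAF RESP: the status word a client sees, plus whether the response
# verifies against the root (it must not when another CA's signer produced it)
status() {
    word=$(openssl ocsp -issuer "$WORK/$1.pem" -cert "$WORK/$2.pem" -no_nonce -noverify \
               -respin "$3" 2>/dev/null | sed -n '1s/^.*: //p')
    if openssl ocsp -issuer "$WORK/$1.pem" -cert "$WORK/$2.pem" -no_nonce \
           -CAfile "$WORK/root.pem" -respin "$3" >/dev/null 2>&1
    then echo "$word"; else echo "$word (response does NOT verify)"; fi
}

# shared_index_accepted: one index.txt holding both CAs' rows is refused by openssl,
# because the two 0x1001 serials collide when it builds its serial index
shared_index_accepted() {
    cat "$WORK/sub1.index" "$WORK/sub2.index" > "$WORK/shared.index"
    openssl ocsp -index "$WORK/shared.index" -CA "$WORK/sub1.pem" -rsigner "$WORK/ocsp_sub1.pem" \
        -rkey "$WORK/ocsp_sub1.key" -reqin "$WORK/req-leaf1.der" -respout "$WORK/resp-shared.der" 2>/dev/null
}

build_pki
request sub1 leaf1 "$WORK/req-leaf1.der"
request sub2 leaf2 "$WORK/req-leaf2.der"
respond sub1 "$WORK/req-leaf1.der" "$WORK/resp-leaf1.der"
respond sub2 "$WORK/req-leaf2.der" "$WORK/resp-leaf2.der"
respond sub1 "$WORK/req-leaf2.der" "$WORK/resp-leaf2-wrong-ca.der"  # wrong CA's responder
echo "leaf1, asked of Sub CA 1's responder: $(status sub1 leaf1 "$WORK/resp-leaf1.der")"
echo "leaf2, asked of Sub CA 2's responder: $(status sub2 leaf2 "$WORK/resp-leaf2.der")"
echo "leaf2, asked of Sub CA 1's responder: $(status sub2 leaf2 "$WORK/resp-leaf2-wrong-ca.der")"
if shared_index_accepted; then echo "shared index: accepted"; else echo "shared index: rejected"; fi
```

The three status lines come out as good, revoked, and "unknown (response does NOT verify)": the responder of one sub-CA has no row for the other sub-CA's certificate, and even if it did, the client refuses its signature because the signer does not chain to the CA named in the request. That is the practical answer to "do I have to decide which SubCA issued the certificate": yes, either by running one responder (index plus signer) per issuing CA, or by inspecting the issuer name/key hash in the request before choosing the index. The merged index is rejected outright because the two identical serials collide. Once these file-mode exchanges verify locally, what remains in the `-url` test is the HTTP layer: `openssl ocsp` expects the body of the reply to be exactly the DER bytes that `-respout` writes, served as `Content-Type: application/ocsp-response`, and "ASN1_CHECK_TLEN:wrong tag ... Type=OCSP_RESPONSE" is what it reports when the bytes it received do not decode as a DER OCSPResponse.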
