On Mon, Dec 10, 2012, Walter H. wrote:
> Hello,
>
> I have created a self-signed root CA certificate and two other CA
> certificates that I signed with this self-signed root certificate;
> these SubCA certificates are used for signing requests.
>
> With the root CA I also signed a certificate for OCSP responder
> signing, using the parameter -addtrust OCSPSigning when calling
> openssl x509 and also with 'extendedKeyUsage = OCSPSigning' in my
> openssl.cnf.
>
> So I have the following files:
>
> the CA database: index.txt
> the RootCA certificate: rootCA.pem (private key: rootCA.key)
> the 1st SubCA certificate: sub1CA.pem (private key: sub1CA.key)
> the 2nd SubCA certificate: sub2CA.pem (private key: sub2CA.key)
>
> the OCSP responder certificate: ocsprsp.pem (private key: ocsprsp.key)
>
> a chained certificate: chained.pem
> that is created like this:
> ( cat sub1CA.pem; cat sub2CA.pem; cat rootCA.pem ) >chained.pem
>
> Inside the CGI script (bash) I call OpenSSL like this:
>
> openssl ocsp -index index.txt -CAfile rootCA.pem -CA chained.pem \
>   -rsigner ocsprsp.pem -rkey ocsprsp.key -nmin 5 -reqin ocspreq.in \
>   -respout ocspresp.out 2>&1 >>./output.log
>
> Is this correct?
> Do I have to decide which of the two SubCA certificates issued the
> certificate before calling this in the CGI script?
>
> The following, as a test of the OCSP responder:
>
> openssl ocsp -issuer sub1CA.pem -cert mycert.pem -CAfile rootCA.pem \
>   -CA chained.pem -url <url-to-ocsp>
>
> gives the following :-(
>
> Error querying OCSP responsder
> 9333:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:959:
> 9333:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=OCSP_RESPONSE
> 9333:error:2707003A:OCSP routines:OCSP_sendreq_bio:nested asn1 error:ocsp_ht.c:161:
>
> What is wrong? When I browse with Firefox to a server that has such
> a generated certificate, then the CGI script is called;
> but not with this test?
>
Check the server logs to see if the web server is being accessed at the
appropriate URL. Also you may need to add the Host header to the request
as it isn't included by default.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
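The "wrong tag" error at Type=OCSP_RESPONSE in the thread above means the bytes the client handed to the OCSP decoder did not begin with the DER SEQUENCE tag (0x30) that every OCSPResponse starts with: the HTTP reply was something other than an OCSP response, usually an error page or the page of a default virtual host, which is why the reply points at the server logs and the missing Host header. The following is an added example, not OpenSSL's code and not something posted in the thread. It does that triage in Python: it builds the HTTP POST with an explicit Host header, splits a raw HTTP reply into status, content type and body, and decodes just enough of the outer OCSPResponse structure (RFC 6960, section 4.2.1) to name the responseStatus and confirm a BasicOCSPResponse is attached. Every reply is constructed inline and labelled as such; the host name, CGI path and DER byte strings are assumptions for illustration, not data from the page.

```python
"""Byte-level triage of an OCSP responder's HTTP reply (added example,
not OpenSSL project code). All inputs below are constructed; nothing
touches the network."""
from typing import Tuple

# OCSPResponseStatus values, RFC 6960 section 4.2.1
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# DER value bytes of id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1)
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")


def build_ocsp_post(host: str, path: str, der_request: bytes) -> bytes:
    """Minimal HTTP POST carrying a DER OCSPRequest. The Host header is sent
    explicitly so a name-based virtual host routes the request to the CGI."""
    head = (f"POST {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/ocsp-request\r\n"
            f"Content-Length: {len(der_request)}\r\n\r\n")
    return head.encode("ascii") + der_request


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def parse_ocsp_response(der: bytes) -> Tuple[str, bool]:
    """Decode the outer OCSPResponse only. Returns (status name, whether a
    BasicOCSPResponse is attached); the signed inner structure stays opaque."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError(f"wrong tag 0x{tag:02x}, expected SEQUENCE (0x30)")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    name = OCSP_STATUS.get(status[0], f"unknown({status[0]})")
    if pos == len(body):
        return name, False                          # no responseBytes
    tag, resp_bytes, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("responseBytes must be [0] EXPLICIT")
    tag, seq, _ = _read_tlv(resp_bytes, 0)
    if tag != 0x30:
        raise ValueError("ResponseBytes is not a SEQUENCE")
    oid_tag, oid, pos = _read_tlv(seq, 0)
    if oid_tag != 0x06 or oid != ID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    octets_tag, _, _ = _read_tlv(seq, pos)
    if octets_tag != 0x04:
        raise ValueError("response is not an OCTET STRING")
    return name, True


def split_http_response(raw: bytes) -> Tuple[int, str, bytes]:
    """Split a raw HTTP/1.x reply into (status code, content-type, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1].decode("ascii"))
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().decode("ascii", "replace").lower()
    return status, ctype, body


def diagnose(raw: bytes) -> str:
    """Say what came back, in the terms a responder operator needs."""
    status, ctype, body = split_http_response(raw)
    if status != 200:
        return (f"HTTP {status}: request did not reach the OCSP CGI; check the "
                "URL in the server logs and send a Host header")
    if not body or body[0] != 0x30:
        first = f"0x{body[0]:02x}" if body else "empty body"
        return (f"not DER: {first} (Content-Type {ctype!r}); an OCSP_RESPONSE "
                "decoder reports 'wrong tag' on this, so the server answered "
                "with something other than an OCSP response")
    try:
        name, has_basic = parse_ocsp_response(body)
    except ValueError as exc:
        return f"malformed OCSPResponse: {exc}"
    if name != "successful":
        return f"OCSPResponse status={name}: responder refused or failed the request"
    return ("OCSPResponse status=successful, BasicOCSPResponse present" if has_basic
            else "OCSPResponse status=successful but no responseBytes")


# Constructed samples (assumed values, not captured from the page's server)
DER_UNAUTHORIZED = bytes.fromhex("30030a0106")       # OCSPResponse { unauthorized }
DER_OK = bytes.fromhex("30170a0100a0123010"          # successful + responseBytes
                       "06092b0601050507300101"      # id-pkix-ocsp-basic
                       "0403010203")                 # OCTET STRING placeholder


def _http(status: str, ctype: str, body: bytes) -> bytes:
    return (f"HTTP/1.0 {status}\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii") + body


RAW_OK = _http("200 OK", "application/ocsp-response", DER_OK)
RAW_UNAUTHORIZED = _http("200 OK", "application/ocsp-response", DER_UNAUTHORIZED)
RAW_HTML = _http("200 OK", "text/html", b"<html><body>default vhost</body></html>")
RAW_404 = _http("404 Not Found", "text/html", b"<html>Not Found</html>")

if __name__ == "__main__":
    print(build_ocsp_post("ocsp.example.test", "/cgi-bin/ocsp", DER_UNAUTHORIZED))
    for label, raw in [("ok", RAW_OK), ("unauth", RAW_UNAUTHORIZED),
                       ("html", RAW_HTML), ("404", RAW_404)]:
        print(f"{label:7s} {diagnose(raw)}")
```

To use this against a live responder, capture the raw reply (for example with openssl s_client or a packet capture) and pass the bytes to diagnose(); the RAW_HTML case is the one that reproduces the thread's ASN.1 "wrong tag" symptom, since the body begins with '<' (0x3c) instead of the SEQUENCE tag.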