> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Tuesday, 16 July, 2013 11:13

> I was able to piece together a test application (enclosed 
> below) which loads an x509 file and performs 
> an OCSP request programmatically. I created a server to dump 
> what is written at the port. <snip> 
> It looks like it created the OCSP request but I want to use 
> the openssl ocsp server command to verify it.
> 
You don't need to verify an OCSP request, you do need 
to respond to it, and commandline ocsp does that. 
The OCSP response is then used to validate the subject 
cert (after the response itself is verified).

> I have files rsa.pem and RSApublic.x509.0.cert created 
> already for testing.
> I want to use the openssl ocsp command to test this
> sample program that is sending an OCSP request. To start the 
> server I use
> this openssl command
> 
> openssl ocsp -CAfile rsa.pem -issuer rsa.pem  -url http://127.0.0.1:8080 -resp_text
> 
That doesn't run a server aka responder. Those options, 
with correct data, might run an ocsp *requester*.
You already have coded a requester.

> But of course I get an error.
> 
> unable to load certificate
> 22315:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
> 
Apparently rsa.pem isn't a cert. What is it?

> 
> So what is the setup for this ocsp command since I already 
> have a PEM and an
> X509 created already? Basically I just want a client to 
> programmatically
> perform an OCSP request for verifying an x509.
> 
To run openssl commandline 'ocsp' as a server/responder, 
you need to give it an index.txt file. If the cert(s) 
you want it to handle requests for were issued by openssl 
commandline 'ca', that already built the index.txt file.
If so, read the man page under 'OCSP SERVER OPTIONS'.
Otherwise you'll have to construct it by hand which isn't 
going to be easy.

<snip code>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
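
The hand-built index.txt mentioned in the reply, as an added example that is not part of the original message and not OpenSSL's own code. It assumes the six tab-separated fields that `openssl ca` writes (status, expiry, revocation date and reason, serial in hex, file name, subject); the function names, the sample certificate data and the `openssl x509` invocation in the comment are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the output of (assumed invocation):
#   openssl x509 -in cert.pem -noout -serial -enddate -subject -nameopt compat
SAMPLE = """serial=3e8
notAfter=Jul  6 11:13:00 2014 GMT
subject= /C=US/O=Example/CN=test.example
"""

def _asn1_time(dt):
    # UTCTime (two-digit year) through 2049, GeneralizedTime from 2050 on.
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ")

def parse_x509_summary(text):
    """Return (serial_hex, not_after, subject) from the three key=value lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    missing = {"serial", "notAfter", "subject"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    end = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return fields["serial"], end.replace(tzinfo=timezone.utc), fields["subject"]

def index_line(serial_hex, not_after, subject, revoked_at=None, reason=None):
    """One index.txt row: status, expiry, revocation, serial, file, subject."""
    serial = format(int(serial_hex, 16), "X")   # rejects non-hex, upper-cases
    if len(serial) % 2:                         # serial is matched as a string,
        serial = "0" + serial                   # so keep whole bytes: 3E8 -> 03E8
    if not subject.startswith("/") or "\t" in subject:
        raise ValueError("subject must look like /C=../CN=.. with no tabs")
    status, revocation = "V", ""
    if revoked_at is not None:
        status = "R"
        revocation = _asn1_time(revoked_at) + (f",{reason}" if reason else "")
    return "\t".join(
        [status, _asn1_time(not_after), revocation, serial, "unknown", subject])

if __name__ == "__main__":
    print(index_line(*parse_x509_summary(SAMPLE)))
```

The resulting file is what the responder reads through `-index`, alongside `-CA`, `-rsigner`, `-rkey` and `-port` as described under 'OCSP SERVER OPTIONS' in the man page.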