On 5.10.2015 17:11, Dr. Stephen Henson wrote:
On Mon, Oct 05, 2015, Walter H. wrote:

Hello,

attached is the certificate and its chain of  https://revoked.grc.com/

doing this:

openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2

gives the following:

OCSP Request Data:
     Version: 1 (0x0)
     Requestor List:
         Certificate ID:
           Hash Algorithm: sha1
           Issuer Name Hash: 45658DA20174402FF48B3A6AC0BC69208095C7CA
           Issuer Key Hash: 96ADFAB05BB983642A76C21C8A69DA42DCFEFD28
           Serial Number: 112155688D380775DA34C5DF97433ED3F6A7
Error querying OCSP responsder
139928584042312:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

where is the problem behind this strange error?

Some OCSP responders need the host header, try adding:

         -header Host ocsp2.globalsign.com
Thanks for this hint;

When doing this

openssl ocsp -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -no_nonce -issuer issuer.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2 -header Host ocsp2.globalsign.com

ca-bundle.trust.crt is the certstore of my centos
issuer.pem is the intermediate certificate that was used to sign cert.pem
cert.pem is the certificate that should be checked

then I get this error:

Response Verify Failure
139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
srvr.pem: revoked
        This Update: Oct 13 07:20:48 2015 GMT
        Next Update: Oct 16 07:20:48 2015 GMT
        Reason: unspecified
        Revocation Time: Apr 23 15:44:10 2014 GMT

when I use chain.pem (contains both the intermediate and the root certificate) as -CAfile
then it works;

I want to do the following:

I get the server certificate and the chain except for the root;
and then I want to verify with this, if the certificate is valid, revoked or has expired

so I have 3 files

cert.pem   the certificate itself
issuer.pem  the intermediate that was used to sign the certificate
chain.pem any certificate of the chain except the certificate itself and the root
the following script should do the job ...

#!/bin/sh
CAFILE=/etc/pki/tls/certs/ca-bundle.trust.crt   # system trust store
CERT=srvr.pem                                   # certificate to check
ISSUER=issuer.pem                               # intermediate that signed $CERT

# responder URL from the certificate's AIA extension, and its host part for the Host: header
OCSPURL=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
OCSPHOST=$(echo "$OCSPURL" | gawk -F/ '{ print $3 }' -)

openssl ocsp -CAfile "$CAFILE" -no_nonce -issuer "$ISSUER" -cert "$CERT" -url "$OCSPURL" -header Host "$OCSPHOST"

but fails with

139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate

why?

it can't be the solution to generate a new "cert store" (the concatenation of chain.pem and the real cert store) for each certificate I want to verify ...

Thanks,
Walter

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

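An added example, not code from the thread or from OpenSSL, that rebuilds the situation above offline so it can be studied without GlobalSign's responder: a throw-away root, an intermediate, a leaf, and a delegated OCSP signer issued by the intermediate (a common responder layout, and the one the quoted "unable to get local issuer certificate" points at). The request is built as in the thread, answered by openssl's own -index responder instead of over HTTP, and then verified once against the root alone and once against root plus intermediate (what chain.pem contained). The Host value is derived from -ocsp_uri with shell parameter expansion rather than gawk, so the script needs only the openssl binary. All names, keys, the serial 0x1001, the revocation date, the index.txt contents and the URL http://ocsp.example.test/gsdomainvalg2 are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Every key,
# certificate, name, serial and URL below is constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

OCSP_URL=http://ocsp.example.test/gsdomainvalg2   # constructed; not a real responder

# issue NAME SERIAL ISSUER EXTFILE: key + CSR + certificate signed by ISSUER
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$2" \
        -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# root -> intermediate -> { leaf, delegated OCSP signer }. The responder
# certificate is issued by the intermediate, so verifying a response means
# building a chain signer -> intermediate -> root; a store holding only
# the root cannot complete that chain unless the intermediate arrives some
# other way.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
    printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=OCSP;URI:%s\n' "$OCSP_URL" > leaf.ext
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -x509 -new -key root.key -subj /CN=root -days 30 -out root.pem 2>/dev/null
    issue int  0x10   root ca.ext
    issue ocsp 0x20   int  ocsp.ext
    issue leaf 0x1001 int  leaf.ext
    # CA database for the built-in responder: R = revoked; serial is upper-case hex without 0x
    printf 'R\t300101000000Z\t240423154410Z\t1001\tunknown\t/CN=leaf\n' > index.txt
    cat root.pem int.pem > trusted.pem   # same content as the thread's chain.pem
}

# Host header value for the certificate's OCSP URL (keeps a :port if one is present)
ocsp_host() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    host=${url#*://}
    printf '%s\n' "${host%%/*}"
}

# Build the request as in the thread, then answer it locally with openssl's
# responder instead of posting it to a server. The responder includes its
# own certificate in the response but not the intermediate.
make_response() {
    openssl ocsp -no_nonce -issuer int.pem -cert leaf.pem -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA int.pem -rsigner ocsp.pem -rkey ocsp.key \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    [ -s resp.der ]
}

# verify_with STOREFILE: returns 0 only if the response verifies against
# STOREFILE and the leaf is reported revoked; prints openssl's output indented
verify_with() {
    out=$(openssl ocsp -respin resp.der -no_nonce -issuer int.pem -cert leaf.pem \
          -CAfile "$1" 2>&1) || true
    printf '%s\n' "$out" | sed 's/^/    /'
    printf '%s\n' "$out" | grep -q 'Response verify OK' &&
    printf '%s\n' "$out" | grep -q '^leaf.pem: revoked'
}

build_pki
make_response
echo "Host header: $(ocsp_host leaf.pem)"
for store in root.pem trusted.pem; do
    echo "-CAfile $store:"
    if verify_with "$store"; then echo "    => verified, revoked"; else echo "    => not verified"; fi
done
```

Run it with sh; it prints the derived Host value and openssl's verdict for each store. Whether the root-only store reproduces the thread's "unable to get local issuer certificate" depends on the OpenSSL release (newer releases consult more certificates when building the signer's chain), so the script reports that outcome instead of assuming it; the root-plus-intermediate store verifies because the signer's issuer is then trusted directly, which is exactly what the thread observed with chain.pem.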