RE: [openssl-users] OpenSSL OCSP

2012-08-16 Thread adrien pisarz


Hi,

The tests were made on a 0.9.8 version. I will update to a 1.0 or higher
and keep you informed.

Regards,
Adrien

PS: does anyone know why the engine option is not available with ocsp and
the private key must be in a file instead of being stored securely in a HSM?

From: smad...@adobe.com
To: openssl-users@openssl.org
CC: apis...@hotmail.com
Date: Tue, 14 Aug 2012 11:29:53 -0700
Subject: RE: [openssl-users] OpenSSL OCSP


Hi Adrien,

Just out of curiosity, what version of OpenSSL are you using? I can
get OCSP to work with version 0.9.8, but not 1.0 or later, and I'm looking to
see if anyone else has had any luck with the current version.

Thanks,
Steve
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Erwann Abalea
Sent: Tuesday, August 14, 2012 10:35 AM
To: openssl-users@openssl.org
Cc: adrien pisarz
Subject: Re: [openssl-users] OpenSSL OCSP
  

Re: [openssl-users] OpenSSL OCSP

2012-08-16 Thread Erwann Abalea

On 16/08/2012 18:38, adrien pisarz wrote:
> PS: does anyone know why the engine option is not available with ocsp
> and the private key must be in a file instead of being stored securely in a HSM?


As said by Dr Henson, this is only a testing tool, not a production 
service. If you need a production-grade system, you'll have to write 
your own using the API.


--
Erwann ABALEA



Re: [openssl-users] OpenSSL OCSP

2012-08-14 Thread Erwann Abalea

Hello,

Answers inline.

--
Erwann ABALEA

On 14/08/2012 19:03, adrien pisarz wrote:

> Hi,
>
> I have several questions about the ocsp functionality. I read many
> articles before asking those questions and unfortunately I still don't
> have the answers. Maybe you can help me.
>
> First of all, here is my ocsp configuration:
> openssl ocsp -index index_prod.txt -CAfile OpCA.pem -rsigner ocsp.crt
> -rkey ocsp.key -port 3456 -text  -out /home/userocsp/ocsp_responder.log
>
> The index file is populated by a self-made script,
> the ocsp.crt (resp. key) is a certificate (resp. key) which contains
> the ocsp signature extensions,
> the OpCA.pem contains the sub-CA certificate.
>
> Here are my questions:
> 1. Why does the ocsp client work only if -VAfile is set, and otherwise I
> get a signature error? Is there a way to solve this issue?

Maybe because the responder is not one of:
 - the CA that signed the certificate you're requesting the status on
 - a designated responder directly signed by the CA that signed the
certificate you're requesting the status on

Reread RFC 2560. If you're instantiating the third possible responder
type (trusted responder whose public key is trusted by the requester),
then you obviously need to inform the client/requester. You didn't
provide elements on who signed whom, so that's just a guess.

> 2. If I want to manage several sub-CAs, should I open a port for each sub-CA?

With the command-line tool, yes. If you need to have more CAs, then you
could probably try something more suited than the command-line tools.
The command-line tool also doesn't respond to GET requests, only POST ones.

> 3. Why does the ocsp responder require that all the certificates (even the
> valid ones) be present in the index.txt in order to provide a
> correct answer? I expected that openssl would check the
> certificate signature and, if the serial is not present in the
> index.txt, answer good and not unknown.

Design choice. You're giving the responder a database, so it is supposed to
know *all* the certificates.
OCSP can be based on CRLs (black-list), but that's not implemented by
the tool. If that's what you want, you'll have to write your own.

> 4. As said, the openssl responder is working but an IHS server is not
> able to validate its answer and I got those errors:
>
> [...]
> Does anyone know how to configure an IHS with an openssl ocsp responder?

You may ask your provider for this, not OpenSSL.

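The script below is an added, self-contained demonstration of the two points above (the responder-trust cases behind question 1 and the index-lookup behaviour behind question 3); it is not part of the thread and not code from Adrien or Erwann. It assumes only an openssl command-line binary (1.1 or later) and uses the tool's file mode (-reqin/-respout) instead of -port, so no listener is opened. The CA, the two responder certificates, the two end-entity certificates, the serial numbers, the subject names and the dates written into index.txt are all constructed for the demo:

```sh
#!/bin/sh
# Added demo (not from the thread): the openssl ocsp tool in file mode.
# Every name, serial and date below is constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a CA, a designated responder (id-kp-OCSPSigning EKU,
# RFC 2560 responder type 2), an otherwise identical signer without that
# EKU, and an end-entity profile.
cat > ocsp.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ v3_plain ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF

# issue NAME SERIAL SECTION: key + CSR + certificate signed by ca.key
issue() {
    openssl req -new -config ocsp.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
        -days 1 -extfile ocsp.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

make_pki() {
    openssl req -x509 -config ocsp.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -subj /CN=Demo-CA -days 2 2>/dev/null
    issue ocsp-delegated 0x1001 v3_ocsp
    issue ocsp-plain     0x1002 v3_plain
    issue leaf-good      0x2001 v3_leaf
    issue leaf-revoked   0x2002 v3_leaf
    # index.txt in 'openssl ca' layout: status, expiry, revocation date[,reason],
    # serial (hex), file, subject. Serial 0x2003 is deliberately absent.
    printf 'V\t301231235959Z\t\t2001\tunknown\t/CN=leaf-good\n' > index.txt
    printf 'R\t301231235959Z\t240101000000Z,keyCompromise\t2002\tunknown\t/CN=leaf-revoked\n' >> index.txt
}

# One request covering both leaves plus a serial the index never saw.
make_request() {
    openssl ocsp -issuer ca.crt -cert leaf-good.crt -cert leaf-revoked.crt \
        -serial 0x2003 -no_nonce -reqout req.der >/dev/null
}

# sign_response SIGNER OUTFILE: answer req.der from index.txt, signing as SIGNER.
sign_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
        -ndays 1 -no_nonce -reqin req.der -respout "$2" >/dev/null
}

# check RESPFILE [extra options]: client-side verification trusting only ca.crt.
# Exit status is openssl's: 0 on "Response verify OK", 1 on verify failure.
check() {
    resp=$1; shift
    openssl ocsp -respin "$resp" -issuer ca.crt -cert leaf-good.crt \
        -cert leaf-revoked.crt -serial 0x2003 -no_nonce -CAfile ca.crt "$@"
}

# status_of RESPFILE NAME: the status the client prints for NAME.
status_of() {
    check "$1" 2>/dev/null | awk -v n="$2:" '$1 == n { print $2 }'
}

make_pki
make_request
sign_response ocsp-delegated resp-delegated.der
sign_response ocsp-plain     resp-plain.der

echo "== designated responder (OCSPSigning EKU, issued by the CA): -CAfile is enough"
check resp-delegated.der
echo "== same chain, signer without the OCSPSigning EKU: verification fails"
check resp-plain.der || echo "(failed as expected)"
echo "== ... unless the client trusts that responder key explicitly via -VAfile"
check resp-plain.der -VAfile ocsp-plain.crt
echo "== serial 0x2003 is not in index.txt, so the responder says: $(status_of resp-delegated.der 0x2003)"
```

The first verification succeeds with nothing but the CA certificate because the signer is issued directly by the CA and carries the OCSPSigning extended key usage, which is what the client checks for a delegated responder. The second fails on the same chain purely because that extension is missing. Passing -VAfile turns on OCSP_TRUSTOTHER in the client, which treats the listed responder certificate as explicitly trusted and skips the chain and delegation checks; that is the third responder type Erwann mentions, and it is why the client has to be told about it. The last line shows the database behaviour from answer 3: a serial the index has never seen is answered "unknown", not "good".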


RE: [openssl-users] OpenSSL OCSP

2012-08-14 Thread adrien pisarz


Hi,

Thanks for your reply and all the information provided.

Regarding question 3, you are right, I want to have an OCSP responder based
on a CRL. For information, the index file is written by parsing a CRL file,
but I don't want to write into this file all the valid certificates, as an
enrolment may be done and my index file may not be synchronized.

I have another question: why is the engine option not available with the ocsp
options? Is it not possible to have the key embedded in a HSM?

Regards,
Adrien

Date: Tue, 14 Aug 2012 19:35:12 +0200
From: erwann.aba...@keynectis.com
To: openssl-users@openssl.org
CC: apis...@hotmail.com
Subject: Re: [openssl-users] OpenSSL OCSP

Re: [openssl-users] OpenSSL OCSP

2012-08-14 Thread Dr. Stephen Henson
On Tue, Aug 14, 2012, adrien pisarz wrote:

> For information, the index file is written by parsing a CRL file but I
> don't want to write into this file all the valid certificates as an
> enrolment be done and my index file may not be synchronized. I have
> another question, why the engine option is not available with the ocsp
> options? It's not possible to have the key embedded in a HSM?

You should note that the ocsp utility responder functionality is only meant to
be used for test purposes. It isn't really usable as a full blown responder:
it can only handle one request at a time for example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org