Today, 4 October 2010, shizumi wrote:
> I am using the openssl test tool with this command:
>
> openssl.exe ocsp -issuer "issuer.pem" -CAfile "CACert.pem" -cert
> "Certificate.pem" -url http://192.168.0.235:8080/myCA/publicweb/status/ocsp
>
> My CACert and issuer cert have already expired.

If either the CA cert or the user cert has expired, then asking for a revocation status is not necessary: the certificate is not currently valid. The X.509 standard says that the CA warrants to maintain information about the status of the certificate during its validity period (validity of the issued certificate).

> But it still returns me "respond
> verify OK". I see in my CA server it shows me the error "cannot found in
> database".

Strange. Are you sure you're asking the right CA? Did you use the "-updatedb" option of the "openssl ca" command to delete expired certificates from its database? If yes, then you've got the reason for this message.

From the CA, it's dangerous to reply with an OK status when this certificate can't be found (an unknown status would be better). But in the end, everything has expired, so that's not really a problem.

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
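Added example, not part of the original message and not OpenSSL project code: a shell wrapper that checks the validity period before querying OCSP, as the reply recommends, and then reads the `openssl ocsp` output with `Response verify OK` (the response's signature verified) kept separate from the per-certificate `good`/`revoked`/`unknown` line. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# cert_in_validity FILE: exit 0 if the certificate's notAfter date has not passed.
cert_in_validity() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# ocsp_verdict NAME: reads combined stdout+stderr of `openssl ocsp` on stdin and
# prints one word: good | revoked | unknown | no-status | unverified.
# A status line is only trusted when the response signature verified.
ocsp_verdict() {
    name=$1 verified=no status=no-status
    while IFS= read -r line; do
        case $line in
            "Response verify OK") verified=yes ;;
            "$name: good"|"$name: revoked"|"$name: unknown") status=${line##*: } ;;
        esac
    done
    if [ "$verified" = yes ]; then echo "$status"; else echo unverified; fi
}

# check_cert CERT ISSUER CAFILE URL: live query, skipped when anything has expired.
check_cert() {
    if ! cert_in_validity "$1" || ! cert_in_validity "$2"; then
        echo expired
        return 0
    fi
    openssl ocsp -issuer "$2" -CAfile "$3" -cert "$1" -url "$4" 2>&1 |
        ocsp_verdict "$1"
}

# Constructed sample outputs (not captured from the poster's CA).
SAMPLE_GOOD='Response verify OK
Certificate.pem: good
    This Update: Oct  4 08:00:00 2010 GMT'
SAMPLE_UNKNOWN='Response verify OK
Certificate.pem: unknown
    This Update: Oct  4 08:00:00 2010 GMT'
SAMPLE_BADSIG='Response Verify Failure
Certificate.pem: good
    This Update: Oct  4 08:00:00 2010 GMT'

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_GOOD" "$SAMPLE_UNKNOWN" "$SAMPLE_BADSIG"; do
    printf '%s\n' "$sample" | ocsp_verdict Certificate.pem
done
```

For a live check, call `check_cert Certificate.pem issuer.pem CACert.pem <responder URL>`; it prints `expired` without contacting the responder when either certificate is past its notAfter date.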