*Thanks for the quick answer*, actually command line is good as it would be
done in a child process using a secure vault for password creation that no
admin knows anyway or makes up.
No human involved is always the best solution. Can't trust those humans.
Thanks.
I enclosed the correct code
> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Thursday, 18 July, 2013 11:03
> *I found the issue and fixed it but that leads to a question
> of security*
> The error is here. The x509 that I want to check I also provide as the
> issuer
> since it was issued by the same issu
*I found the issue and fixed it but that leads to a question of security*
The error is here. The x509 that I want to check I also provide as the
issuer
since it was issued by the same issuer.
x <== is the X509 loaded
req->url = url;
req->cert = x;
req->issuer = x;
but instead
Yes this does work good
openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text -url http://127.0.0.1:8082
and returns the good though there is a verify failure.
Response Verify Failure
140735283018172:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:
On Thu, Jul 18, 2013, redpath wrote:
>
> I then run this command
>
> *openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text *
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: *D56D194
On Thu, Jul 18, 2013, redpath wrote:
> *To recap I cleaned all the directories to assure nothing is wrong in them.*
> *I still get an unknown response.*
> These commands were run from a directory and produced the following output
> to set up the OpenSSL OCSP Server
>
> *The output of the server is*
*To recap I cleaned all the directories to assure nothing is wrong in them.*
*I still get an unknown response.*
These commands were run from a directory and produced the following output
to set up the OpenSSL OCSP Server
*rm -R demoCA
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
cd demoCA
On Wed, Jul 17, 2013, redpath wrote:
> Got the OCSP Server to respond to the test OCSP request program nicely.
> *Of course one more question.*
>
> I simply had to set up the infrastructure for the OCSP server excerpted
> below.
> to create the signing key and directories.
>
> mkdir demoCA
> mkd
Got the OCSP Server to respond to the test OCSP request program nicely.
*Of course one more question.*
I simply had to set up the infrastructure for the OCSP server excerpted
below.
to create the signing key and directories.
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
chmod demoCA
tou
> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Tuesday, 16 July, 2013 11:13
> I was able to piece together a test application (enclosed
> below) which loads an x509 file and performs
> an OCSP request programmatically. I created a server to dump
> what is written at the po
I was able to piece together a test application (enclosed below) which loads
an x509 file and performs
an OCSP request programmatically. I created a server to dump what is written
at the port.
The result is shown below.
POST
[ /][Content-Type:application/ocsp-request]
[Content-Length:113]
0o0m0F0
On Tue, Jul 16, 2013, redpath wrote:
> To make this more clear, I simply have an X509 and want to programmatically
> create an OCSP request to check status for the cert.
>
You also need the CA certificate as the hash of the CA public key is
needed.
> There are no examples other than openssl comm
> There are no examples other than openssl commands, I have a program on a
> device and need to programmatically check x509 periodically.
That is generally true of most openssl-based "applications"
You'll have to start by reading and learning apps/ocsp.c
/r$
--
Principal Security Eng
To make this more clear, I simply have an X509 and want to programmatically
create an OCSP request to check status for the cert.
There are no examples other than openssl commands, I have a program on a
device and
need to programmatically check x509 periodically.
Thanks in advance.