It was reported to me that one of our certificates is not verifying via
OCSP (it gets an 'unauthorized answer'), so I am trying to determine
what is causing that.

I grabbed one cert and the root bundle and did the following:

    openssl ocsp -CA IPS-IPSCABUNDLE.CRT -issuer IPS-IPSCABUNDLE.CRT \
        -cert /tmp/cert -url http://ocsp.ipsca.com/ -resp_text

This resulted in the cert being spit out, and then this at the bottom:

Response Verify Failure
14370:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
/tmp/cert: good
           This Update: Jun  2 17:21:38 2008 GMT
           Next Update: Jun  9 17:21:38 2008 GMT

Does this mean that the OCSP response is good?

How can I get the root CA error resolved?  I wasn't sure if the CA and
the issuer should be the same in this case?  The file I was using is a
bundle file with the intermediate and root cert (from
http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT).

Finally, is there a simpler command I can use, perhaps with openssl
s_client to do the ocsp check with the values presented in the
certificate's extensions (such as where the OCSP url is, etc.), rather
than having to download them all and try and piece them together
properly?

Thanks!
Micah
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
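
The output quoted in the message carries two separate results: whether the OCSP response's own signature verified ("Response Verify Failure") and the certificate status the response contains ("good"). As an added example, not part of the original post, this shell function reads `openssl ocsp` output and reports a status as trusted only when the response itself verified; the helper names and verdict strings are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: separate "did the response verify?" from "what status does
# it carry?" when reading `openssl ocsp` output.

# ocsp_verdict (hypothetical helper): reads openssl ocsp stdout+stderr on
# stdin and prints trusted:<status>, unverified:<status>, or error.
ocsp_verdict() {
    awk '
        /^Response verify OK/      { ok = 1 }
        /^Response Verify Failure/ { failed = 1 }
        # The final status line is unindented: "<cert file>: good|revoked|unknown".
        # The indented "Cert Status:" line printed by -resp_text is skipped.
        /^[^ \t].*: (good|revoked|unknown)$/ {
            n = split($0, parts, ": ")
            status = parts[n]
        }
        END {
            if (status == "") { print "error"; exit }
            prefix = (ok && !failed) ? "trusted:" : "unverified:"
            print prefix status
        }'
}

# Output lines as quoted in the post above.
sample_failure() {
    cat <<'EOF'
Response Verify Failure
14370:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:
/tmp/cert: good
           This Update: Jun  2 17:21:38 2008 GMT
           Next Update: Jun  9 17:21:38 2008 GMT
EOF
}

# Constructed sample: the same status after a successful verification.
sample_ok() {
    cat <<'EOF'
Response verify OK
/tmp/cert: good
           This Update: Jun  2 17:21:38 2008 GMT
           Next Update: Jun  9 17:21:38 2008 GMT
EOF
}

sample_failure | ocsp_verdict   # prints unverified:good
```

To use it on a live check, pipe both streams into the function, for example by appending `2>&1 | ocsp_verdict` to the `openssl ocsp` command.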