Hi,
Sorry, I forgot the -cert option during the query.
Nicolas.
On 13/06/2013 11:34, Nicolas ROCHE wrote:
Hello,
I'm beginning with TSA and I'm wondering if it is possible to validate
a timestamp request against a unique (self signed) certificate.
Now I can do:
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem -untrusted demoCA/tsacert.pem
I added the 'cacert.pem' certificate to the trusted directory (hash
symlink) but it didn't help:
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem
signer certificate not found
Please, may someone tell me what I'm missing?
Nicolas.
Here is my testing environment (on Debian wheezy):
#!/bin/bash
# Configuration
cp /etc/ssl/openssl.cnf .
sed -i -e 's/\# extendedKeyUsage/extendedKeyUsage/' openssl.cnf
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 0001 > demoCA/serial
echo 0001 > demoCA/tsaserial
export OPENSSL_CONF=$PWD/openssl.cnf
# CA Cert (no password for the script usage!)
openssl genrsa 1024 > demoCA/private/cakey.pem
openssl req -new -x509 -days 365 -key demoCA/private/cakey.pem \
    > demoCA/newcerts/cacert.pem << EOF
FR
France
Ulis
Me
RD
CA-Me
nro...@me.fr
EOF
cp demoCA/newcerts/cacert.pem demoCA
# TSA Cert
openssl genrsa 1024 > demoCA/private/tsakey.pem
openssl req -new -key demoCA/private/tsakey.pem > tsacert.csr << EOF
FR
France
Ulis
Me
RD
CA-Me
nro...@me.fr
EOF
openssl ca -in tsacert.csr > demoCA/newcerts/tsacert.pem << EOF
y
y
EOF
cp demoCA/newcerts/tsacert.pem demoCA
# Token query
cowsay yé > file.txt
openssl ts -query -data file.txt -policy tsa_policy1 > file.tsq
openssl ts -query -in file.tsq -text
# Token reply
openssl ts -reply -queryfile file.tsq -inkey demoCA/private/tsakey.pem \
    -signer demoCA/tsacert.pem > file.tsr
openssl ts -reply -in file.tsr -text
# Token validation
openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile \
    demoCA/cacert.pem -untrusted demoCA/tsacert.pem
openssl ts -verify -data file.txt -in file.tsr -CAfile \
    demoCA/cacert.pem -untrusted demoCA/tsacert.pem
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
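
The effect of `-cert` described in this thread, as an added example that is not part of the original messages: the same query is verified against the CA alone, once without and once with `-cert`. It assumes `openssl` is on the PATH; the file names, the `[tsa_demo]` section, the subject names and the policy OID are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names (tsa.cnf, [tsa_demo], Demo CA/TSA, policy OID) are constructed.

# Build a throwaway CA and TSA in a temp dir and cd into it (later calls use relative paths).
setup_tsa() {
    cd "$(mktemp -d)" || return 1
    cat > tsa.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[tsa_ext]
extendedKeyUsage = critical,timeStamping
[tsa]
default_tsa = tsa_demo
[tsa_demo]
serial = ./tsaserial
signer_cert = ./tsacert.pem
signer_key = ./tsakey.pem
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
    echo 01 > tsaserial
    echo 'constructed sample data' > file.txt
    openssl req -x509 -newkey rsa:2048 -nodes -config tsa.cnf -extensions ca_ext \
        -subj '/CN=Demo CA' -keyout cakey.pem -out cacert.pem 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config tsa.cnf \
        -subj '/CN=Demo TSA' -keyout tsakey.pem -out tsa.csr 2>/dev/null &&
    openssl x509 -req -in tsa.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -extfile tsa.cnf -extensions tsa_ext -out tsacert.pem 2>/dev/null
}

# $1 is an extra query option: "" or "-cert". Left unquoted so "" disappears.
# Verification trusts only the CA; no -untrusted tsacert.pem is supplied.
verify_ca_only() {
    openssl ts -query -config tsa.cnf -data file.txt -sha256 $1 -out q.tsq &&
    openssl ts -reply -config tsa.cnf -queryfile q.tsq -out r.tsr 2>/dev/null &&
    openssl ts -verify -queryfile q.tsq -in r.tsr -CAfile cacert.pem
}

setup_tsa || exit 1
verify_ca_only ""    || echo "without -cert: fails, the reply carries no signer certificate"
verify_ca_only -cert && echo "with -cert: verifies against the CA alone"
```

With `-cert` in the query the TSA embeds its signing certificate in the response, so the verifier needs only the CA as trust anchor.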