
Re: OCSP Index File


Nagendra_U_M

Mar 5, 2010, 1:41:48 AM
Hi All,

I just started working on OCSP...
And I am trying to set up an OCSP responder using the OpenSSL CLI commands.
Right now, my index.txt file is blank and zero-size (created using the
"touch" command).

I want to know how to fill revocation information into the index.txt
file, and in what format (so that I can get a "BAD" OCSP response for
revoked certs).

Also, the zero-size index.txt file results in an "UNKNOWN" OCSP response all
the time.
What do I need to do so that my OCSP responder returns a "GOOD" response for
those certs NOT in the revoked list?

My CRL is generated in *.pem X.509 format. How can I convert that into
revocation info stored inside the index.txt file?

I request you to kindly clarify.

Regards,
Nagendra U M

varma d wrote:
>
> Hi,
> Today I was very much excited to see this mailing list on OpenSSL. I
> searched several messages and it's great to see that people here are
> helping others.
> I need your help.
>
> I read tutorials on OCSP from http://openvalidation.org about using OCSP
> in openssl,
> I have a couple of questions.
> 1) I used the following command to send an OCSP request and get a response
> from the OCSP responder.
>
> openSSL>ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile
> OCSPServer.pem -cert User.pem
>
> When I am executing this command, I am getting a response from the OCSP
> responder stating that the certificate status is good.
> (I have taken this command/files from openvalidation.org
> (http://www.openvalidation.org/useserviceopenssl.htm))
>
> But, in this command what is the purpose of OCSPServer.pem? I still don't
> understand the purpose of OCSPServer.pem as we need to just send our
> request and expect a response from the OCSP responder irrespective of the
> OCSPServer.pem file.
>
> If I give my URL as http://ocsp.verisign.com, how can I get Verisign's
> OCSPServer.pem? Also, how can I get the
> latest OCSPServer.pem file for the given URL?
>
> 2) I tested by giving latest user certificates other than
> openvalidation.org certificates, but I am
> getting this error:
>
> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
>
> For this, do I need to update my OCSPServer.pem file?
>
>
> Thank you for your time and consideration.
>
> I would be grateful to you if you would help me out as I am spending a lot
> of time on understanding this.
>
> Please help me out.
>
> Thanks,
> vv
>
>

--
View this message in context: http://old.nabble.com/please-help-me-on-OCSP-tp643677p27790411.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Patrick Patterson

Mar 5, 2010, 11:26:51 AM
On March 5, 2010 01:41:48 am Nagendra_U_M wrote:
> Hi All,
>
> I just started working on OCSP...
If I may ask, what are you working on - writing a client, or writing a server,
or using it in some other way?

> And I am trying to set up an OCSP responder using the OpenSSL CLI commands.
> Right now, my index.txt file is blank and zero-size (created using the
> "touch" command).
>

You are aware of the warnings that are all over the CLI OCSP bits that say
"for testing only, do NOT use as a real production OCSP responder" - right? :)

> I want to know how to fill in revocation information into the index.txt
> file, and in what format? (so that I can get a "BAD" OCSP response for
> revoked certs).
>

Same as the format generated by the openssl ca command.

> Also, the zero-size index.txt file results in an "UNKNOWN" OCSP response
> all the time.
> What do I need to do so that my OCSP Responder returns a "GOOD" response
> for those certs NOT in the revoked list??
>

The OCSP responder MUST only respond "good" for certificates it absolutely
knows about - if it is uncertain of the status (i.e. that serial number does
not appear in the index.txt), then it MUST respond with unknown.

> My CRL is generated in *.pem X.509 format...How can I convert that into
> revocation info stored inside index.txt file??
>

Don't convert the CRL - you don't have enough information - use the index.txt
file from your CA directly. Keep in mind that for your responses to be
considered valid by just about all implementations out there, the OCSP
responder must either sign the responses with the CA's keys (bad idea, for a
number of good security reasons), or with a specific key and associated
certificate certified by the CA for the OCSP responder (with EKU OCSPSigning,
and preferably the ocsp-no-check extension defined to avoid chicken and egg
issues).

If you don't have the index.txt file from your CA, then either you are
probably not authorised to sign OCSP responses, so no matter what you do, a
proper client will fail; or your CA isn't an OpenSSL one but you ARE allowed
to publish OCSP status, in which case you need to find a way to export the
internal database of certificates used by that CA and translate it to the
format used by the openssl ca command.

A representative sample is below:

R 130110200751Z 100201142709Z,superseded 8E unknown /O=Example/CN=Foo
V 130119193554Z 8F unknown /O=Example/CN=Bar

Field 1: Status - R = Revoked, V = Valid
Field 2: Issued on (valid start)
Field 3: Revoked on (with a comma-separated value for the reason)
Field 4: Certificate serial number
Field 5: Unused - always "unknown"
Field 6: Subject DN of the certificate

The file is tab delimited, if I am not mistaken.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
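The lookup rule from the reply above (answer "good" only for a serial positively recorded as V in index.txt, "revoked" with its reason for an R row, and "unknown" for any serial the responder has no row for), as an added example in Python that is not from the thread or from OpenSSL. It parses the tab-delimited `openssl ca` index layout, in which the second field is the certificate's expiry (notAfter) date per the ca(1) man page (the sample's 2013 date in that field follows the 2010 revocation date, which is consistent with expiry); the sample rows, including the added E (expired) row, are constructed.

```python
from datetime import datetime, timezone

# Constructed sample index.txt, tab-delimited as `openssl ca` writes it:
# status, expiry (YYMMDDHHMMSSZ), revocation date[,reason] (empty for V),
# serial (hex), file name ("unknown"), subject DN. Row 3 is an expired entry.
SAMPLE_INDEX = (
    "R\t130110200751Z\t100201142709Z,superseded\t8E\tunknown\t/O=Example/CN=Foo\n"
    "V\t130119193554Z\t\t8F\tunknown\t/O=Example/CN=Bar\n"
    "E\t091231235959Z\t\t90\tunknown\t/O=Example/CN=Expired\n"
)

def _utctime(s):
    """Parse the UTCTime form used in index.txt (YYMMDDHHMMSSZ) as UTC."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _norm_serial(serial):
    """Upper-case hex without leading zeros, so '008e' and '8E' hit the same row."""
    return serial.strip().upper().lstrip("0") or "0"

def parse_index(text):
    """Return {serial: record} from index.txt content; malformed rows are skipped."""
    db = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            continue  # not a well-formed openssl ca row
        status, expiry, revoked, serial, _fname, subject = fields
        rec = {"status": status, "expiry": _utctime(expiry), "subject": subject,
               "revoked_at": None, "reason": None}
        if status == "R" and revoked:
            when, _, reason = revoked.partition(",")
            rec["revoked_at"] = _utctime(when)
            rec["reason"] = reason or None
        db[_norm_serial(serial)] = rec
    return db

def ocsp_status(db, serial):
    """(status, reason): 'good' only for a serial positively listed as V;
    a serial the responder has no row for is 'unknown', never 'good'."""
    rec = db.get(_norm_serial(serial))
    if rec is None:
        return ("unknown", None)
    if rec["status"] == "V":
        return ("good", None)
    if rec["status"] == "R":
        return ("revoked", rec["reason"])
    return ("unknown", None)  # 'E' (expired) rows: this example does not assert good
```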
