
OCSP_basic_verify error: root ca not trusted


Vladimir Belov

Jun 15, 2012, 3:29:14 PM
Hello.

I could connect to OpenSSL OCSP responder only by IPv6. But I have another error:
3908:error:2706A067:OCSP routines:OCSP_CHECK_DELEGATED:missing ocspsigning usage:.\crypto\ocsp\ocsp_vfy.c:350:
3908:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:.\crypto\ocsp\ocsp_vfy.c:148:

I made and adjusted a simple test Certification Authority.
I have a root CA and three certs issued and certainly signed by the root CA: 01.crt, 02.crt, 03.crt. Now I want to test
OpenSSL OCSP responder. I will test 01.crt for the revocation status and use 03.crt cert as the OCSP responder's
certificate. I added OCSPSigning extended key usage to the 03.crt:

openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out ocsp_resp_cert.pem

I start OpenSSL OCSP responder:

openssl ocsp -index index.txt -port 7777 -rkey cert3_pkey.pem -rsigner ocsp_resp_cert.pem -CA cacert.crt -text


After that I try to verify 01.crt via OCSP and I get the above error.
If I use the root CA as the OCSP responder's cert, all is OK: OCSP_basic_verify does not fail and I get OCSP status
"GOOD".

I see in the docs on openssl.org, ocsp(1), section "OCSP Response verification":

1) "Otherwise the issuing CA certificate in the request is compared to the OCSP responder certificate: if there is a
match then the OCSP verify succeeds."

This rule works. This is the case when the certificate of the OCSP responder is a root CA.

2) "Otherwise the OCSP responder certificate's CA is checked against the issuing CA certificate in the request. If there
is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify
succeeds."

This rule doesn't work, or I don't understand it, or I did something wrong.

Please say what I am doing wrong.



Regards,

Vladimir.


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Vladimir Belov

Jun 15, 2012, 4:45:12 PM
I made an error. I didn't actually add OCSPSigning extended key usage to the OCSP responder cert.

My attempt (which I found in the mailing list archive) was bad:
openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out ocsp_resp_cert.pem

"-addtrust" is another command for other purposes.

To add the OCSPSigning extended key usage to the OCSP responder cert we must use the "-extension" option when signing
the certificate request.

OCSP verification works now. The problem is closed.