I'm developing my own
First I just want to send an OCSP request with openssl to my responder and receive a correct answer.
I have a CA certificate CA.crt and its child RC.crt. I want to check the certificate status of
My responder signs the response with its own self-signed certificate (OCSPSigning key usage...) caOcsp.pem. (In RFC 2560 it is written "The key used to sign the response must belong to one of the following... A trusted Responder whose public key is trusted by the requester ...
So I just do:

```
openssl ocsp -issuer CA.crt -CAfile ..\caOcsp.pem -VAfile ..\caOcsp.pem -cert RC.crt -req_text -url http://localhost:8080/myServlet
```
In the openssl documentation:

-CAfile: file containing trusted certificates; these are **used to verify the signature on the OCSP response** (that's why I put my OCSP certificate there)

-VAfile: file **containing explicitly trusted responder certificates** (that's why I put my OCSP certificate there too...)

and I got the following response:

```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 19266539D5B4B518D4382B2D3779CBF53A6061D6
          Issuer Key Hash: 89B91685082EF65F5611F965E94422D602BE27DB
          Serial Number: 0A
    Request Extensions:
        OCSP Nonce:
            0410A75FEC94E252E5BDCA3FDABEEEC56CD7
Response Verify Failure
7744:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:.\crypto\ocsp\ocsp_vfy.c:85:
RC.crt: good
        This Update: May 13 08:40:52 2014 GMT
```
What have I forgotten? What is wrong?
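Added example, not part of the original question and not the asker's servlet: a POSIX shell script that builds a throwaway CA, a leaf certificate with serial 0A and a delegated OCSP signing certificate, then uses openssl's own offline responder mode (`-index`/`-reqin`/`-respout`) to produce responses and verifies them with the same client options as above. It reproduces the `signer certificate not found` failure when the response does not embed the signer certificate and the client is given nothing via `-VAfile`/`-verify_other`, and shows the same response verifying once `-VAfile` names the certificate that actually signed it. OpenSSL locates the signer through the ResponderID in the response, first among the `-VAfile`/`-verify_other` certificates and then among the certificates embedded in the response; `-CAfile` is only the trust store for chain building and never supplies the signer itself. Every file name, subject and serial is constructed for the demo; it assumes `openssl` 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added demo, not from the original post: reproduce and fix "signer certificate
# not found" with openssl's offline responder mode (-index/-reqin/-respout).
# Assumes openssl 1.1.1 or 3.x on PATH; every name, subject and serial is constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup_pki() {
    # One req config for every "openssl req" call, so no system openssl.cnf is needed
    cat > demo.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root CA (plays the role of CA.crt)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config demo.cnf \
        -keyout ca.key -out ca.crt 2>/dev/null
    # End-entity certificate whose status is queried (plays RC.crt; serial 0A as on the page)
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=leaf.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x0A \
        -days 30 -out leaf.crt 2>/dev/null
    # Delegated responder certificate: issued by the same CA, with the OCSPSigning EKU
    printf 'keyUsage = digitalSignature\nextendedKeyUsage = OCSPSigning\n' > ocsp.ext
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=Demo OCSP Responder" \
        -keyout ocsp.key -out ocsp.csr 2>/dev/null
    openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x0B \
        -days 30 -extfile ocsp.ext -out ocsp.crt 2>/dev/null
    # "openssl ca"-style index the responder answers from:
    # status, expiry, revocation date (empty), serial, file, subject; tab-separated
    printf 'V\t300101000000Z\t\t0A\tunknown\t/CN=leaf.example\n' > index.txt
    # The DER request a client would POST to the responder (no nonce, so the
    # stored response can be re-verified later without a nonce mismatch)
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
}

# Answer req.der as the responder would. Pass -resp_no_certs to omit the signer
# certificate from the response, which is when the client must supply it itself.
make_response() {
    out="$1"; shift
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -reqin req.der -respout "$out" -noverify "$@" >/dev/null 2>&1
}

# Verify a stored response the way the client on the page does and reduce
# openssl's output to a one-line verdict. Extra arguments are the trust options.
verify_response() {
    resp="$1"; shift
    output="$(openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin "$resp" "$@" 2>&1 || true)"
    case "$output" in
        *"Response verify OK"*)           echo "OK" ;;
        *"signer certificate not found"*) echo "FAIL: signer certificate not found" ;;
        *)                                echo "FAIL: $output" ;;
    esac
}

setup_pki
make_response with_certs.der
make_response no_certs.der -resp_no_certs

# 1. Signer embedded in the response: -CAfile is enough, because the signer
#    chains to the CA that issued leaf.crt and carries the OCSPSigning EKU.
echo "embedded signer, -CAfile only:  $(verify_response with_certs.der -CAfile ca.crt)"
# 2. Signer omitted and the client told nothing about it: openssl cannot match
#    the ResponderID to any certificate it holds, the error from the question.
echo "omitted signer, -CAfile only:   $(verify_response no_certs.der -CAfile ca.crt)"
# 3. Signer omitted but -VAfile names the certificate that actually signed:
#    found by ResponderID and explicitly trusted, so the signature verifies.
echo "omitted signer, plus -VAfile:   $(verify_response no_certs.der -CAfile ca.crt -VAfile ocsp.crt)"
```

The practical check this suggests for the setup on the page: compare the ResponderID printed by `-resp_text` (a name or a key hash) against the subject and key of `caOcsp.pem`; if the servlet signs with a different certificate than the one handed to `-VAfile`, OpenSSL reports exactly this error even though `-CAfile` and `-VAfile` both point at a valid certificate.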