OCSP unknown status when passing cert, good status when passing serial
-
20-12-2019 - |
Question
Okay, so I have a multi-layered ca system that looks like this:
-ROOT_CA
----intermediate_CA
--------intermediate_CA2
------------client certs...
I have an OCSP responder set up on intermediate_CA2 that is started like so:
$ openssl ocsp -index intermedia_ca_2_index.txt -CA ca_crt_chain.crt -rsigner intermedia_ca_2.crt -rkey intermedia_ca_2.key -port xxxx -text
On the client side, I make an ocsp request like so:
$ openssl ocsp -issuer ca_crt_chain.crt -CAfile ca_crt_chain.crt -cert client.crt -text -host localhost:xxxx -verify_other... -trust_other
Note that client.crt is just the client cert, not the entire chain, though I have tried both ways and neither work. It always returns
Response verify OK
client.crt: unknown
If I change -cert client.crt
to -serial 0xXXXXXXXXX
(Obviously passing in a valid serial that cooresponds to client.crt) then everything works with:
Response verify OK
0xXXXXXXXXX: good
Oddly enough, if I examine the request in the first example, it is, indeed, sending the correct serial.
I can't for the life of me figure this out. Any ideas?
Solution
So the solution is that apparently openssl ocsp doesn't like chain files. So my server call looks like this now:
$ openssl ocsp -index intermedia_ca_2_index.txt -CA intermediate_ca_2.crt -rsigner intermedia_ca_2.crt -rkey intermedia_ca_2.key -port xxxx -text
Note that it would be more preferable to have an entirely seperate key pair for signing, but w/e.
The client connection would then look like so:
$ openssl ocsp -issuer intermediate_ca_2.crt -CApath /path/to/trust/store -cert client.crt -text -url http://localhost:xxxx