In my server application I built my OCSPRespBuilder with the right certificate but my responderID used to create this OCSPRespBuilder was wrong.
Now It works.
質問
I'am developing my own OCSP
responder.
First, I just want to send an OCSP
request with openssl
to my responder and receive a correct answer.
I have a CA certificate CA.crt
and its son RC.crt
. I want to check status certificate of RC.crt
.
My responder signs the response with its own self-signed certificate (OCSPSigning key usage...) caOcsp.pem. (In RFC2560 it is written "The key used to sign the response must belong to one of the following... A trusted Responder whose public key is trusted by the requester ...
So I just do :
openssl ocsp -issuer CA.crt -CAfile ..\caOcsp.pem -VAfile ..\caOcsp.pem -cert RC.crt -req_text -url http://localhost:8080/myServlet
In openssl documentation :
-CAfile file containing trusted certificate there are **used to verify the signature on the ocsp response** (That's why I put my ocsp certificate)
-VAfile file **containing explicitly trusted responder certificate** (That's why I put my ocsp certificate too...)
and I got the following response :
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 19266539D5B4B518D4382B2D3779CBF53A6061D6
Issuer Key Hash: 89B91685082EF65F5611F965E94422D602BE27DB
Serial Number: 0A
Request Extensions:
OCSP Nonce:
0410A75FEC94E252E5BDCA3FDABEEEC56CD7
***Response Verify Failure
7744:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:.\crypto\ocsp\ocsp_vfy.c:85:***
RC.crt: good
This Update: May 13 08:40:52 2014 GMT
What have I forgotten? What is wrong?
解決
In my server application I built my OCSPRespBuilder with the right certificate but my responderID used to create this OCSPRespBuilder was wrong.
Now It works.