<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi, I am new to the list and have a question to which I cannot
seem to find the answer in the archives here or in other sources. <br>
</p>
<p>We want to verify the certificate chain of an "official"
certificate, but including the revocation status of the
intermediate certs, via CRL or OCSP. <br>
(The chain verification itself is easy and solved, our problems
lie just with getting the revocation status of an arbitrary
certificate).<br>
</p>
<p>It seems to turn out that a) this is seldom done completely
(otherwise I think there would be more "working recipes") and it
is not easy to do it in a generic way as we keep getting various
errors at different steps.</p>
<p>Without making it too long, we want to do the following:<br>
a) retrieve and save certificate from server via URL<br>
b) retrieve and save certificate chain from server<br>
c) determine OCSP URL or CRL list URL<br>
d1) verify cert against OCSP source OR<br>
d2) download CRL; then verify cert against CRL</p>
<p>Up to c), everything is straightforward. We use openssl
1.0.1e-60.el7 from current CentOS 7. <br>
</p>
<p>When using OCSP, we keep getting spurious error messages from the
OCSP servers like "unauthorized" or "Bad request" when issuing an
openssl command like</p>
<pre>openssl ocsp -no_nonce -issuer certificate1_chain.pem -cert certificate1.pem -url <a class="moz-txt-link-freetext" href="http://ocsp2.globalsign.com/gsalphasha2g2">http://ocsp2.globalsign.com/gsalphasha2g2</a> -header "HOST" "ocsp2.globalsign.com/gsalphasha2g2" -resp_text
<i>Error querying OCSP responsder (SIC!!)</i><i>
</i><i>140058021447584:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request</i>
</pre>
<pre>openssl ocsp -no_nonce -issuer certificate2_chain.pem -cert certificate2.pem -url <a class="moz-txt-link-freetext" href="http://ocsp.comodoca.com">http://ocsp.comodoca.com</a> -header "HOST" "ocsp.comodoca.com" -resp_text
<i>Responder Error: unauthorized (6)</i></pre>
(Note that this does not seem to be related to nonce requests or
missing host headers - thanks to Ivan Ristic and others these are
well-known problems...)<br>
Needless to say, using a browser you get a 200 response!<br>
<br>
When going the CRL way, we keep getting <br>
<pre>/usr/bin/openssl verify -crl_check_all -CAfile certificate1_chain_crl.pem certificate1.pem
<i>certificate1.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority</i><i>
</i><i>error 2 at 2 depth lookup:unable to get issuer certificate</i><i>
</i><i>error 20 at 0 depth lookup:unable to get local issuer certificate</i></pre>
although the chain seems to be complete and we downloaded the CRL
from the CRL URL specified in the certificate. The depth 0 error can
probably be ignored as this is the root cert!?<br>
But the depth 2 cert is the final cert and all intermediates are
given, so why can the issuer certificate not be found?<br>
<br>
=> We are obviously doing things wrong or omitting something. <br>
Does anybody out there have a working recipe for how to do this for
typical certificate chains? <br>
<br>
Thank you for any hints, <br>
Jakob Curdes
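<p>As an added example (not part of the original mail, and not code from OpenSSL or from anyone named above), the script below builds a constructed root/intermediate/leaf PKI with a locally generated CRL for each CA, then runs the same <code>openssl verify -crl_check_all -CAfile</code> call from the mail against three different CA files. It shows two inputs that make that call fail with issuer-lookup or CRL-lookup errors: a CA file without the self-signed root that terminates the chain, and a CA file without a CRL for every CA in the chain (with <code>-crl_check_all</code> the root's own CRL is needed too), and then the same call succeeding once root, intermediate and both CRLs are in the file. All subject names, file names and CRL numbers are constructed; the CRLs stand in for ones that would normally be downloaded from the CRL Distribution Point URL in each certificate. The command-line options used assume OpenSSL 1.1.x or 3.x.</p>

```sh
#!/bin/sh
# Added example (not from the original mail): build a throwaway
# root -> intermediate -> leaf PKI with a CRL for each CA, then run the
# mail's `openssl verify -crl_check_all -CAfile ...` against three CA
# files to show which inputs make it fail and which make it pass.
# Every name and file here is constructed; nothing is fetched from the net.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One config file serving `openssl req` (DN + CA extensions) and
# `openssl ca -gencrl` (one section per CA, selected with -name).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[root_ca]
database = root.index
crlnumber = root.crlnumber
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 30
[int_ca]
database = int.index
crlnumber = int.crlnumber
certificate = int.pem
private_key = int.key
default_md = sha256
default_crl_days = 30
EOF

# Self-signed root, an intermediate signed by it, a leaf signed by that.
openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Constructed Root" -extensions ca_ext \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -config pki.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Constructed Intermediate" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions ca_ext -out int.pem 2>/dev/null
openssl req -config pki.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null

# An (empty) CRL from each CA. For a real chain these files would be the
# CRLs downloaded from the CRL Distribution Point URL in each certificate.
for ca in root int; do
  : > "$ca.index"; echo 01 > "$ca.crlnumber"
  openssl ca -config pki.cnf -name "${ca}_ca" -gencrl -out "$ca.crl" 2>/dev/null
done

# Exit 0 only when openssl verify accepts leaf.pem against the given CA file.
verify_leaf() {
  openssl verify -crl_check_all -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Three CA files: the mail's shape (intermediate plus its CRL, but no
# self-signed root), root present but the intermediate's CRL missing,
# and everything the checker needs.
cat int.pem int.crl                   > no_root.pem
cat root.pem int.pem root.crl         > missing_crl.pem
cat root.pem int.pem root.crl int.crl > complete.pem

for f in no_root.pem missing_crl.pem complete.pem; do
  if verify_leaf "$f"; then
    echo "$f: OK"
  else
    echo "$f: FAILED"
    openssl verify -crl_check_all -CAfile "$f" leaf.pem 2>&1 | sed 's/^/    /'
  fi
done
```

<p>Run it with a POSIX sh and an <code>openssl</code> binary on the PATH. The exact error wording differs between OpenSSL releases, so the script reports OK/FAILED and echoes the verify output for the failing files instead of matching on message text; the point to take from it is that <code>-CAfile</code> must hold the trust anchor, every intermediate, and one CRL per CA before <code>-crl_check_all</code> can say anything about the leaf.</p>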
</body>
</html>