[openssl-users] OCSP service dependant on time valid CRLs

Walter H. Walter.H at mathemainzel.info
Thu Dec 10 16:35:25 UTC 2015


Hi Dan,

On 10.12.2015 16:27, daniel bryan wrote:
> *TEST #2: *Next test was using OCSP:
>
> [dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile 
> VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert 
> CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080
>
> /Response verify OK
> CERTS/0x500c8bd-revoked.pem: *unknown*
> This Update: Dec 9 20:48:26 2015 GMT/
>
> as you can see the client *was NOT *informed the certificate was revoked.
and also that it is not good -> unknown, revoked and good are the 3 
values ...
>
> We are using a 3rd party vendors OCSP service, and I am of the opinion 
> that an OCSP service should provide a revoked response regardless of 
> the time validity of the CRL.
does the OCSP responder cert be the signing cert itself or was it signed 
by the same signing cert that signed the cert you want to validate?

or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both 
CERTS/0x500c8bd-revoked.pem and the OCSP responder cert (VAS/def_ocsp.pem)?
>
Walter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/8e208921/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/8e208921/attachment.bin>


More information about the openssl-users mailing list