[openssl-users] Problem checking certificate with OCSP

Walter H. Walter.H at mathemainzel.info
Thu Oct 15 13:49:06 UTC 2015


On 5.10.2015 17:11, Dr. Stephen Henson wrote:
> On Mon, Oct 05, 2015, Walter H. wrote:
>
>> Hello,
>>
>> attached is the certificate and its chain of  https://revoked.grc.com/
>>
>> doing this:
>>
>> openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2
>>
>> gives the following:
>>
>> OCSP Request Data:
>>      Version: 1 (0x0)
>>      Requestor List:
>>          Certificate ID:
>>            Hash Algorithm: sha1
>>            Issuer Name Hash: 45658DA20174402FF48B3A6AC0BC69208095C7CA
>>            Issuer Key Hash: 96ADFAB05BB983642A76C21C8A69DA42DCFEFD28
>>            Serial Number: 112155688D380775DA34C5DF97433ED3F6A7
>> Error querying OCSP responsder
>> 139928584042312:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response
>> error:ocsp_ht.c:250:Code=403,Reason=Forbidden
>>
>> where is the problem for this strange error?
>>
> Some OCSP responders need the host header, try adding:
>
> 	 -header Host ocsp2.globalsign.com
Thanks for this hint;

When doing this

openssl ocsp -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -no_nonce -issuer issuer.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2 -header Host ocsp2.globalsign.com

ca-bundle.trust.crt is the certstore of my centos
issuer.pem is the intermediate certificate, used signing cert.pem
cert.pem is the certificate that should be checked

then I get this error:

Response Verify Failure
139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
srvr.pem: revoked
         This Update: Oct 13 07:20:48 2015 GMT
         Next Update: Oct 16 07:20:48 2015 GMT
         Reason: unspecified
         Revocation Time: Apr 23 15:44:10 2014 GMT

when I use chain.pem (contains both the intermediate and the root 
certificate) as -CAfile,
then it works;

I want to do the following:

I get the server certificate and the chain except the root;
and then I want to verify with this if the certificate is valid, 
revoked or has expired

so I have 3 files

cert.pem   the certificate itself
issuer.pem  the intermediate that was used signing the certificate
chain.pem any certificate of the chain except the certificate itself and the root
the following script should do the job ...

#!/bin/sh
CAFILE=/etc/pki/tls/certs/ca-bundle.trust.crt   # system trust store (roots only)
CERT=srvr.pem                                   # certificate to be checked
ISSUER=issuer.pem                               # intermediate that signed $CERT

# OCSP responder URL from the certificate's Authority Information Access extension
OCSPURL=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
# host part of that URL, for the Host header some responders insist on
OCSPHOST=$(echo "$OCSPURL" | gawk -F/ '{ print $3 }' -)

openssl ocsp -CAfile "$CAFILE" -no_nonce -issuer "$ISSUER" -cert "$CERT" -url "$OCSPURL" -header Host "$OCSPHOST"

but fails with

139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate

why?

it can't be the solution to generate a new "cert store" (the concat of 
chain.pem and the real cert store) for each certificate I want to verify ...

Thanks,
Walter
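Added here as an example, not the poster's script or OpenSSL project code: the wrapper this thread is working toward, with the result handling spelled out so that a status line such as "srvr.pem: revoked" is never accepted from a response whose signature did not verify (the output above shows both printed together). It assumes openssl(1) on PATH and the OpenSSL 1.0.x "-header name value" form used in the thread; -verify_other is a documented openssl ocsp option, and which CAfile to pass is left to the caller.

```shell
#!/bin/sh
# Added example, not the poster's script: an OCSP check wrapper that never
# trusts a certificate status taken from a response whose signature failed
# to verify. Assumes openssl(1) in PATH and the OpenSSL 1.0.x "-header name value"
# form used in the thread (1.1.0 and later take "-header Host=$host" and send
# the Host header on their own). File names are supplied by the caller.

# Host header value from an http://host[:port]/path URL (the thread's gawk step).
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##' -e 's#:.*$##'
}

# Reduce the combined stdout+stderr of "openssl ocsp" to one verdict word:
# good | revoked | unknown | unverified | error. Exit status 0 only for good.
# "Response Verify Failure" wins over any status line; that is the trap in the
# thread, where "srvr.pem: revoked" was printed right after a failed verify.
ocsp_verdict() {
    out=$1; cert=$2
    case $out in
        *"Response Verify Failure"*) echo unverified; return 1 ;;
    esac
    case $out in
        *"Response verify OK"*) ;;
        *) echo error; return 1 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n "s#^$cert: \([a-z]*\).*#\1#p" | head -n 1)
    case $status in
        good)    echo good ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# ocsp_check CERT ISSUER CAFILE: query the responder named in CERT's AIA extension.
# -verify_other is a documented openssl ocsp option: extra certificates searched
# when locating the responder's signing certificate. Whether that signer then
# chains to CAFILE is still decided by what CAFILE holds, as the thread shows.
ocsp_check() {
    cert=$1; issuer=$2; cafile=$3
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri) || return 1
    [ -n "$url" ] || { echo "$cert: no OCSP URI in AIA" >&2; return 1; }
    host=$(ocsp_host_from_url "$url")
    out=$(openssl ocsp -CAfile "$cafile" -no_nonce -issuer "$issuer" -cert "$cert" \
              -verify_other "$issuer" -url "$url" -header Host "$host" 2>&1)
    ocsp_verdict "$out" "$cert"
}

# Usage: sh ocsp-check.sh srvr.pem issuer.pem /etc/pki/tls/certs/ca-bundle.trust.crt
if [ "$#" -eq 3 ]; then ocsp_check "$@"; fi
```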
