[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?
M K Saravanan
mksarav at gmail.com
Wed Oct 28 03:56:45 UTC 2015
Hi,
If the OCSP responder does not send the response signer certificate in the
OCSP response, then how can we find the signer certificate?
I was doing a simple test to verify Google's certificate via OCSP like this:
$ openssl ocsp -issuer ./www.google.com.sg-issuer.cer -CAfile ./ca.cer -cert ./www.google.com.sg.cer -url http://clients1.google.com/ocsp -header Host clients1.google.com -no_nonce
Response Verify Failure
2283136:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:91:
./www.google.com.sg.cer: good
This Update: Oct 27 14:35:13 2015 GMT
Next Update: Nov 3 14:35:13 2015 GMT
Upon checking the Wireshark capture, I found the OCSP response does not
send the signer cert, but only the responderID (byKey).
In such a scenario, where do I find the OCSP response signer cert?
with regards,
Saravanan