[openssl-users] Problem with OSCP Server Response
Dr. Stephen Henson
steve at openssl.org
Sat Apr 23 03:39:26 UTC 2016
On Thu, Apr 21, 2016, Juan Sebasti?n C?rdenas Arenas wrote:
> Good Morning
> My name is Juan Sebastian Cardenas, I'm a Systems engineer from Colombia
> I am implementing an internal PKI for the organization where I work using openssl
> The idea is to generate certificates and digital signatures to members of the organization so that they can sign documents of the office suite and eliminate the use of paper
> I have success in creating the keys and certificates from a ca root and an intermediary, I am using the intermediary to sign certificates of users and the server OCSP
> When creating user certificates I am defining the URI of OCSP server so that it can verify the validity of the certificate
> And finally I am exporting user certificates to a pkcs12 format (.p12) to install the certificate and key user on the user's computer
> After installing the pkcs12 key on user's computer, I can use the programs of the office suite (word, excel, power point, etc..) to sign documents using the installed digital signature, however, only makes the connection to the OCSP server once and then no longer allow any verification or validation.
> In reviewing the response from the OCSP server:
> Invalid request
> Reply Error: malformedRequest (1)
> And then in the Office program, I can´t use the digital signature to sign documents anymore, and present the message the selected certificate can not be verified. Check the network connection (as had already been able to connect the first time)
> Ask them please guide me regarding this specific error check with the OCSP server response.
Are you using the OpenSSL "ocsp" utility as a server? That is only intended
for test and debugging use. For example it is inefficient and can only handle
single requests at one time.
It isn't clear from your message what the cause is. It is possible that the
requests are using GET format which the ocsp utility doesn't support.
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users