[openssl-users] Question RE certificate chain verification

Jakob Curdes j.curdes at overspeed.de
Tue Feb 21 11:16:53 UTC 2017 

Hi, I am new to the list and have a question where it seems I cannot find the answer in archives here or in other sources.

We want to verify the certificate chain of an "official" certificate, but including the revocation status of the intermediate certs, via CRL or OCSP.
(The chain verification itself is easy and solved, our problems lie just with getting the revocation status of an arbitrary certificate).

It seems to turn out that a) this is seldom done completely (otherwise I think there would be more "working recipes") and it is not easy to do it in a generic way as we keep getting various errors at different steps.

Wtihout making it too long, we want to do the following:
a) retrieve and save certificate from server via URL
b)retrieve and save certificate chain from server
c) determine OCSP URL or CRL list URL
d1) verify cert against OCSP source OR
d2) download CRL; then verify cert against CRL

Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from current CentOS 7.

When using OCSP, we keep getting spurious error messages from the OCSP servers like "unauthorized" or "Bad request" when issuing an openssl command like

openssl ocsp  -no_nonce -issuer certificate1_chain.pem -cert certificate1.pem -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com/gsalphasha2g2" -resp_text
/Error querying OCSP responsder (SIC!!)////140058021447584:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request/

openssl ocsp -no_nonce -issuer certificate2_chain.pem -cert certificate2.pem -url http://ocsp.comodoca.com -header "HOST" "ocsp.comodoca.com" -resp_text
/Responder Error: unauthorized (6)/

(Note that this does not seem to be related to nonce requests or missing host headers - thanks to Ivan Ristic and others these are well-known problems...)
Needless to say that using a browser you get a 200 response!

When going the CRL way, we keep getting

/usr/bin/openssl verify -crl_check_all -CAfile certificate1_chain_crl.pem certificate1.pem
/certificate1.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority////error 2 at 2 depth lookup:unable to get issuer certificate////error 20 at 0 depth lookup:unable to get local issuer certificate/

although the chain seems to be complete and we downloaded the CRL from the CRL URL specified in the certificate. The depth 0 error can probably be ignored as this is the root cert!?
But the depth 2 cert is the final cert and all intermediates are given, so why can the issuer certificate not be found?

=> We are obviously doing things wrong or omitting something.
Has anybody out there a working recipe how to do this for typical certificate chains?

Thank you for any hints,
Jakob Curdes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170221/9757ec66/attachment.html>

More information about the openssl-users mailing list