Response Verify Failure attempting to configure OCSP server.

Deft Developer dev at hymes.name
Fri Jan 15 19:06:42 UTC 2021


I have openssl 1.0.2, on CentOS 7. I'm trying to configure and test ocsp
service.

This host, toberlone, is a certificate authority and signs local certificate
requests.

Questions:

1) Why do I get a "Response Verify Failure" when testing?

2) How do I configure the CA+signer to serve ocsp requests?

3) How do I configure signature requests to use ocsp?

4) Am I using the openssl ocsp commands correctly?

I have the self-signed CA certificate in the file:

caCertfile="/etc/pki/CA/certs/toberlone_certificate_public_certificate-authority_authenticate.crt"

This host also has a general server certificate, signed by the CA above, in
the file

serverCertfile="warehouse/certificates/toberlone_certificate_public_server_general.crt"

Working from the example on the ocsp man page, I try to check with

openssl ocsp -issuer "$caCertfile" -cert "$serverCertfile" -url 'http://localhost:8083'

but I get the error:

Response Verify Failure
139661258700688:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate

warehouse/certificates/toberlone_certificate_public_server_general.crt: unknown

This Update: Jan 14 21:53:36 2021 GMT

I fear that I have not configured my CA and/or signing requests for ocsp.
First, I'm uncertain where to locate the line

authorityInfoAccess = OCSP;URI:http://toblerone:8083

I put it in the "ca_extensions" section of ca.conf; no openssl commands
report errors.


Some, not all, blogs say the ca.conf should have an ocsp section. Some say
it should be called "ocsp", others "v3_OCSP":


[ ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning


Other blogs say the ocsp section should be in the server_sig_request.conf
files that generate the signature requests. My server_sig_request.conf files
do not have any ocsp stuff in them. Should they include "OCSPSigning" or
some other mention of ocsp? 


If I insert ocsp sections into the ca or server_sig_request conf files, how
does that affect the command line for creating the self-signed CA cert,
and/or the command for the CA to sign the request? Specifically I wonder
about using the -extensions option, and using the -CAfile option when I try
a test connection to the ocsp server.

Finally, I'm uncertain about how the ocsp server uses relative vs. absolute
paths. Does the current directory matter when starting the ocsp server? Does
it matter when attempting to test via the URI?


I will post copies of the ca.conf and server_sig_request.conf, if requested.


Thanks!


Deft
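As an added example, not part of Deft's post or of OpenSSL's own documentation: the POSIX shell script below builds a throwaway CA, an OCSP signing certificate carrying `extendedKeyUsage = OCSPSigning` (the `[ ocsp ]` section quoted above), and a server certificate whose extensions include an `authorityInfoAccess` line, then answers an OCSP request for the server certificate from the CA's `index.txt` without opening a port. The file mode of `openssl ocsp` (`-reqin`/`-respout`) takes the same `-index`, `-CA`, `-rsigner` and `-rkey` options that a `-port 8083` responder would. All names, paths and the `localhost:8083` URI are constructed for the demo. The response is checked three ways: without `-CAfile`, which reproduces the "unable to get local issuer certificate" verify failure because the relying side has no trust anchor to chain the responder's signing certificate to; with `-CAfile`; and once more after revoking the server certificate with `openssl ca -revoke`.

```shell
#!/bin/sh
# Added example, not from the original post: an offline OpenSSL OCSP walk-through.
# All names, file paths and the localhost:8083 AIA URI are constructed for the demo.
set -e

# Minimal CA config. "dir = ." is relative, so openssl ca and the responder must
# be started from the directory that holds index.txt, serial and newcerts/.
write_ca_config() {
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
# responder signing certificate: a delegated signer, so OCSPSigning is required
[ ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
# ordinary end-entity certificate; the AIA line points clients at the responder
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityInfoAccess = OCSP;URI:http://localhost:8083
EOF
}

# Self-signed CA plus two certificates issued with "openssl ca", which keeps
# index.txt (the responder's status database) up to date for us.
build_pki() {
    touch index.txt; echo 01 > serial; mkdir -p newcerts
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -subj "/CN=Demo Test CA" -days 365 >/dev/null 2>&1
    for name in ocsp server; do   # section names in ca.cnf double as file names
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=demo-$name" >/dev/null 2>&1
        openssl ca -config ca.cnf -batch -notext -extensions "$name" \
            -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
    done
}

# Responder side, file mode: answer a DER request from index.txt. The same
# -index/-CA/-rsigner/-rkey options serve HTTP when combined with -port.
answer_ocsp() {
    openssl ocsp -issuer ca.crt -cert server.crt -no_nonce -reqout req.der >/dev/null
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -reqin req.der -respout resp.der >/dev/null
}

# Relying-party check; $1 is "" or "-CAfile ca.crt". Prints verify-failure when
# the responder's signer cannot be chained to a trust anchor, else the status.
ocsp_status() {
    out=$(openssl ocsp -issuer ca.crt -cert server.crt -no_nonce \
        -respin resp.der $1 2>&1) || true
    case "$out" in
        *"Response Verify Failure"*) echo verify-failure ;;
        *"server.crt: good"*)        echo good ;;
        *"server.crt: revoked"*)     echo revoked ;;
        *)                           echo unknown ;;
    esac
}

# Whole walk-through in a scratch directory; prints three statuses.
run_demo() {
    work=$(mktemp -d)
    cd "$work"
    write_ca_config
    build_pki
    answer_ocsp
    r1=$(ocsp_status "")                # no trust anchor: the verify failure from the post
    r2=$(ocsp_status "-CAfile ca.crt")  # good
    openssl ca -config ca.cnf -revoke server.crt >/dev/null 2>&1
    answer_ocsp                         # a fresh response reflects the updated index.txt
    r3=$(ocsp_status "-CAfile ca.crt")  # revoked
    echo "$r1 $r2 $r3"                  # -> verify-failure good revoked
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found in PATH" >&2
fi
```

Run as `sh ocsp_demo.sh`; it prints `verify-failure good revoked` and leaves the generated files in the temporary directory for inspection. Two details worth noting: `openssl ca` and the responder resolve `dir = .` and `-index index.txt` against the current working directory, so either start them from the CA directory or put absolute paths in the config; and `-no_nonce` is only needed here because the request and the verification are separate invocations, whereas a live `-url` query builds, sends and checks the request in one run, so the nonce matches by itself.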

