<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
line-height:normal;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
margin-bottom:.1in;
margin-left:0in;
line-height:115%;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>I have openssl 1.0.2, on CentOS 7. I'm trying to configure and test ocsp service.<o:p></o:p></p><p class=MsoNormal>This host, toberlone, is a certificate authority and signs local certificate requests.<o:p></o:p></p><p class=MsoNormal>Questions:<o:p></o:p></p><p class=MsoNormal>1) Why do I get a "Response "Verify Failure" when testing?<o:p></o:p></p><p class=MsoNormal>2) How do I configure the CA+signer to serve ocsp requests?<o:p></o:p></p><p class=MsoNormal>3) How do I configure signature requests to use ocsp?<o:p></o:p></p><p class=MsoNormal>4) Am I using the openssh ocsp commands correctly?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have the self-signed CA certificate in the file:<o:p></o:p></p><p class=MsoNormal>caCertfile="/etc/pki/CA/certs/toberlone_certificate_public_certificate-authority_authenticate.crt"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This host also has a general server certificate, signed by the CA above, in the file<o:p></o:p></p><p class=MsoNormal>serverCertfile="warehouse/certificates/toberlone_certificate_public_server_general.crt"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Working from the example on the ocsp man page, I try to check with<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>openssl ocsp -issuer "$caCertfile" -cert "$serverCertfile" -url '<a href="http://localhost:8083/">http://localhost:8083</a>'<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>but I get the error:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Response Verify Failure<o:p></o:p></p><p class=MsoNormal>139661258700688:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate<o:p></o:p></p><p class=MsoNormal>warehouse/certificates/toberlone_certificate_public_server_general.crt: unknown<o:p></o:p></p><p class=MsoNormal>This Update: Jan 14 21:53:36 2021 GMT<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I fear that I have not configured my CA and or signing requests for ocsp. First, I'm uncertain where to locate the line<o:p></o:p></p><p class=MsoNormal>authorityInfoAccess = OCSP;URI:<a href="http://toblerone:8083/">http://</a><a href="http://toblerone:8083/">toblerone</a><a href="http://toblerone:8083/">:808</a><a href="http://toblerone:8083/">3</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I put it in the "ca_extensions" section of the ca.conf, no openssl commands report errors.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Some, not all, blogs say the ca.conf should have an ocsp section. Some say it should be called "ocsp", others "v3_OCSP":<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[ ocsp ]<br>basicConstraints = CA:FALSE<br>keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>extendedKeyUsage = OCSPSigning<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Other blogs say the ocsp section should be in the server_sig_request.conf files that generate the signature requests. My server_sig_request.conf files do not have any ocsp stuff in them. Should they include "OCSPSigning" or some other mention of ocsp? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I insert ocsp sections into the ca or server_sig_request conf files, how does that effect the command line for creating the self-signed CA cert, and/or the command for the CA to sign the request? Specifically I wonder about using the -extensions option, and using the -CAFile option when I try a test connection to the ocsp server.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Finally, I'm uncertain about how the ocsp server uses relative v.s. absolute paths. Does the current directory matter when starting the ocsp server? Does it matter when attempting to test via the URI? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I will post copies of the ca.conf and server_sig_request.conf, if requested.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Deft<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>