sslcryptographyopensslcertificateocsp

OCSP unknown status when passing cert, good status when passing serial


Okay, so I have a multi-layered ca system that looks like this:

-ROOT_CA

----intermediate_CA

--------intermediate_CA2

------------client certs...

I have an OCSP responder set up on intermediate_CA2 that is started like so:

$ openssl ocsp -index intermedia_ca_2_index.txt -CA ca_crt_chain.crt -rsigner intermedia_ca_2.crt     -rkey intermedia_ca_2.key -port xxxx -text

On the client side, I make an ocsp request like so:

$ openssl ocsp -issuer ca_crt_chain.crt -CAfile ca_crt_chain.crt -cert client.crt -text -host localhost:xxxx -verify_other... -trust_other

Note that client.crt is just the client cert, not the entire chain, though I have tried both ways and neither work. It always returns

Response verify OK
client.crt: unknown

If I change -cert client.crt to -serial 0xXXXXXXXXX (Obviously passing in a valid serial that cooresponds to client.crt) then everything works with:

Response verify OK
0xXXXXXXXXX: good 

Oddly enough, if I examine the request in the first example, it is, indeed, sending the correct serial.

I can't for the life of me figure this out. Any ideas?


Solution

  • So the solution is that apparently openssl ocsp doesn't like chain files. So my server call looks like this now:

    $ openssl ocsp -index intermedia_ca_2_index.txt -CA intermediate_ca_2.crt -rsigner intermedia_ca_2.crt -rkey intermedia_ca_2.key -port xxxx -text
    

    Note that it would be more preferable to have an entirely seperate key pair for signing, but w/e.

    The client connection would then look like so:

    $ openssl ocsp -issuer intermediate_ca_2.crt -CApath /path/to/trust/store -cert client.crt -text -url http://localhost:xxxx