I'm trying to set up an OCSP responder with a root CA and several sub CAs for signing deployed certificates, using openca-ocspd on Fedora Core 22.
However, I have not been successful; either the responder can use only a single certificate to sign all the OCSP responses, or I do not know how to configure the software properly. As far as I have understood, each CA (and sub CA) should have its own certificate with the OCSP signing EKU, as stated in RFC 2560:
"All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating <----o
that the responder may issue OCSP responses for that CA"
The responder stubbornly sends the first configured OCSP certificate no matter which CA CRL is being used for verification. With the failing deployed certificates (certificates signed by the sub CAs) I get the following (because the OCSP signing certificate in the response is the root CA's instead of the sub CA's OCSP signing certificate):
Response Verify Failure
140689577682800:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:152:
My question is: does openca-ocspd support multiple CAs, or am I trying to do something that is not possible with this responder? If it does, how do I configure it properly?
I wonder if someone could help me?
I have followed the configuration file at: http://svn.cacert.org/CAcert/SystemAdministration/ocsp/usr/local/etc/ocspd/ocspd.conf
The ocspd version is: ocspd.x86_64 1.9.0-5.fc22
Thanks a lot!
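The failure described in the issue can be reproduced offline, without openca-ocspd, using the file-based responder mode of the `openssl ocsp` tool. The script below is an added example, not code from the issue or from openca-ocspd: it builds a throw-away PKI (a root, one sub CA, a designated OCSP responder certificate issued directly by each CA, and a leaf issued by the sub CA), answers one request for the leaf twice, once signed by the sub CA's responder and once by the root's responder (which is what a responder that uses a single signing certificate for every CA does), and verifies both answers as a client would. The config file name `pki.cnf`, the subject names, serial numbers and the `index.txt` row are made up for the example; it assumes an OpenSSL command-line tool with the `ocsp` subcommand (1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example: per-CA designated OCSP responder vs. one signer for all CAs.
# Everything here (names, serials, pki.cnf) is constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: an empty DN section (subjects come from -subj)
# plus three extension profiles. The OCSP profile is what RFC 2560 calls a
# "specially marked certificate": extendedKeyUsage = OCSPSigning.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ocsp]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

# issue NAME ISSUER PROFILE SERIAL: new key + CSR, signed by ISSUER with PROFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config pki.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 365 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj /CN=root -days 365 -config pki.cnf -extensions v3_ca 2>/dev/null
issue sub       root v3_ca   0x10    # sub CA, issued by root
issue ocsp-root root v3_ocsp 0x11    # designated responder for root (issued by root)
issue ocsp-sub  sub  v3_ocsp 0x20    # designated responder for sub  (issued by sub)
issue leaf      sub  v3_leaf 0x1001  # end-entity certificate issued by sub

# openssl-ca style index for the sub CA: serial 1001 is valid ("V").
# Fields: status, expiry, revocation date, serial, file, subject (tab separated).
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt

# One OCSP request for the leaf; the CertID names sub as the issuer.
# -no_nonce keeps the request identical to the one rebuilt in verify().
openssl ocsp -issuer sub.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null

# respond SIGNER OUT: answer req.der from index.txt, signing with SIGNER.
# -rother adds the sub CA so the client can chain the signer up to the root.
respond() {
  openssl ocsp -index index.txt -CA sub.pem -rsigner "$1.pem" -rkey "$1.key" \
    -rother sub.pem -no_nonce -reqin req.der -respout "$2" >/dev/null
}

# verify RESP: client-side check of a stored response, trusting only root.pem.
# Prints OK, or FAIL with the OpenSSL reason the issue reports.
verify() {
  out=$(openssl ocsp -issuer sub.pem -cert leaf.pem -no_nonce \
        -respin "$1" -CAfile root.pem 2>&1 || true)
  case "$out" in
    *"Response verify OK"*)  echo "OK" ;;
    *"root ca not trusted"*) echo "FAIL: root ca not trusted" ;;
    *)                       echo "FAIL: other"; printf '%s\n' "$out" >&2 ;;
  esac
}

respond ocsp-sub  good.der  # correct: responder designated by the issuing CA
respond ocsp-root bad.der   # the issue's situation: root's signer for a sub-issued cert
verify good.der
verify bad.der
```

The good response verifies because the signer's chain is ocsp-sub, sub, root: the client finds that the certificate directly above the signer is the CA named in the CertID (sub) and that the signer carries the OCSP signing EKU, which is the "CA Designated Responder" case quoted from RFC 2560. The bad response carries a perfectly valid certificate, but its chain is ocsp-root, root: the issuer of the signer is not the issuer of the leaf, the signer is not the leaf's issuer either, and the root in the trust store has no explicit OCSP-signing trust setting, so `OCSP_basic_verify` falls through to exactly the "root ca not trusted" error shown above. A responder serving several CAs therefore has to select, per request, a signing certificate issued by the CA named in that request's CertID (or be explicitly trusted by every client for OCSP signing).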