Does openca-ocspd support CA with multiple subCAs? #18

Open
pmutka opened this issue Aug 28, 2015 · 1 comment

Comments


pmutka commented Aug 28, 2015

I wonder if someone could help me?

I'm trying to set up an OCSP responder with a root CA and several sub CAs for signing deployed certificates, using openca-ocspd on Fedora Core 22.

However, I have not been successful; either the responder can use only a single certificate to sign all the OCSP responses, or I do not know how to configure the software properly. As far as I have understood, each CA (and sub CA) should have its own certificate with the EKU for OCSP signing, as stated in RFC 2560:

"All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following:

-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA" <----o

The responder stubbornly sends the first configured OCSP certificate no matter which CA CRL is being used for verification. For the failing deployed certificates (certificates signed by the sub CAs) I get the following, because the OCSP signing certificate in the response is the root CA's instead of the sub CA's OCSP signing certificate:

Response Verify Failure
140689577682800:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:152:

My question is: does the openca-ocspd software support multiple CAs, or am I trying to do something that is not possible with the responder? If it does, how do I configure it properly?

I have followed the configuration file at: http://svn.cacert.org/CAcert/SystemAdministration/ocsp/usr/local/etc/ocspd/ocspd.conf

The ocspd version is: ocspd.x86_64 1.9.0-5.fc22

Thanks a lot!
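The three RFC 2560 signer rules quoted above, and the selection behaviour the reporter observed, as an added illustration that is not part of the issue or of openca-ocspd. It models certificates as plain records with a constructed stand-in for the public-key bits, keys signer selection on the issuerKeyHash a client would put in its CertID, and contrasts "first configured signer" with per-issuer selection; `pick_first_configured` and `pick_by_issuer` are hypothetical names, not ocspd functions.

```python
import hashlib
from dataclasses import dataclass

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 2560 s.4.2.2.2)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: bytes                      # constructed stand-in for the DER subjectPublicKey bits
    eku: frozenset = frozenset()

def key_hash(cert):
    """issuerKeyHash as used in an OCSP CertID: SHA-1 over the issuer's public key bits."""
    return hashlib.sha1(cert.pubkey).digest()

def signer_role(signer, issuer_ca, trusted_responders=()):
    """Which RFC 2560 rule (if any) lets `signer` sign a response about a cert issued by `issuer_ca`."""
    if signer == issuer_ca:
        return "issuer CA"
    if signer in trusted_responders:
        return "trusted responder"
    if signer.issuer == issuer_ca.subject and OCSP_SIGNING_EKU in signer.eku:
        return "designated responder"
    return None   # e.g. the root's OCSP cert signing for a sub CA: the client rejects this

# Constructed PKI: a root, one sub CA, and one designated OCSP signing cert per CA.
ROOT = Cert("Root CA", "Root CA", b"root-key")
SUB = Cert("Sub CA 1", "Root CA", b"sub1-key")
ROOT_OCSP = Cert("Root OCSP", "Root CA", b"root-ocsp-key", frozenset({OCSP_SIGNING_EKU}))
SUB_OCSP = Cert("Sub1 OCSP", "Sub CA 1", b"sub1-ocsp-key", frozenset({OCSP_SIGNING_EKU}))
CONFIG = [(ROOT, ROOT_OCSP), (SUB, SUB_OCSP)]   # order as the CAs would be listed in the config

def pick_first_configured(config, issuer_key_hash):
    """Behaviour reported in the issue: always the first configured signer."""
    return config[0][1]

def pick_by_issuer(config, issuer_key_hash):
    """Per-CA selection: match the request's issuerKeyHash against each configured CA."""
    for ca, signer in config:
        if key_hash(ca) == issuer_key_hash:
            return signer
    return None

def check(selector, issuer_ca=SUB):
    """Select a signer for a request about a cert issued by `issuer_ca` and classify it."""
    signer = selector(CONFIG, key_hash(issuer_ca))
    if signer is None:
        return None, None
    return signer.subject, signer_role(signer, issuer_ca)
```

A `None` role from `check` is the server-side counterpart of the client's "root ca not trusted" verify failure: the response is well-formed but signed by a key that none of the three rules authorises for that issuer.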

Contributor

a157634 commented Sep 11, 2015

Hi,

In the 1.9.x versions this is still not supported. The current official versions do not support this either.
But see these posts for further information:
http://sourceforge.net/p/openca/mailman/message/34452520/
http://sourceforge.net/p/openca/mailman/message/34431875/

Regards,
Ralf
