Response Verify Failure attempting to configure OCSP server.


Deft Developer

I have openssl 1.0.2, on CentOS 7. I'm trying to configure and test ocsp service.

This host, toberlone, is a certificate authority and signs local certificate requests.

Questions:

1) Why do I get a "Response Verify Failure" when testing?

2) How do I configure the CA+signer to serve ocsp requests?

3) How do I configure signature requests to use ocsp?

4) Am I using the openssl ocsp commands correctly?


I have the self-signed CA certificate in the file:

caCertfile="/etc/pki/CA/certs/toberlone_certificate_public_certificate-authority_authenticate.crt"


This host also has a general server certificate, signed by the CA above, in the file

serverCertfile="warehouse/certificates/toberlone_certificate_public_server_general.crt"


Working from the example on the ocsp man page, I try to check with


openssl ocsp -issuer "$caCertfile" -cert "$serverCertfile" -url 'http://localhost:8083'


but I get the error:


Response Verify Failure

139661258700688:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate

warehouse/certificates/toberlone_certificate_public_server_general.crt: unknown

This Update: Jan 14 21:53:36 2021 GMT

I fear that I have not configured my CA and/or signing requests for ocsp. First, I'm uncertain where to locate the line

authorityInfoAccess = OCSP;URI:http://toblerone:8083

I put it in the "ca_extensions" section of the ca.conf, and no openssl commands report errors.


Some, not all, blogs say the ca.conf should have an ocsp section. Some say it should be called "ocsp", others "v3_OCSP":


[ ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning


Other blogs say the ocsp section should be in the server_sig_request.conf files that generate the signature requests. My server_sig_request.conf files do not have any ocsp stuff in them. Should they include "OCSPSigning" or some other mention of ocsp?

If I insert ocsp sections into the ca or server_sig_request conf files, how does that affect the command line for creating the self-signed CA cert, and/or the command for the CA to sign the request? Specifically, I wonder about using the -extensions option, and using the -CAFile option when I try a test connection to the ocsp server.

Finally, I'm uncertain about how the ocsp server uses relative vs. absolute paths. Does the current directory matter when starting the ocsp server? Does it matter when attempting to test via the URI?


I will post copies of the ca.conf and server_sig_request.conf, if requested.


Thanks!


Deft