On 5.10.2015 17:11, Dr. Stephen Henson wrote:
> On Mon, Oct 05, 2015, Walter H. wrote:
>
>> Hello,
>>
>> attached is the certificate and its chain of https://revoked.grc.com/
>>
>> doing this:
>>
>> openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
>> http://ocsp2.globalsign.com/gsdomainvalg2
>>
>> gives the following:
>>
>> OCSP Request Data:
>>     Version: 1 (0x0)
>>     Requestor List:
>>         Certificate ID:
>>           Hash Algorithm: sha1
>>           Issuer Name Hash: 45658DA20174402FF48B3A6AC0BC69208095C7CA
>>           Issuer Key Hash: 96ADFAB05BB983642A76C21C8A69DA42DCFEFD28
>>           Serial Number: 112155688D380775DA34C5DF97433ED3F6A7
>> Error querying OCSP responsder
>> 139928584042312:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response
>> error:ocsp_ht.c:250:Code=403,Reason=Forbidden
>>
>> where is the problem for this strange error?
>>
> Some OCSP responders need the host header, try adding:
>
> -header Host ocsp2.globalsign.com

Thanks for this hint;

When doing this

openssl ocsp -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -no_nonce -issuer issuer.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2 -header Host ocsp2.globalsign.com

ca-bundle.trust.crt is the cert store of my CentOS
issuer.pem is the intermediate certificate used to sign cert.pem
cert.pem is the certificate that should be checked

then I get this error:

Response Verify Failure
139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
srvr.pem: revoked
    This Update: Oct 13 07:20:48 2015 GMT
    Next Update: Oct 16 07:20:48 2015 GMT
    Reason: unspecified
    Revocation Time: Apr 23 15:44:10 2014 GMT

When I use chain.pem (contains both the intermediate and the root certificate) as -CAfile, then it works;

I want to do the following: I get the server certificate and the chain except the root, and then I want to verify with this whether the certificate is valid, revoked or has expired.

So I have 3 files:

cert.pem    the certificate itself
issuer.pem  the intermediate that was used to sign the certificate
chain.pem   any certificate of the chain except the certificate itself and the root

The following script should do the job ...

#!/bin/sh
CAFILE=/etc/pki/tls/certs/ca-bundle.trust.crt
CERT=srvr.pem
ISSUER=issuer.pem
OCSPURL=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
OCSPHOST=$(echo "$OCSPURL" | gawk -F/ '{ print $3 }' -)
openssl ocsp -CAfile "$CAFILE" -no_nonce -issuer "$ISSUER" -cert "$CERT" -url "$OCSPURL" -header Host "$OCSPHOST"

but fails with

139966083565384:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate

why?

It can't be the solution to generate a new "cert store" (the concat of chain.pem and the real cert store) for each certificate I want to verify ...

Thanks,
Walter
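An added example, not Walter's script and not OpenSSL project code: a POSIX sh version of the check described in the thread. It assumes the file roles given above (cert.pem, issuer.pem, chain.pem, the CentOS bundle), the helper names are my own, and it treats a status line that follows "Response Verify Failure" as no answer at all rather than as a verified revocation.

```shell
# Added example, not from the thread. "openssl ocsp" chains the responder's
# signing cert through -CAfile/-CApath plus the certs embedded in the response
# only, so the intermediate in chain.pem is appended to a temp copy of the bundle.

# Host part of a URL (replaces the gawk field split); handles an optional port.
url_host() {
    h=${1#*://}
    h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# Reduce "openssl ocsp" output (stdout and stderr) to: good|revoked|unknown|error.
# The "cert.pem: revoked" summary is printed even after "Response Verify
# Failure", so the verify result is checked before the status is believed.
ocsp_status_from_output() {
    out=$(cat)
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    case "$out" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# check_ocsp cert.pem issuer.pem chain.pem [ca-bundle]; exit status 0 only for "good".
check_ocsp() {
    cert=$1; issuer=$2; chain=$3
    cafile=${4:-/etc/pki/tls/certs/ca-bundle.trust.crt}
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri) && [ -n "$url" ] || { echo error; return 1; }
    store=$(mktemp) || return 1
    cat "$cafile" "$chain" > "$store"
    # -header syntax below is OpenSSL 1.0.x; 1.1.0 and later take -header Host="$host"
    status=$(openssl ocsp -CAfile "$store" -no_nonce -issuer "$issuer" -cert "$cert" \
        -url "$url" -header Host "$(url_host "$url")" 2>&1 | ocsp_status_from_output)
    rm -f "$store"
    echo "$status"
    [ "$status" = good ]
}

# Constructed sample modelled on the thread's output: status line present,
# but the response could not be verified, so the result must be "error".
SAMPLE='Response Verify Failure
1:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:
srvr.pem: revoked'
printf '%s\n' "$SAMPLE" | ocsp_status_from_output   # prints: error
```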