Question RE certificate chain verification

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi, I am new to the list and have a question where it seems I cannot find the answer in archives here or in other sources.

We want to verify the certificate chain of an "official" certificate, but including the revocation status of the intermediate certs, via CRL or OCSP.
(The chain verification itself is easy and solved, our problems lie just with getting the revocation status of an arbitrary certificate).

It seems to turn out that a) this is seldom done completely (otherwise I think there would be more "working recipes") and it is not easy to do it in a generic way as we keep getting various errors at different steps.

Wtihout making it too long, we want to do the following:
a) retrieve and save certificate from server via URL
b)retrieve and save certificate chain from server
c) determine OCSP URL or CRL list URL
d1) verify cert against OCSP source OR
d2) download CRL; then verify cert against CRL

Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from current CentOS 7.

When using OCSP, we keep getting spurious error messages from the OCSP servers like "unauthorized" or "Bad request" when issuing an openssl command like

openssl ocsp  -no_nonce -issuer certificate1_chain.pem -cert certificate1.pem -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com/gsalphasha2g2" -resp_text
Error querying OCSP responsder (SIC!!)
140058021447584:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request

openssl ocsp -no_nonce -issuer certificate2_chain.pem -cert certificate2.pem -url http://ocsp.comodoca.com -header "HOST" "ocsp.comodoca.com" -resp_text
Responder Error: unauthorized (6)
(Note that this does not seem to be related to nonce requests or missing host headers - thanks to Ivan Ristic and others these are well-known problems...)
Needless to say that using a browser you get a 200 response!

When going the CRL way, we keep getting 
/usr/bin/openssl verify -crl_check_all -CAfile certificate1_chain_crl.pem certificate1.pem
certificate1.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate
error 20 at 0 depth lookup:unable to get local issuer certificate
although the chain seems to be complete and we downloaded the CRL from the CRL URL specified in the certificate. The depth 0 error can probably be ignored as this is the root cert!?
But the depth 2 cert is the final cert and all intermediates are given, so why can the issuer certificate not be found?

=> We are obviously doing things wrong or omitting something.
Has anybody out there a working recipe how to do this for typical certificate chains?

Thank you for any hints,
Jakob Curdes 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux