Re: full-chain ocsp stapling

Jeremy Harris <jgh@xxxxxxxxxxx> · Tue, 1 Oct 2019 12:21:21 +0100

On 30/09/2019 17:02, Matt Caswell wrote:
>> Alternatively^2, is there some way to get such a blob from a tool 
>> (openssl ocsp, or similar) ready built?   For this purpose, I am 
>> the CA.
>> 
> 
> Yes, you can do this. For example see the "respout" option in the 
> ocsp command.
> 
> From the examples in the ocsp man page:
> 
> Send a query to an OCSP responder with URL http://ocsp.myhost.com/ 
> save the response to a file, print it out in text form, and verify 
> the response:
> 
> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ -url 
> http://ocsp.myhost.com/ -resp_text -respout resp.der

I'm using the indexfile variant.  It seems that the -CA argument
needs to be the signer of the cert, not the CA for the chain; and
you cannot give -CA multiple times.  So you don't get good OCSP status
for all elements in the chain:

$ cat $ifile
V       130110200751Z           65      unknown CN=server1.example.com
V       130110200751Z           66      unknown CN=revoked1.example.com
V       130110200751Z           67      unknown CN=expired1.example.com
V       130110200751Z           c9      unknown CN=server2.example.com
V       130110200751Z           ca      unknown CN=revoked2.example.com
V       130110200751Z           cb      unknown CN=expired2.example.com
V       130110200751Z           42      unknown CN=clica Signing Cert rsa
V       130110200751Z           41      unknown CN=clica CA rsa
$
$ openssl ocsp -sha256 -no_nonce -issuer $CADIR/Signer.pem -cert
$leafcert -issuer $CADIR/CA.pem -cert $CADIR/Signer.pem -cert
$CADIR/CA.pem -reqout $REQ -req_text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha256
          Issuer Name Hash:
5AF082E51D62FE01FD706BAEBEB878DB64E68F76E74A36F36D914297DDEE24B8
          Issuer Key Hash:
333DB14364B98E78A33DD8A4FAE8D8378EA9B0F5FBCA97B25685AA0D32116091
          Serial Number: 65
        Certificate ID:
          Hash Algorithm: sha256
          Issuer Name Hash:
BFA7275A566EFD4BE2DF82DBD9D1290D470186F6FF2ACD8C16659F342AB56109
          Issuer Key Hash:
208F9D28C7C0BC914144DFA8C0BE3D5B3BFCEBB622C8A8DC27E865FC06CA0E12
          Serial Number: 42
        Certificate ID:
          Hash Algorithm: sha256
          Issuer Name Hash:
BFA7275A566EFD4BE2DF82DBD9D1290D470186F6FF2ACD8C16659F342AB56109
          Issuer Key Hash:
208F9D28C7C0BC914144DFA8C0BE3D5B3BFCEBB622C8A8DC27E865FC06CA0E12
          Serial Number: 41
$
$ openssl ocsp -index $ifile -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key
-CA $CADIR/CA.pem -resp_no_certs -noverify         -ndays 3652 -reqin
$REQ -respout $RESP -resp_text | egrep '(Serial|Status)'
    OCSP Response Status: successful (0x0)
      Serial Number: 65
    Cert Status: unknown
      Serial Number: 42
    Cert Status: good
      Serial Number: 41
    Cert Status: good
$

-- 
Cheers,
  Jeremy