On 01/10/2019 12:21, Jeremy Harris wrote:
> On 30/09/2019 17:02, Matt Caswell wrote:
>>> Alternatively^2, is there some way to get such a blob from a tool
>>> (openssl ocsp, or similar) ready built?  For this purpose, I am
>>> the CA.
>>>
>>
>> Yes, you can do this. For example see the "respout" option in the
>> ocsp command.
>>
>> From the examples in the ocsp man page:
>>
>> Send a query to an OCSP responder with URL http://ocsp.myhost.com/
>> save the response to a file, print it out in text form, and verify
>> the response:
>>
>> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
>>      -url http://ocsp.myhost.com/ -resp_text -respout resp.der
>
> I'm using the indexfile variant.  It seems that the -CA argument
> needs to be the signer of the cert, not the CA for the chain; and
> you cannot give -CA multiple times.  So you don't get good OCSP status
> for all elements in the chain:
>
> $ cat $ifile
> V	130110200751Z		65	unknown	CN=server1.example.com
> V	130110200751Z		66	unknown	CN=revoked1.example.com
> V	130110200751Z		67	unknown	CN=expired1.example.com
> V	130110200751Z		c9	unknown	CN=server2.example.com
> V	130110200751Z		ca	unknown	CN=revoked2.example.com
> V	130110200751Z		cb	unknown	CN=expired2.example.com
> V	130110200751Z		42	unknown	CN=clica Signing Cert rsa
> V	130110200751Z		41	unknown	CN=clica CA rsa
> $
> $ openssl ocsp -sha256 -no_nonce -issuer $CADIR/Signer.pem -cert $leafcert \
>     -issuer $CADIR/CA.pem -cert $CADIR/Signer.pem -cert $CADIR/CA.pem \
>     -reqout $REQ -req_text
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha256
>           Issuer Name Hash: 5AF082E51D62FE01FD706BAEBEB878DB64E68F76E74A36F36D914297DDEE24B8
>           Issuer Key Hash: 333DB14364B98E78A33DD8A4FAE8D8378EA9B0F5FBCA97B25685AA0D32116091
>           Serial Number: 65
>         Certificate ID:
>           Hash Algorithm: sha256
>           Issuer Name Hash: BFA7275A566EFD4BE2DF82DBD9D1290D470186F6FF2ACD8C16659F342AB56109
>           Issuer Key Hash: 208F9D28C7C0BC914144DFA8C0BE3D5B3BFCEBB622C8A8DC27E865FC06CA0E12
>           Serial Number: 42
>         Certificate ID:
>           Hash Algorithm: sha256
>           Issuer Name Hash: BFA7275A566EFD4BE2DF82DBD9D1290D470186F6FF2ACD8C16659F342AB56109
>           Issuer Key Hash: 208F9D28C7C0BC914144DFA8C0BE3D5B3BFCEBB622C8A8DC27E865FC06CA0E12
>           Serial Number: 41
> $
> $ openssl ocsp -index $ifile -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key \
>     -CA $CADIR/CA.pem -resp_no_certs -noverify -ndays 3652 -reqin $REQ \
>     -respout $RESP -resp_text | egrep '(Serial|Status)'
> OCSP Response Status: successful (0x0)
>           Serial Number: 65
>     Cert Status: unknown
>           Serial Number: 42
>     Cert Status: good
>           Serial Number: 41
>     Cert Status: good
> $
>
> No answers on how to get ocsp responses for all elements of a certificate chain?

-- 
Cheers,
  Jeremy
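An added example, not from the thread or from OpenSSL itself, to check which issuer certificate a request's CertID was built against: in the session above the serial-65 entry carries different Issuer Name/Key Hashes from the 42 and 41 entries, because it was built with Signer.pem as issuer while the indexfile responder was given CA.pem via -CA, so it answers "unknown" for that serial. The code below recomputes the two CertID hashes (RFC 6960 section 4.1.1) from an issuer certificate's DER with only the standard library; the minimal ASN.1 walker, the function names and the `{label: DER}` candidate dictionary are my own assumptions.

```python
import hashlib

def _tlv(buf, off):
    """Decode the DER tag/length at `off`; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a constructed value."""
    off = start
    while off < end:
        tag, vstart, vend = _tlv(buf, off)
        yield tag, vstart, vend, off
        off = vend

def ocsp_issuer_hashes(issuer_cert_der, algo="sha256"):
    """Hashes an OCSP CertID carries when `issuer_cert_der` is the issuer (RFC 6960 4.1.1):
    issuerNameHash = hash of the DER-encoded issuer Name, i.e. this cert's *subject* TLV;
    issuerKeyHash  = hash of the subjectPublicKey BIT STRING contents (tag, length and
    unused-bits byte excluded).  Returned as upper-case hex, as `openssl ocsp -req_text` prints."""
    _, cert_start, _ = _tlv(issuer_cert_der, 0)                    # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(issuer_cert_der, cert_start)       # tbsCertificate SEQUENCE
    fields = list(_children(issuer_cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, _, subj_end, subj_tlv = fields[4]
    _, spki_start, spki_end, _ = fields[5]
    _, bitstr = list(_children(issuer_cert_der, spki_start, spki_end))[:2]
    if bitstr[0] != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    key_bits = issuer_cert_der[bitstr[1] + 1:bitstr[2]]             # skip the unused-bits byte
    digest = lambda b: hashlib.new(algo, b).hexdigest().upper()
    return digest(issuer_cert_der[subj_tlv:subj_end]), digest(key_bits)

def matching_issuer(name_hash, key_hash, candidates, algo="sha256"):
    """Which candidate issuer ({label: DER bytes}) does a request's CertID refer to?
    `name_hash`/`key_hash` are the hex values printed by `openssl ocsp -req_text`."""
    want = (name_hash.upper(), key_hash.upper())
    for label, der in candidates.items():
        if ocsp_issuer_hashes(der, algo) == want:
            return label
    return None                                                     # a responder given another -CA answers "unknown"
```

Feed it the DER of each candidate issuer (`openssl x509 -in Signer.pem -outform DER`) together with the hashes from `-req_text`; any CertID that maps to a cert other than the one passed as -CA will not get a "good" answer from that responder invocation.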