[rs-dev] CRL working nicely - hitting an issue on OCSP

Dirk-Willem van Gulik dirkx at webweaving.org
Sat Feb 15 22:27:32 CET 2020


On 15 Feb 2020, at 21:33, Dirk-Willem van Gulik via rs-dev <rs-dev at redwax.eu> wrote:

> Got a better range of tests now on CRLs (attached in their NIX version; have a variation for FreeBSD).
> 
> But OCSP has me stumped. Config as per below 'gen.sh' script (which sort of assumes debian/ubuntu apache locations).
> 
> Salient parts are:
> 
>     CASimpleCertificate $dir/ca.pem
>     CACRLCertificateRevocationList "/root/web/ca-users-crl.pem"
> 
> which contains cert 3 and 4 revoked. This works fine with the CRL responder. For the OCSP responder I have:
> 
>     <Location /ocsp>
>         SetHandler ocsp
>         OcspSigningCertificate "$dir/ca-users.pem"
>         OcspSigningKey "$dir/ca-users.pem"
>     </Location>
> 
> and then a query for cert 4 (which is revoked) gives me:
> 
> openssl ocsp -issuer web/ca-users.pem  -cert web/person-malory.pem -url https://site.local/ocsp -resp_text
> 
>     OCSP Response Data:
>         OCSP Response Status: successful (0x0)
>         Response Type: Basic OCSP Response
>         Version: 1 (0x0)
>         Responder Id: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = OCSP Department
>         Produced At: Feb 15 20:03:15 2020 GMT
>         Responses:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
>           Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
>           Serial Number: 04
>         Cert Status: unknown
>         This Update: Feb 15 20:03:15 2020 GMT
> ...
>     Response verify OK
>     /root/web/person-malory.pem: unknown
>         This Update: Feb 15 20:03:15 2020 GMT
> 
> With
> 
>     openssl x509 -noout -ocspid -in web/ca-users.pem
>         Subject OCSP hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
>         Public key OCSP hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
> 
>     openssl x509 -in web/person-malory.pem -noout -text
> ...
>             X509v3 Subject Key Identifier:
>                 62:2D:1C:95:90:8A:2B:35:B0:6B:3B:A1:A6:1D:D3:37:3E:C7:3D:0B
> ...
> 
> confirming that ca-users.pem is indeed the right issuer; and that the cert is issued by this CA; and so on.
> 
> But still getting '/root/web/person-malory.pem: unknown'

Ok - it should have rung a bell - the issue was that CASimpleCertificate was pointing to the wrong CA - so our poor OCSP responder never recognized it properly.

Apologies for the noise!

Dw.
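Added example, not code from this thread or from the Redwax project: a small POSIX shell check to run before enabling the responder. It confirms that the certificate handed to CASimpleCertificate has the same OCSP identity (the issuer name hash and issuer key hash that `openssl x509 -ocspid` prints, and that a client puts in its CertID) as the issuer file the client will use, and that the end-entity certificate really chains to it. A mismatch is exactly the misconfiguration above, where the responder only ever answers "unknown". The function name and file arguments are my own.

```shell
#!/bin/sh
# Pre-deployment check for an OCSP responder configured with a CA certificate
# (e.g. mod_ca's CASimpleCertificate). Hypothetical helper, not project code.
set -eu

# Print a certificate's OCSP identity: its subject-name hash and public-key
# hash, i.e. the Issuer Name Hash / Issuer Key Hash a client sends in CertID.
ocsp_id() {
    openssl x509 -noout -ocspid -in "$1" | awk '{print $NF}' | tr '\n' ' '
}

# check_ocsp_issuer CONFIGURED_CA CLIENT_ISSUER LEAF
#   CONFIGURED_CA : the file given to the responder (CASimpleCertificate)
#   CLIENT_ISSUER : the file an OCSP client passes as -issuer
#   LEAF          : the end-entity certificate whose status is queried
# Returns 0 when the responder will recognise the CertID for LEAF, 1 otherwise.
check_ocsp_issuer() {
    configured_ca=$1; client_issuer=$2; leaf=$3

    # 1. The CertID the client computes from CLIENT_ISSUER must match the
    #    identity of the CA the responder actually knows about.
    if [ "$(ocsp_id "$configured_ca")" != "$(ocsp_id "$client_issuer")" ]; then
        echo "OCSP identity mismatch: $configured_ca is not $client_issuer" >&2
        return 1
    fi

    # 2. That CA must really have signed LEAF (-partial_chain lets an
    #    intermediate such as ca-users.pem act as the trust anchor).
    if ! openssl verify -partial_chain -CAfile "$configured_ca" "$leaf" >/dev/null 2>&1; then
        echo "$leaf does not chain to $configured_ca" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: check_ocsp_issuer.sh CONFIGURED_CA CLIENT_ISSUER LEAF
if [ "$#" -eq 3 ]; then
    check_ocsp_issuer "$1" "$2" "$3" && echo "OK: $1 is the issuer of $3"
fi
```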
