Hi,
I try to verify my Certs. After some research, I figured out what the error:
Code:
Verify error:unable to get local issuer certificate
exactly meant. Turns out, I missed the hash-based symbolic links in the CA-Path - so I created them accordingly.
In order to understand my hierarchy: I have a self-signed Root-CA.crt. Root-CA.crt is the daddy of Signing-CA.crt - it got signed by Root-CA.crt. Now each certificate I create for my network services is signed by Signing-CA.crt - such as e.g. FreeBSD.MyDomain.Local.crt.
- Root-CA.crt (Has no OCSP and CRL URL)
- Signing-CA.crt (Has no OCSP and CRL URL)
- ServerCert.crt (for Apache, Dovecot, and so on ... Has OCSP and CRL URL)
Code:
root@FreeBSD # ls -lach /etc/ssl/PKI/CA/
total 104
drwxr-xr-x 4 root wheel 512B 19 Apr 15:15 .
drwxr-xr-x 4 root wheel 512B 19 Apr 15:15 ..
lrwxr-xr-x 1 root wheel 16B 19 Apr 15:15 2a9fcf4c.0 -> ./Signing-CA.crt
lrwxr-xr-x 1 root wheel 13B 19 Apr 15:15 8d2fba8c.0 -> ./Root-CA.crt
-rw-r--r-- 1 root wheel 3.0K 19 Apr 15:15 CA-Chain.p7c
-rw-r--r-- 1 root wheel 4.0K 19 Apr 15:15 CA-Chain.pem
drwxr-xr-x 7 root wheel 512B 19 Apr 15:15 Root-CA
-rw-r--r-- 1 root wheel 7.1K 19 Apr 15:15 Root-CA.crt
-rw-r--r-- 1 root wheel 1.8K 19 Apr 15:15 Root-CA.csr
drwxr-xr-x 7 root wheel 512B 19 Apr 15:15 Signing-CA
-rw-r--r-- 1 root wheel 7.1K 19 Apr 15:15 Signing-CA.crt
-rw-r--r-- 1 root wheel 1.8K 19 Apr 15:15 Signing-CA.csr
Now verification seems to work:
Code:
root@FreeBSD # openssl verify -CApath /etc/ssl/PKI/CA/ /etc/ssl/PKI/CA/Signing-CA.crt
/etc/ssl/PKI/CA/Signing-CA.crt: OK
root@FreeBSD # openssl verify -CApath /etc/ssl/PKI/CA/ /etc/ssl/PKI/CA/Root-CA.crt
/etc/ssl/PKI/CA/Root-CA.crt: OK
openssl verify -CApath /etc/ssl/CA/ /etc/ssl/CA/Signing-CA/Certs/FreeBSD.MyDomain.Local.crt
/etc/ssl/PKI/CA/Signing-CA/Certs/WM-01.NetOcean.Local.crt: OK
All good so far. Now I need ocsp(1) to verify instead of regular verify(1). Unfortunately I don't get it working. This is how I try to verify:
Code:
spawn openssl ocsp -index ./../PKI/CA/Signing-CA/DB/Signing-CA.db \
-VAfile ./../PKI/CA/Signing-CA.crt \
-CA ./../PKI/CA/Signing-CA.crt \
-CApath ./../PKI/CA/ \
-rsigner ./../PKI/CA/Signing-CA.crt \
-rkey ./../PKI/CA/Signing-CA/Private/Signing-CA.key \
-resp_key_id \
-reqin ./filename-request.der \
-respout ./filename-response.der
expect -re ".*phrase.*:.*"
send -- "MySigningCAPassPhrase\r"
expect eof
Debugging the two files ./filename-request.der and ./filename-response.der tells me more:
Code:
openssl ocsp -reqin /tmp/OCSP/filename-request.der -text
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 4525615607ADBAF7C88C04352FD73B32B7939229
Produced At: Apr 25 22:06:31 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 70BE3B73C58233B7F4D1B1BEE03D4D597007CE30
Issuer Key Hash: 4525615607ADBAF7C88C04352FD73B32B7939229
Serial Number: 01
Cert Status: unknown
This Update: Apr 25 22:06:31 2015 GMT
Response Extensions:
OCSP Nonce:
04103501981BAAF67BA8E9A49CF05685B89B
Signature Algorithm: sha1WithRSAEncryption
1d:ce:4b:7f:91:66:09:3c:f8:e4:16:e8:7e:42:76:bd:1f:ee:
[...]
removed for demonstration
[...]
42:2c:8e:1d:c2:87:d6:2c
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
Validity
Not Before: Apr 19 13:15:43 2015 GMT
Not After : Apr 14 13:15:43 2035 GMT
Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c6:ae:05:17:cc:46:61:35:93:ca:9b:34:d4:38:
[...]
removed for demonstration
[...]
be:1e:63:66:90:95:92:d4:15:82:33:76:f9:0c:14:
2a:76:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
45:25:61:56:07:AD:BA:F7:C8:8C:04:35:2F:D7:3B:32:B7:93:92:29
X509v3 Authority Key Identifier:
keyid:0E:6E:61:08:F1:26:68:83:AC:4A:DD:AA:56:C5:B7:D6:E6:80:42:FA
Signature Algorithm: sha1WithRSAEncryption
5d:c1:ff:ef:1b:93:59:73:9d:ee:00:ba:3f:c3:f3:a3:23:20:
[...]
removed for demonstration
[...]
7e:e6:c5:ca:4e:31:93:a3
-----BEGIN CERTIFICATE-----
MIIFzzCCA7egAwIBAgIBAjANBgkqhkiG9w0BAQUFADB0MRMwEQYKCZImiZPyLGQB
[...]
removed for demonstration
[...]
MZOj
-----END CERTIFICATE-----
Response Verify Failure
34379245432:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/ocsp/ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
Why do I keep on getting this error
Code:
error:unable to get local issuer certificate
again?! This is where I'm currently stuck. Any hints on what blunder I've made in the ocsp command would be greatly appreciated.
Thanks a lot
cheers on that
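As an added example (not part of the original post; all names, paths and serials are constructed), the POSIX shell script below builds a throwaway Root CA / Signing CA / leaf hierarchy like the one described above, produces and answers an OCSP request for the leaf with the Signing CA key and -resp_key_id as the post does, and then verifies the response once against the root as trust anchor and once against an unrelated CA, which reproduces the "unable to get local issuer certificate" failure. It assumes the openssl(1) binary is on PATH and that a default openssl.cnf is installed.

```shell
# Added example, not from the original post: build a throwaway two-tier CA
# (Root CA -> Signing CA -> leaf), answer an OCSP request for the leaf with the
# Signing CA's own key, as the post does, and verify the response offline.
# All names and paths are constructed for the demo.
set -e
D=$(mktemp -d) && cd "$D"

# Self-signed Root CA, then a Signing CA issued by it (CA:TRUE, pathlen:0 like the post).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout sign.key -out sign.csr \
  -subj "/CN=Demo Signing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in sign.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out sign.crt -days 2 2>/dev/null

# Leaf with serial 0x1000 and a ca(1)-style index marking it valid ('V'); columns are
# status, expiry, revocation time (empty), serial as upper-case hex, file, subject.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=leaf.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA sign.crt -CAkey sign.key -set_serial 0x1000 \
  -out leaf.crt -days 2 2>/dev/null
printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=leaf.example.test\n' > index.txt

# An unrelated self-signed CA: a trust store that does not contain our root.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=Unrelated CA" -days 2 2>/dev/null

# Build the request. With no responder to query, openssl exits 1 after writing it.
openssl ocsp -issuer sign.crt -cert leaf.crt -no_nonce -reqout req.der 2>/dev/null || true

# Answer it from index.txt, signed by the Signing CA key and identified by key hash
# (-resp_key_id, as in the post). The responder verifies its own response before
# exiting, so it too needs the trust anchor via -CAfile.
openssl ocsp -index index.txt -CA sign.crt -rsigner sign.crt -rkey sign.key \
  -resp_key_id -CAfile root.crt -reqin req.der -respout resp.der >/dev/null 2>&1

# Exit 0 only if the response verifies against the given anchor(s): the signer cert
# is taken from the response itself and chained to the anchor; no -VAfile, no -issuer.
ocsp_verify() { openssl ocsp -respin "$1" -reqin "$2" -CAfile "$3" >/dev/null 2>&1; }
# Certificate status carried in the response (good / revoked / unknown).
ocsp_status() {
  openssl ocsp -respin "$1" -noverify -no_nonce -text 2>/dev/null | sed -n 's/.*Cert Status: //p'
}

ocsp_verify resp.der req.der root.crt && echo "anchor root.crt: verify OK, status $(ocsp_status resp.der)"
# An anchor without the root reproduces the post's "unable to get local issuer certificate".
ocsp_verify resp.der req.der other.crt || echo "anchor other.crt: verify FAILED"
```

Running it under `sh -x` shows each openssl invocation; the trust anchor handed to the verifying side is what decides whether the Signing CA embedded in the response can be chained.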