Hi,
I've read all of "HOWTO-OCSP-RESPONDER".
I've done all steps described in the howto.
Then I tried to test with Simple OCSP client ocsp.sh and with openssl ocsp command.
I received the error "Internal Server Error" 500
-----------
OpenSSL> ocsp -issuer OCSPAdminCA1.pem -CAfile AdminCA1.pem -cert Test24.pem -req_text -url http://ocsp.mobisafe.bg:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 4145F8A5CCF07E01EBF1D22D40A1E29392B1E02E
Issuer Key Hash: 58E51A57514F87205AB8AD2232B8EF41F0A8EBC5
Serial Number: 643C812AEA04854E
Request Extensions:
OCSP Nonce:
0410E8A82380A34DA4F53A0DEE2A6A5867A0
Error querying OCSP responsder
832:error:27070072:OCSP routines:OCSP_sendreq_bio:server response error:.\crypto\ocsp\ocsp_ht.c:147:Code=500,Reason=Internal Server Error
error in ocsp
-----------------------------------------------------
Please tell me if I am wrong in something!
Kind Regards,
Plamen Gribachev
Internal server error is usually because of some misconfiguration of CA certificates in the responder. Look in server.log (JBOSS_HOME/server/default/log/server.log) on the OCSP responder. It should probably be clear there what the problem is.
server.log always tells the truth :)
Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA-subscription, including support and new extensions for EJBCA. Please see www.primekey.se or contact info@primekey.se for more information.
Hi Tomas,
I've read server.log; I always read JBoss's server.log. It's usually too big :-)
Here are parts of my server.log:
-----------------------------------------------------------------------
2008-03-01 17:48:55,112 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 1294698461892045370 from issuer C=BG, O=SEP, CN=PlaGri SubCA has no chain to a root CA.
2008-03-01 17:48:55,112 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/ejbca/publicweb/status].[OCSP]] Servlet.service() for servlet OCSP threw exception
javax.servlet.ServletException: No valid keys in directory /usr/local/jboss-4.0.5.GA/bin/keys
--------------------------------------------------------------------------
I didn't understand "No valid keys in directory"?
I have created jks files for the OCSP certificates of my CAs and copied them into the /usr/local/jboss-4.0.5.GA/bin/keys directory. I think my keystore jks files are ok.
I tested it with "keytool -list -alias AdminCA1 -keystore adminca1.jks -storepass foo123"
Maybe I have to create p12 files?
Please give me idea how to resolve this problem!
Kind Regards,
Plamen Gribachev
The certificate chain needs to be in the database. This means that you have to publish both the SubCA and the RootCA certificate to the OCSP responder.
I think this is mentioned somewhere in the howto? Probably something that should be stressed more clearly though, since it is a common mistake.
Cheers,
Tomas
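The chain requirement Tomas describes can be checked offline. The following is an added example, not EJBCA's own code: each certificate is modelled only as a (subject DN, issuer DN) pair, the CA names are taken from this thread, and the OCSP signer DNs are constructed for the example. It walks issuer links from an OCSP signing certificate through the CA certificates published to the responder and reports the signer as unusable when a link (here the SubCA) was never published, which is the situation behind the "has no chain to a root CA" warning.

```python
"""Chain building as an OCSP responder does for each signing certificate.
Added example (not EJBCA code): certificates are (subject DN, issuer DN)
pairs; CA names come from the thread, signer DNs are constructed."""


def build_chain(signer, published_cas):
    """Follow issuer links from the signing cert through the published CA certs.
    Returns [signer DN, ..., root DN], or None when an issuer is not published
    (the responder's 'has no chain to a root CA' case)."""
    issuer_of = {subject: issuer for subject, issuer in published_cas}
    chain = [signer[0]]
    issuer = signer[1]
    while issuer not in chain:            # guard against malformed issuer loops
        if issuer not in issuer_of:
            return None                   # missing link: this issuer was never published
        chain.append(issuer)
        if issuer_of[issuer] == issuer:   # self-signed: reached the root CA
            return chain
        issuer = issuer_of[issuer]
    return None


def usable_signers(signers, published_cas):
    """Map each OCSP signer DN to its chain, or None if the signer cannot be used."""
    return {s[0]: build_chain(s, published_cas) for s in signers}


ROOT = "CN=SEP Root CA,O=SEP,C=BG"
SUBCA = "CN=PlaGri SubCA,O=SEP,C=BG"
ADMIN = "CN=AdminCA1,O=EJBCA Sample,C=SE"
# OCSP signing certificates, one per CA (constructed DNs, issuer = the CA)
SIGNERS = [("CN=OCSP AdminCA1,O=SEP,C=BG", ADMIN),
           ("CN=OCSP PlaGri SubCA,O=SEP,C=BG", SUBCA)]
# Published before the fix: only the self-signed AdminCA1 and the off-line root
PUBLISHED_BEFORE = [(ADMIN, ADMIN), (ROOT, ROOT)]
# After also publishing the SubCA certificate (issued by the root)
PUBLISHED_AFTER = PUBLISHED_BEFORE + [(SUBCA, ROOT)]

if __name__ == "__main__":
    for label, cas in (("before", PUBLISHED_BEFORE), ("after", PUBLISHED_AFTER)):
        for dn, chain in usable_signers(SIGNERS, cas).items():
            print(label, dn, "->", chain or "no chain to a root CA")
```

Run as a script it prints one line per signer for the "before" and "after" sets; the SubCA signer only gets a chain once the SubCA certificate is in the published set, while the AdminCA1 signer chains directly to its self-signed CA in both cases.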
Hi Tomas,
Thank you very much for your co-operation!
I've succeeded in publishing the AdminCA1 CA certificate (I had missed this step :-)) and in making OCSP requests for a certificate issued by AdminCA1. I've tested with "ocsp.sh" and "openssl ocsp" successfully.
What about a chain of off-line RootCA and on-line SubCA? I've published two CA certificates, but receive an error when I use "ocsp.sh" or "openssl ocsp":
----------------------------------------------------------------
[root@localhost6 ocspclient]# ./ocsp.sh http://127.0.0.1:8080/ejbca/publicweb/status/ocsp Test23.pem PlaGriSubCA.pem
0 [main] ERROR org.ejbca.util.CertTools - IMPLICITLYCA_Q not set!
1 [main] ERROR org.ejbca.util.CertTools - IMPLICITLYCA_A not set!
2 [main] ERROR org.ejbca.util.CertTools - IMPLICITLYCA_B not set!
2 [main] ERROR org.ejbca.util.CertTools - IMPLICITLYCA_G not set!
2 [main] ERROR org.ejbca.util.CertTools - IMPLICITLYCA_N not set!
Public key presented not for certificate signature
java.security.InvalidKeyException: Public key presented not for certificate signature
at org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(Unknown Source)
at org.bouncycastle.jce.provider.X509CertificateObject.verify(Unknown Source)
at org.ejbca.core.protocol.ocsp.OCSPUnidClient.sendOCSPPost(OCSPUnidClient.java:252)
at org.ejbca.core.protocol.ocsp.OCSPUnidClient.lookup(OCSPUnidClient.java:166)
at org.ejbca.ui.cli.Ocsp.main(Ocsp.java:73)
--------------------------------------------------------------------
Here is the server.log:
---------------------------------------------------------------------
2008-03-07 09:53:22,645 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] >doPost()
2008-03-07 09:53:22,646 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] >service()
2008-03-07 09:53:22,648 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >findCertificatesByType()
2008-03-07 09:53:22,648 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] findCertificatesByType() : executing SQL statement
SELECT DISTINCT fingerprint FROM CertificateData WHERE status = 20 AND type IN (2, 8)
2008-03-07 09:53:22,661 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >findCertificateByFingerprint()
2008-03-07 09:53:22,662 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCFindByPrimaryKeyQuery.CertificateData#findByPrimaryKey] Executing SQL: SELECT t0_CertificateData.fingerprint FROM CertificateData t0_CertificateData WHERE t0_CertificateData.fingerprint=?
2008-03-07 09:53:22,667 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,668 DEBUG [org.ejbca.util.CertTools] >getCertfromByteArray:
2008-03-07 09:53:22,669 DEBUG [org.ejbca.util.CertTools] <getCertfromByteArray:
2008-03-07 09:53:22,670 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <findCertificateByFingerprint()
2008-03-07 09:53:22,670 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >findCertificateByFingerprint()
2008-03-07 09:53:22,670 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCFindByPrimaryKeyQuery.CertificateData#findByPrimaryKey] Executing SQL: SELECT t0_CertificateData.fingerprint FROM CertificateData t0_CertificateData WHERE t0_CertificateData.fingerprint=?
2008-03-07 09:53:22,671 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,673 DEBUG [org.ejbca.util.CertTools] >getCertfromByteArray:
2008-03-07 09:53:22,673 DEBUG [org.ejbca.util.CertTools] <getCertfromByteArray:
2008-03-07 09:53:22,674 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <findCertificateByFingerprint()
2008-03-07 09:53:22,674 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <findCertificatesByType()
2008-03-07 09:53:22,680 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] 2 ca certificates
2008-03-07 09:53:22,686 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >isRevoked(), dn:C=BG, O=SEP, CN=Test SubCA, serno=449921bf64fcaf84
2008-03-07 09:53:22,686 DEBUG [org.ejbca.util.CertTools] >reverseDN: dn: C=BG, O=SEP, CN=Test SubCA
2008-03-07 09:53:22,686 DEBUG [org.ejbca.util.CertTools] <reverseDN: resulting dn: CN=Test SubCA,O=SEP,C=BG
2008-03-07 09:53:22,686 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLQuery.CertificateData#findByIssuerDNSerialNumber] Executing SQL: SELECT t0_a.fingerprint FROM CertificateData t0_a WHERE (t0_a.issuerDN = ? AND t0_a.serialNumber = ?)
2008-03-07 09:53:22,689 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,691 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,693 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,695 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,697 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,700 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,702 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <isRevoked() returned no
2008-03-07 09:53:22,704 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=Test SubCA'. target subject: 'C=SE, O=EJBCA Sample, CN=AdminCA1'.
2008-03-07 09:53:22,704 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=Test SubCA'. target subject: 'C=BG, O=SEP, CN=SEP Root CA'.
2008-03-07 09:53:22,705 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 4943019171932581764 from issuer C=BG, O=SEP, CN=Test SubCA has no chain to a root CA.
2008-03-07 09:53:22,707 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >isRevoked(), dn:C=SE, O=EJBCA Sample, CN=AdminCA1, serno=2b98af18a5d91189
2008-03-07 09:53:22,707 DEBUG [org.ejbca.util.CertTools] >reverseDN: dn: C=SE, O=EJBCA Sample, CN=AdminCA1
2008-03-07 09:53:22,707 DEBUG [org.ejbca.util.CertTools] <reverseDN: resulting dn: CN=AdminCA1,O=EJBCA Sample,C=SE
2008-03-07 09:53:22,707 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLQuery.CertificateData#findByIssuerDNSerialNumber] Executing SQL: SELECT t0_a.fingerprint FROM CertificateData t0_a WHERE (t0_a.issuerDN = ? AND t0_a.serialNumber = ?)
2008-03-07 09:53:22,709 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,711 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,712 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,714 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,716 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,717 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,719 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <isRevoked() returned no
2008-03-07 09:53:22,720 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=SE, O=EJBCA Sample, CN=AdminCA1'. target subject: 'C=SE, O=EJBCA Sample, CN=AdminCA1'.
2008-03-07 09:53:22,721 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] CN=AdminCA1,O=EJBCA Sample,C=SE has caid: -1688117755
2008-03-07 09:53:22,721 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] CA with ID -1688117755 now has a OCSP signing key.
2008-03-07 09:53:22,723 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >isRevoked(), dn:C=BG, O=SEP, CN=PlaGri SubCA, serno=11f7b1643851ea3a
2008-03-07 09:53:22,724 DEBUG [org.ejbca.util.CertTools] >reverseDN: dn: C=BG, O=SEP, CN=PlaGri SubCA
2008-03-07 09:53:22,724 DEBUG [org.ejbca.util.CertTools] <reverseDN: resulting dn: CN=PlaGri SubCA,O=SEP,C=BG
2008-03-07 09:53:22,724 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLQuery.CertificateData#findByIssuerDNSerialNumber] Executing SQL: SELECT t0_a.fingerprint FROM CertificateData t0_a WHERE (t0_a.issuerDN = ? AND t0_a.serialNumber = ?)
2008-03-07 09:53:22,726 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,727 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,729 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,731 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,733 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,735 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,737 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <isRevoked() returned no
2008-03-07 09:53:22,737 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=PlaGri SubCA'. target subject: 'C=SE, O=EJBCA Sample, CN=AdminCA1'.
2008-03-07 09:53:22,738 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=PlaGri SubCA'. target subject: 'C=BG, O=SEP, CN=SEP Root CA'.
2008-03-07 09:53:22,738 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 1294698461892045370 from issuer C=BG, O=SEP, CN=PlaGri SubCA has no chain to a root CA.
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Found the following CA certificates :
CN=AdminCA1,O=EJBCA Sample,C=SE,552987c3fd9cdf64
CN=SEP Root CA,O=SEP,C=BG,2bcee9c27c2181f1
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Incoming OCSP request is signed : false
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] The OCSP request contains 1 simpleRequests.
2008-03-07 09:53:22,739 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Received OCSP request for certificate with serNo: 3431a38ba55521cb, and issuerNameHash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7.
2008-03-07 09:53:22,740 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificate hashes:
Hash algorithm : '1.3.14.3.2.26'
CA certificate
CA SubjectDN: 'CN=AdminCA1,O=EJBCA Sample,C=SE'
SerialNumber: '552987c3fd9cdf64'
CA certificate hashes
Name hash : '4145f8a5ccf07e01ebf1d22d40a1e29392b1e02e'
Key hash : 'a7027e0203301199a20b9466acb19804a4aa8dad'
OCSP certificate hashes
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificate hashes:
Hash algorithm : '1.3.14.3.2.26'
CA certificate
CA SubjectDN: 'CN=SEP Root CA,O=SEP,C=BG'
SerialNumber: '2bcee9c27c2181f1'
CA certificate hashes
Name hash : '5fbd0d6e25fe4960b15e17e6af8753667421d28e'
Key hash : '311a50a15bdf7d4863959ac6a323d0354cc77b11'
OCSP certificate hashes
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Did not find matching CA-cert for:
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificates:
CA certificate DN: CN=AdminCA1,O=EJBCA Sample,C=SE
Subject DN: CN=AdminCA1,O=EJBCA Sample,C=SE
2008-03-07 09:53:22,741 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Unable to find CA certificate by issuer name hash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7, using the default reponder to send 'UnknownStatus'.
2008-03-07 09:53:22,742 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] CN=AdminCA1,O=EJBCA Sample,C=SE has caid: -1688117755
2008-03-07 09:53:22,742 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] Using signature algorithm for response: SHA1WithRSA
2008-03-07 09:53:22,742 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing algorithm: SHA1WithRSA
2008-03-07 09:53:22,796 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] Signing OCSP response with OCSP signer cert: C=BG, L=Sofia, O=SEP, OU=IT Security, CN=OCSP AdminCA1
2008-03-07 09:53:22,798 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] The OCSP response is verifying.
2008-03-07 09:53:22,800 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Cert chain for OCSP signing is of size 2
2008-03-07 09:53:22,855 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] <service()
2008-03-07 09:53:22,855 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] <doPost()
----------------------------------------------------------------------------
I have three jks files for three OCSP certificates for three CAs (one for AdminCA and two for SubCAs from the off-line RootCA).
I've published the off-line RootCA certificate in the OCSP database.
Please help me!
Kind Regards,
Plamen Gribachev
This message:
2008-03-07 09:53:22,741 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Unable to find CA certificate by issuer name hash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7, using the default reponder to send 'UnknownStatus'.
You only have two CA certificates according to the log:
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Found the following CA certificates :
CN=AdminCA1,O=EJBCA Sample,C=SE,552987c3fd9cdf64
CN=SEP Root CA,O=SEP,C=BG,2bcee9c27c2181f1
and you have this warning:
2008-03-07 09:53:22,738 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 1294698461892045370 from issuer C=BG, O=SEP, CN=PlaGri SubCA has no chain to a root CA.
My guess is that the SubCA certificates are not in the database?
Cheers,
Tomas
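The log lines Tomas points at compare two SHA-1 hashes from the request's CertID (issuerNameHash and issuerKeyHash, RFC 6960) against each published CA certificate, and both must match. The following added example (not EJBCA code) reproduces that lookup offline: it contains a minimal DER encoder that builds constructed certificates (names from this thread, dummy key and signature bytes), a parser that extracts the subject Name and subjectPublicKey the way the hashes are defined, and the responder-style lookup. The request hashed against an unpublished SubCA yields no match, as in the log; publishing it fixes the lookup; and a CA renewed under the same name with a new key is a separate case the example also shows. `make_cert`, `cert_fields`, `ocsp_hashes` and `find_issuing_ca` are this example's own names.

```python
"""OCSP CertID issuer hashes (RFC 6960) computed from DER certificates and
looked up against published CA certs. Added example, not EJBCA code;
certificates are constructed in-line with dummy keys and signatures."""
import hashlib

SEQ, SET, INT, OID, NULL, BITSTR, PRINTABLE, UTCTIME, EXPLICIT0 = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x13, 0x17, 0xA0)
ATTR_OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}


def der(tag, body):
    """Encode one DER TLV (definite length; long form above 127 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


RSA_ALG = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))


def encode_name(rdns):
    """X.501 Name from ordered (type, value) pairs, e.g. [("C","BG"),("O","SEP"),...]."""
    return der(SEQ, b"".join(
        der(SET, der(SEQ, der(OID, ATTR_OID[t]) + der(PRINTABLE, v.encode("ascii"))))
        for t, v in rdns))


def make_cert(subject, issuer, serial, pubkey):
    """Constructed X.509 certificate: real structure, dummy key and signature bytes."""
    spki = der(SEQ, RSA_ALG + der(BITSTR, b"\x00" + pubkey))
    validity = der(SEQ, der(UTCTIME, b"080101000000Z") + der(UTCTIME, b"180101000000Z"))
    tbs = der(SEQ, der(EXPLICIT0, der(INT, b"\x02")) + der(INT, serial) + RSA_ALG
              + encode_name(issuer) + validity + encode_name(subject) + spki)
    return der(SEQ, tbs + RSA_ALG + der(BITSTR, b"\x00" * 17))


def tlv(buf, pos=0):
    """Decode one DER TLV at pos: (tag, raw TLV bytes, body bytes, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    end = pos + hdr + n
    return tag, buf[pos:end], buf[pos + hdr:end], end


def cert_fields(cert_der):
    """Return (issuer Name DER, subject Name DER, subjectPublicKey bytes)."""
    _, _, tbs, _ = tlv(tlv(cert_der)[2])      # Certificate -> tbsCertificate body
    tag, _, _, pos = tlv(tbs)
    pos = pos if tag == EXPLICIT0 else 0      # skip optional [0] version
    _, _, _, pos = tlv(tbs, pos)              # serialNumber
    _, _, _, pos = tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, _, pos = tlv(tbs, pos)         # issuer (raw TLV, as OCSP hashes it)
    _, _, _, pos = tlv(tbs, pos)              # validity
    _, subject, _, pos = tlv(tbs, pos)        # subject (raw TLV)
    _, _, spki, _ = tlv(tbs, pos)             # subjectPublicKeyInfo
    _, _, _, p = tlv(spki)                    # algorithm
    _, _, bits, _ = tlv(spki, p)              # subjectPublicKey BIT STRING
    return issuer, subject, bits[1:]          # drop the unused-bits octet


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def ocsp_hashes(ca_cert_der):
    """(issuerNameHash, issuerKeyHash) for certs issued by this CA: sha1 of the
    CA's subject Name DER and sha1 of its subjectPublicKey bits."""
    _, subject, key = cert_fields(ca_cert_der)
    return sha1_hex(subject), sha1_hex(key)


def find_issuing_ca(name_hash, key_hash, published):
    """Responder-style lookup: DN of the published CA whose name AND key hash match, else None."""
    for dn, cert in published.items():
        if ocsp_hashes(cert) == (name_hash.lower(), key_hash.lower()):
            return dn
    return None


def dn_string(rdns):
    """Render a Name the way the responder log prints it (CN first)."""
    return ",".join(f"{t}={v}" for t, v in reversed(rdns))


# Constructed sample PKI: names from the thread, serials and keys are dummy bytes.
ROOT_DN = [("C", "BG"), ("O", "SEP"), ("CN", "SEP Root CA")]
SUBCA_DN = [("C", "BG"), ("O", "SEP"), ("CN", "PlaGri SubCA")]
ADMIN_DN = [("C", "SE"), ("O", "EJBCA Sample"), ("CN", "AdminCA1")]
ROOT_KEY, SUBCA_KEY, ADMIN_KEY = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
ROOT = make_cert(ROOT_DN, ROOT_DN, b"\x2b\xce", ROOT_KEY)
SUBCA = make_cert(SUBCA_DN, ROOT_DN, b"\x11\xf7", SUBCA_KEY)
ADMIN = make_cert(ADMIN_DN, ADMIN_DN, b"\x55\x29", ADMIN_KEY)
ADMIN_RENEWED = make_cert(ADMIN_DN, ADMIN_DN, b"\x55\x2a", b"\x04" * 32)  # same name, new key

if __name__ == "__main__":
    published = {dn_string(ADMIN_DN): ADMIN, dn_string(ROOT_DN): ROOT}  # DB before the fix
    req = ocsp_hashes(SUBCA)  # what a client puts in the CertID for a SubCA-issued cert
    print("issuerNameHash", req[0], "issuerKeyHash", req[1])
    print("SubCA not published ->", find_issuing_ca(*req, published))
    published[dn_string(SUBCA_DN)] = SUBCA
    print("SubCA published     ->", find_issuing_ca(*req, published))
    print("renewed CA key      ->", find_issuing_ca(*ocsp_hashes(ADMIN_RENEWED), published))
```

The lookup keys on both hashes on purpose: a CA certificate renewed with a new key pair carries the same name hash but a different key hash, so it has to be published to the responder as its own entry before requests built from the new issuer certificate can be answered.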
Hi Tomas,
You are right :-) It's stupid on my side, because it happened twice. I had forgotten to publish the SubCA; I was confused by the OCSP certificate, which I published first.
Sorry!
Now I can make OCSP requests with ocsp.sh or openssl ocsp successfully.
P.S
Yesterday I sent you an email regarding commercial support for EJBCA; did you receive it?
Kind Regards,
Plamen Gribachev
Yes, I received your email. Did you not receive my answer?
If you did not, can you mail me again and give me your "real" email address? I replied to the sourceforge address.
Regards,
Tomas
2008-03-07 09:53:22,716 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,717 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,719 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <isRevoked() returned no
2008-03-07 09:53:22,720 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=SE, O=EJBCA Sample, CN=AdminCA1'. target subject: 'C=SE, O=EJBCA Sample, CN=AdminCA1'.
2008-03-07 09:53:22,721 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] CN=AdminCA1,O=EJBCA Sample,C=SE has caid: -1688117755
2008-03-07 09:53:22,721 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] CA with ID -1688117755 now has a OCSP signing key.
2008-03-07 09:53:22,723 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] >isRevoked(), dn:C=BG, O=SEP, CN=PlaGri SubCA, serno=11f7b1643851ea3a
2008-03-07 09:53:22,724 DEBUG [org.ejbca.util.CertTools] >reverseDN: dn: C=BG, O=SEP, CN=PlaGri SubCA
2008-03-07 09:53:22,724 DEBUG [org.ejbca.util.CertTools] <reverseDN: resulting dn: CN=PlaGri SubCA,O=SEP,C=BG
2008-03-07 09:53:22,724 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCEJBQLQuery.CertificateData#findByIssuerDNSerialNumber] Executing SQL: SELECT t0_a.fingerprint FROM CertificateData t0_a WHERE (t0_a.issuerDN = ? AND t0_a.serialNumber = ?)
2008-03-07 09:53:22,726 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,727 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,729 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,731 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,733 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,735 DEBUG [org.jboss.ejb.plugins.cmp.jdbc.JDBCLoadEntityCommand.CertificateData] Executing SQL: SELECT issuerDN, subjectDN, cAFingerprint, status, type, serialNumber, expireDate, revocationDate, revocationReason, base64Cert, username FROM CertificateData WHERE (fingerprint=?)
2008-03-07 09:53:22,737 DEBUG [org.ejbca.core.ejb.ca.store.CertificateStoreOnlyDataSessionSession] <isRevoked() returned no
2008-03-07 09:53:22,737 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=PlaGri SubCA'. target subject: 'C=SE, O=EJBCA Sample, CN=AdminCA1'.
2008-03-07 09:53:22,738 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] current issuer 'C=BG, O=SEP, CN=PlaGri SubCA'. target subject: 'C=BG, O=SEP, CN=SEP Root CA'.
2008-03-07 09:53:22,738 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 1294698461892045370 from issuer C=BG, O=SEP, CN=PlaGri SubCA has no chain to a root CA.
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Found the following CA certificates :
CN=AdminCA1,O=EJBCA Sample,C=SE,552987c3fd9cdf64
CN=SEP Root CA,O=SEP,C=BG,2bcee9c27c2181f1
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Incoming OCSP request is signed : false
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] The OCSP request contains 1 simpleRequests.
2008-03-07 09:53:22,739 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Received OCSP request for certificate with serNo: 3431a38ba55521cb, and issuerNameHash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7.
2008-03-07 09:53:22,740 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificate hashes:
Hash algorithm : '1.3.14.3.2.26'
CA certificate
CA SubjectDN: 'CN=AdminCA1,O=EJBCA Sample,C=SE'
SerialNumber: '552987c3fd9cdf64'
CA certificate hashes
Name hash : '4145f8a5ccf07e01ebf1d22d40a1e29392b1e02e'
Key hash : 'a7027e0203301199a20b9466acb19804a4aa8dad'
OCSP certificate hashes
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificate hashes:
Hash algorithm : '1.3.14.3.2.26'
CA certificate
CA SubjectDN: 'CN=SEP Root CA,O=SEP,C=BG'
SerialNumber: '2bcee9c27c2181f1'
CA certificate hashes
Name hash : '5fbd0d6e25fe4960b15e17e6af8753667421d28e'
Key hash : '311a50a15bdf7d4863959ac6a323d0354cc77b11'
OCSP certificate hashes
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Did not find matching CA-cert for:
Name hash : '9670591f6f1809091f9f9d837e5d5a8672afc3d7'
Key hash : '150cc49ebdb0e8a50e1e6daf88d7c7976c70f981'
2008-03-07 09:53:22,741 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Comparing the following certificates:
CA certificate DN: CN=AdminCA1,O=EJBCA Sample,C=SE
Subject DN: CN=AdminCA1,O=EJBCA Sample,C=SE
2008-03-07 09:53:22,741 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Unable to find CA certificate by issuer name hash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7, using the default reponder to send 'UnknownStatus'.
2008-03-07 09:53:22,742 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] CN=AdminCA1,O=EJBCA Sample,C=SE has caid: -1688117755
2008-03-07 09:53:22,742 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] Using signature algorithm for response: SHA1WithRSA
2008-03-07 09:53:22,742 DEBUG [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing algorithm: SHA1WithRSA
2008-03-07 09:53:22,796 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] Signing OCSP response with OCSP signer cert: C=BG, L=Sofia, O=SEP, OU=IT Security, CN=OCSP AdminCA1
2008-03-07 09:53:22,798 DEBUG [org.ejbca.core.protocol.ocsp.OCSPUtil] The OCSP response is verifying.
2008-03-07 09:53:22,800 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Cert chain for OCSP signing is of size 2
2008-03-07 09:53:22,855 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] <service()
2008-03-07 09:53:22,855 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] <doPost()
----------------------------------------------------------------------------
I have three jks files for three OCSP certificates for three CAs (one for AdminCA and two for SubCAs from the off-line RootCA).
I've published the off-line RootCA certificate in the OCSP database.
Please help me!
Kind Regards,
Plamen Gribachev
This message:
2008-03-07 09:53:22,741 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] Unable to find CA certificate by issuer name hash: 9670591f6f1809091f9f9d837e5d5a8672afc3d7, using the default reponder to send 'UnknownStatus'.
You only have two CA certificates according to the log:
2008-03-07 09:53:22,739 DEBUG [org.ejbca.ui.web.protocol.OCSPServletBase] Found the following CA certificates :
CN=AdminCA1,O=EJBCA Sample,C=SE,552987c3fd9cdf64
CN=SEP Root CA,O=SEP,C=BG,2bcee9c27c2181f1
and you have this warning:
2008-03-07 09:53:22,738 WARN [org.ejbca.ui.web.protocol.OCSPServletStandAlone] Signing certificate with serial number 1294698461892045370 from issuer C=BG, O=SEP, CN=PlaGri SubCA has no chain to a root CA.
My guess is that the SubCA certificates are not in the database?
Cheers,
Tomas
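The check Tomas is reading off the log (the "Comparing the following certificate hashes" block and the "Unable to find CA certificate by issuer name hash" line) is the responder matching the CertID in the request against the CA certificates it knows about. Below is an added illustration of that matching in Python; it is not EJBCA's or OpenSSL's code. It builds a CertID the way RFC 6960 defines it (issuerNameHash over the DER of the issuer's Name, issuerKeyHash over the subjectPublicKey bits) and shows the same request answered "unknown" by the default responder while the SubCA is unpublished and "good" once it is in the store. All DNs, serial numbers and key values are constructed, and the minimal DER helpers assume PrintableString attribute values and RSA keys.

```python
"""OCSP CertID construction and issuer matching (RFC 6960 section 4.1.1).

Added illustration, not EJBCA or OpenSSL code. All DNs, serials and key
numbers are constructed; the DER helpers cover only what the example needs.
"""
import hashlib

HASH_BY_OID = {"1.3.14.3.2.26": hashlib.sha1,             # id-sha1, as in the log
               "2.16.840.1.101.3.4.2.1": hashlib.sha256}  # id-sha256
ATTR_OID = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}


# --- minimal DER encode/decode: enough for Name and SubjectPublicKeyInfo ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                    # base-128, continuation bit on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_int(n):                       # one spare byte keeps the INTEGER positive
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue, PrintableString values."""
    seq = b"".join(der_tlv(0x31, der_tlv(0x30, der_oid(ATTR_OID[a]) + der_tlv(0x13, v.encode("ascii"))))
                   for a, v in rdns)
    return der_tlv(0x30, seq)


def der_rsa_spki(modulus, exponent):
    """SubjectPublicKeyInfo for an RSA key (constructed numbers, not a real key)."""
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der_tlv(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def spki_key_bits(spki_der):
    """subjectPublicKey BIT STRING value minus the unused-bits octet: the bytes issuerKeyHash covers."""
    _, body, _ = der_read(spki_der)
    _, _, after_alg = der_read(body)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read(body, after_alg)
    assert tag == 0x03
    return bits[1:]


# --- the OCSP part -------------------------------------------------------------
def cert_id(issuer_name_der, issuer_spki_der, serial, hash_oid="1.3.14.3.2.26"):
    """CertID as the client sends it: both hashes are over the issuer's certificate."""
    h = HASH_BY_OID[hash_oid]
    return {"hashAlgorithm": hash_oid,
            "issuerNameHash": h(issuer_name_der).hexdigest(),
            "issuerKeyHash": h(spki_key_bits(issuer_spki_der)).hexdigest(),
            "serialNumber": format(serial, "x")}


def find_issuer(req, ca_store):
    """A CA matches only if name hash AND key hash agree under the request's algorithm."""
    for ca in ca_store:
        mine = cert_id(ca["name_der"], ca["spki_der"], 0, req["hashAlgorithm"])
        if (mine["issuerNameHash"], mine["issuerKeyHash"]) == (req["issuerNameHash"], req["issuerKeyHash"]):
            return ca
    return None


def respond(req, ca_store):
    """No matching CA: the default responder answers 'unknown', as the INFO line in the log says."""
    ca = find_issuer(req, ca_store)
    if ca is None:
        return {"responder": "default", "certStatus": "unknown"}
    status = "revoked" if req["serialNumber"] in ca["revoked"] else "good"
    return {"responder": ca["dn"], "certStatus": status}


def make_ca(dn, modulus, revoked=()):
    rdns = [tuple(p.split("=")) for p in dn.split(",")]
    return {"dn": dn, "name_der": der_name(rdns), "spki_der": der_rsa_spki(modulus, 65537),
            "revoked": {format(s, "x") for s in revoked}}


# Constructed sample PKI mirroring the thread: two CAs published, the SubCA not yet.
ADMIN_CA = make_ca("CN=AdminCA1,O=EJBCA Sample,C=SE", 0xC0FFEE0001)
ROOT_CA = make_ca("CN=SEP Root CA,O=SEP,C=BG", 0xC0FFEE0002)
SUB_CA = make_ca("CN=PlaGri SubCA,O=SEP,C=BG", 0xC0FFEE0003, revoked=[0x1234])


def demo():
    """The same request before and after the SubCA certificate is published."""
    req = cert_id(SUB_CA["name_der"], SUB_CA["spki_der"], 0x3431)
    before = respond(req, [ADMIN_CA, ROOT_CA])
    after = respond(req, [ADMIN_CA, ROOT_CA, SUB_CA])
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `unknown` from the default responder first and `good` from the SubCA once it is in the store, which is exactly the change Plamen saw after publishing the SubCA. The point worth keeping in mind when debugging a responder is that the lookup is by hash of the issuer's name and key, so a CA certificate that is simply absent from the responder's database produces "Did not find matching CA-cert" no matter how the request is built; the signing-chain warning in the log is a separate symptom of the same missing certificate.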
Hi Tomas,
You are right :-) It's stupid on my side, because it's the second time. I had forgotten to publish the SubCA; I was confused by the OCSP certificate, which I published first.
Sorry!
Now I can make OCSP requests with ocsp.sh or openssl ocsp successfully.
P.S
Yesterday I sent you an email regarding commercial support of EJBCA, did you receive it?
Kind Regards,
Plamen Gribachev
Hi Plamen,
very nice that it's working now.
Yes, I received your email; did you not receive my answer?
If you did not, can you mail me again and give me your "real" email address? I replied to the sourceforge address.
Regards,
Tomas