From: Randy Yu <yu...@ec...> - 2014-09-19 14:53:45

Thanks Tomas. If we are using a Luna HSM hard token, I believe we have to create a PKCS11 key as the PKCS12 is only for soft tokens? Also, when attempting to create a PKCS11 key for the specific CA, we issue the following command but are unsure how to retrieve the actual key to store in the ocsp keys directory.

./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2.so 2048 test 1

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: September-11-14 10:35 AM
To: ejb...@li...
Subject: Re: [Ejbca-develop] EJBCA ocsp verification error

If you want to set up an OCSP responder, separate from the CA, you need an OCSP Signer private key and certificate.

Cheers,
Tomas

On 2014-09-11 16:01, Randy Yu wrote:
> Some more information to add to this. The CA we import to the EJBCA 6 instance is a public key from a hard token signed CA. With the public key imported to EJBCA 6, would the issuer name hash be carried over, or is this a possible reason why it is unable to be found?
>
> Also, with this EJBCA 6 ocsp responder instance we are trying to set up, we are trying to use this same imported CA to do the CRL download service. We are unable to complete the "populating the ocsp responder database" steps since the CDP editing option is unavailable:
>
> Admin GUI -> Certification Authorities -> "Edit CA" for the imported CA -> Configure an external CDP where the CA makes its CRLs available (must begin with "http://")
>
> Thanks.
>
> -----Original Message-----
> From: Randy Yu [mailto:yu...@ec...]
> Sent: September-09-14 11:04 AM
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] EJBCA ocsp verification error
>
> Thanks Branko.
>
> The error differs when using the OpenSSL ocsp command:
>
> 22:47:24,929 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-8080-3) Received OCSP request for certificate with serNo: 4391e01e01561076, and issuerNameHash: 1381ab5168453c9d28d2288f76020542ac6f556c. Client ip a.a.a.a.
> 22:47:24,945 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-8080-3) Unable to find CA certificate by issuer name hash: 1381ab5168453c9d28d2288f76020542ac6f556c, using the default responder to send 'UnknownStatus'.
>
> This occurs even if I provide the subca.pem with the -issuer switch.
>
> -----Original Message-----
> From: Branko Majic [mailto:br...@ma...]
> Sent: September-08-14 1:26 PM
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] EJBCA ocsp verification error
>
> On September 8, 2014 6:43:43 PM CEST, Randy Yu <yu...@ec...> wrote:
>> Here is the ocsp request from OpenSSL in base64 format. I'm not sure how to achieve the same thing with CertUtil, as I don't see an option like OpenSSL's -reqout switch.
>>
>> Thanks.
>>
>
> Hm... Do you get the same error when using the OpenSSL ocsp tool? That is a tool that I commonly use for testing our installations, and it usually works flawlessly (both EJBCA and the tool).
> --
> Branko Majic
> Jabber: br...@ma...
> Please use only Free formats when sending attachments to me.
>
> Branko Majić
> Jabber: br...@ma...
> Please send me attachments only in free formats.
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce.
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop