From: Randy Yu <yu...@ec...> - 2014-09-22 02:42:42

Thanks Tomas. Sorry, I was also testing EJBCA 4.x, as we have been troubleshooting with both version 4 and 6 as a responder to version 3 instances. My question previously applied to using a 4.0.16 instance. Also, are there any caveats that are known from using version 4 and 6 as responders to version 3 production CA instances?

________________________________________
From: Tomas Gustavsson [to...@pr...]
Sent: Friday, September 19, 2014 12:31 PM
To: ejb...@li...; Randy Yu
Subject: Re: [Ejbca-develop] EJBCA ocsp verification error

In EJBCA 6 there is no ocsp keys directory; you create a crypto token, issue a CSR to the CA, and import the issued certificate.

Cheers,
Tomas

On 19 September 2014 16:53:14 CEST, Randy Yu <yu...@ec...> wrote:
> Thanks Tomas.
>
> If we are using a Luna HSM hard token, I believe we have to create a PKCS11 key, as the PKCS12 is only for soft tokens? Also, when attempting to create a PKCS11 key for the specific CA, we issue the following command but are unsure how to retrieve the actual key to store in the ocsp keys directory.
>
> ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2.so 2048 test 1
>
> -----Original Message-----
> From: Tomas Gustavsson [mailto:to...@pr...]
> Sent: September-11-14 10:35 AM
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] EJBCA ocsp verification error
>
> If you want to set up an OCSP responder separate from the CA, you need an OCSP Signer private key and certificate.
>
> Cheers,
> Tomas
>
> On 2014-09-11 16:01, Randy Yu wrote:
>> Some more information to add to this. The CA we import to the EJBCA 6 instance is a public key from a hard-token-signed CA. With the public key imported to EJBCA 6, would the issuer name hash be carried over, or is this a possible reason why it is unable to be found?
>>
>> Also, with this EJBCA 6 ocsp responder instance we are trying to set up, we are trying to use this same imported CA to do the CRL download service; we are unable to complete the "populating the ocsp responder database" steps since the CDP editing option is unavailable:
>>
>> Admin GUI -> Certification Authorities -> "Edit CA" for the imported CA -> Configure an external CDP where the CA makes its CRLs available (must begin with "http://")
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: Randy Yu [mailto:yu...@ec...]
>> Sent: September-09-14 11:04 AM
>> To: ejb...@li...
>> Subject: Re: [Ejbca-develop] EJBCA ocsp verification error
>>
>> Thanks Branko.
>>
>> The error differs when using the OpenSSL ocsp command:
>>
>> 22:47:24,929 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-8080-3) Received OCSP request for certificate with serNo: 4391e01e01561076, and issuerNameHash: 1381ab5168453c9d28d2288f76020542ac6f556c. Client ip a.a.a.a.
>> 22:47:24,945 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-8080-3) Unable to find CA certificate by issuer name hash: 1381ab5168453c9d28d2288f76020542ac6f556c, using the default responder to send 'UnknownStatus'.
>>
>> This occurs even if I provide the subca.pem with the -issuer switch.
>>
>> -----Original Message-----
>> From: Branko Majic [mailto:br...@ma...]
>> Sent: September-08-14 1:26 PM
>> To: ejb...@li...
>> Subject: Re: [Ejbca-develop] EJBCA ocsp verification error
>>
>> On September 8, 2014 6:43:43 PM CEST, Randy Yu <yu...@ec...> wrote:
>>> Here is the ocsp request from OpenSSL in base64 format. I'm not sure how to achieve the same thing with CertUtil, as I don't see an option like the OpenSSL -reqout switch.
>>>
>>> Thanks.
>>>
>>
>> Hm... Do you get the same error when using the OpenSSL ocsp tool? That is a tool that I commonly use for testing our installations, and it usually works flawlessly (both EJBCA and the tool).
>> --
>> Branko Majic
>> Jabber: br...@ma...
>> Please use only Free formats when sending attachments to me.

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
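Added example, not code from the thread or from EJBCA: the responder locates the CA by the issuerNameHash in the request, which for the usual sha1 hashAlgorithm is SHA-1 over the DER-encoded issuer Name (RFC 6960), so a CA certificate whose subject DN differs byte for byte from the one the client hashed is simply not found, which is the "Unable to find CA certificate by issuer name hash" line above. The script parses the quoted EJBCA log line and checks the hash against a constructed set of CA names; the single-CN DN encoder is a deliberate simplification (a real check hashes the issuer Name bytes taken from the CA certificate), and `KNOWN_CAS` and `LOG_LINE` are sample data.

```python
import hashlib
import re

# Log line quoted in the thread (EJBCA OcspResponseGeneratorSessionBean).
LOG_LINE = (
    "22:47:24,929 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] "
    "(http--0.0.0.0-8080-3) Received OCSP request for certificate with serNo: "
    "4391e01e01561076, and issuerNameHash: 1381ab5168453c9d28d2288f76020542ac6f556c. Client ip a.a.a.a."
)
# Constructed CA subject names standing in for the CA certificates loaded on the responder.
KNOWN_CAS = ["Test Root CA", "Test Sub CA"]
LOG_RE = re.compile(r"serNo: ([0-9a-fA-F]+), and issuerNameHash: ([0-9a-fA-F]+)")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_name_cn(cn: str) -> bytes:
    """DER Name with a single CN RDN as PrintableString (simplified: string type,
    RDN order and whitespace in a real issuer DN all change the bytes and the hash)."""
    value = cn.encode("ascii")
    atv = b"\x06\x03\x55\x04\x03\x13" + der_len(len(value)) + value  # OID 2.5.4.3, PrintableString
    atv = b"\x30" + der_len(len(atv)) + atv  # AttributeTypeAndValue SEQUENCE
    rdn = b"\x31" + der_len(len(atv)) + atv  # RelativeDistinguishedName SET
    return b"\x30" + der_len(len(rdn)) + rdn  # Name SEQUENCE


def issuer_name_hash(der_name: bytes) -> str:
    """RFC 6960 issuerNameHash for hashAlgorithm sha1: SHA-1 over the DER issuer Name."""
    return hashlib.sha1(der_name).hexdigest()


def parse_request_log(line: str) -> dict:
    """Pull serNo and issuerNameHash out of the EJBCA 'Received OCSP request' line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an EJBCA OCSP request log line")
    return {"serNo": m.group(1).lower(), "issuerNameHash": m.group(2).lower()}


def find_matching_ca(name_hash: str, ca_names):
    """Return the CA whose DER subject Name hashes to name_hash, or None when the
    responder holds no such CA (the 'Unable to find CA certificate' case)."""
    for cn in ca_names:
        if issuer_name_hash(der_name_cn(cn)) == name_hash.lower():
            return cn
    return None
```

When the function returns None for a request that a client built from the expected issuer certificate, compare the DER issuer Name of that certificate with the subject Name of the CA certificate actually imported into the responder, not just their printed DN strings.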