From: Marc P. <liv...@gm...> - 2017-01-31 13:10:26
Hello,
I have a question about OCSP and the way it works with an
External Root CA.
I use the default OCSP with the CA (no external OCSP responder).
My CA architecture is a Root CA generated on another EJBCA
instance, that signed the SubCA installed on the instance also doing the
OCSP.
I created a user certificate for the test under that SubCA.
I imported back the root public CA as an external Certificate, so
here is what I have as CAs:
[image: Inline images 1]
However, when I try to use OCSP on a reverse proxy, I have an error
message in the EJBCA logs:
13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default responder: .
This certificate is the SubCA certificate.
From what I understand about OCSP and EJBCA, it means that the SubCA
certificate was not registered in the CA hash table and cannot be found.
Any reason for that?
I tried a configuration where the root CA is on the same instance
and it works perfectly, but it is not my desired architecture.
Thanks for the help
Best Regards
Marc Pailloux
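
Added example, not part of the original post and not EJBCA code: per RFC 6960 the issuerNameHash in an OCSP request is the hash of the DER-encoded issuer DN of the certificate being checked, so a logged hash can be matched against the subject DNs of the CAs you know about. The DNs and CA labels below are constructed, and the encoder assumes every attribute value is a UTF8String.

```python
import hashlib

# DER-encoded OBJECT IDENTIFIERs for the DN attributes used in this example.
OIDS = {"CN": bytes.fromhex("0603550403"),
        "O": bytes.fromhex("060355040a"),
        "C": bytes.fromhex("0603550406")}

def tlv(tag, body):
    """DER tag-length-value, short or long form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(rdns):
    """DER-encode a Name from [(attr, value), ...] in certificate order.
    Assumption: all values are UTF8String. A real certificate may use
    PrintableString, which changes the bytes and therefore the hash, so in
    practice hash the Name bytes taken from the certificate itself."""
    out = b""
    for attr, value in rdns:
        atv = tlv(0x30, OIDS[attr] + tlv(0x0C, value.encode("utf-8")))
        out += tlv(0x31, atv)  # one single-valued RDN per attribute
    return tlv(0x30, out)

def issuer_name_hash(issuer_rdns):
    """SHA-1 issuerNameHash for any certificate issued by issuer_rdns."""
    return hashlib.sha1(encode_name(issuer_rdns)).hexdigest()

def find_issuer(logged_hash, known_cas):
    """Label of the CA whose subject DN matches logged_hash, else None."""
    for label, rdns in known_cas.items():
        if issuer_name_hash(rdns) == logged_hash.lower():
            return label
    return None

# Constructed sample hierarchy: external root, locally hosted sub CA.
ROOT = [("C", "SE"), ("O", "Example"), ("CN", "Example Root CA")]
SUB = [("C", "SE"), ("O", "Example"), ("CN", "Example Sub CA")]
KNOWN_CAS = {"root (external)": ROOT, "sub (local)": SUB}

if __name__ == "__main__":
    # A request about the user certificate carries the hash of the sub CA DN;
    # a request about the sub CA certificate carries the hash of the root DN.
    print("user cert ->", find_issuer(issuer_name_hash(SUB), KNOWN_CAS))
    print("sub CA cert ->", find_issuer(issuer_name_hash(ROOT), KNOWN_CAS))
```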