From: Tomas G. <to...@pr...> - 2017-02-01 16:48:04
Hi Marc,

If you send an OCSP request asking for status of the Sub CA certificate, it should be answered by the Root CA. In order for the Root CA to answer, it needs to have an OCSP Key Binding, and an OCSP signing certificate issued by the Root CA (or asking a responder directly on the Root CA server).

In order to get proper OCSP responses from the Sub CA responder you should query about status of a leaf certificate issued by the Sub CA.

Cheers,
Tomas

On 2017-01-31 14:10, Marc Pailloux wrote:
> Hello,
>
> I have an interrogation about OCSP and the way it works with an External Root CA.
>
> I use the default OCSP with the CA (no external OCSP responder).
> My CA architecture is a Root CA generated on another EJBCA instance, that signed the SubCA installed on the instance doing also the OCSP.
> I created a user certificate for the test under that SubCA.
>
> I imported back the root public CA as an external Certificate, so here is what I have as CAs:
> [Inline image 1]
>
> However, when I try to use OCSP on a reverse proxy, I have an error message in the EJBCA logs:
> 13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
> 13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default responder: .
>
> This certificate is the SubCA certificate.
> For what I understand about OCSP and EJBCA, it means that the SubCA certificate was not registered in the CA hash table and cannot be found. Any reason for that?
> I tried a configuration where the root CA is on the same instance and it works perfectly but it is not my desired architecture.
>
> Thanks for the help
>
> Best Regards
>
> Marc Pailloux
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
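An added illustration of the point in Tomas's reply; this is example code written for this page, not code from the thread or from EJBCA. An OCSP responder picks the CA for a request by the CertID's issuerNameHash (RFC 6960: a hash, SHA-1 in the log above, over the DER-encoded issuer Name). For the Sub CA's own certificate that hash names the Root CA, so a responder that only holds the Sub CA's key has nothing to match it against, while a request for a leaf issued by the Sub CA hashes to the Sub CA's name and is found. The CA names, the single-CN DER encoder and the toy responder table are constructed assumptions, not EJBCA's internal lookup.

```python
"""Why an OCSP request for a Sub CA certificate is not answerable by a
responder that only holds the Sub CA's signing key: the responder is keyed
by issuerNameHash, and the Sub CA certificate's issuer is the Root CA."""
import hashlib

# Minimal DER encoder for an X.501 Name made of a single CN attribute
# (constructed for this example; real names carry more attributes).
OID_CN = bytes.fromhex("550403")  # 2.5.4.3, id-at-commonName


def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form length only, which is enough for the small names used here.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID cn, PrintableString value } } }."""
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x13, common_name.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))


def issuer_name_hash(issuer_cn: str) -> str:
    """issuerNameHash of RFC 6960 CertID: SHA-1 over the DER issuer Name,
    as hex, matching the 40-hex-digit value in the EJBCA log line."""
    return hashlib.sha1(der_name(issuer_cn)).hexdigest()


class Responder:
    """Toy responder: it can only sign for CAs whose keys it holds locally,
    and it looks them up by the hash of each CA's own subject name."""

    def __init__(self, local_cas):
        self.table = {issuer_name_hash(cn): cn for cn in local_cas}

    def handle(self, cert_issuer_cn: str) -> str:
        # The client computes issuerNameHash from the certificate's issuer;
        # the responder only sees the hash and must find a matching CA.
        h = issuer_name_hash(cert_issuer_cn)
        cn = self.table.get(h)
        if cn is None:
            return f"error: unable to find CA certificate by issuer name hash: {h}"
        return f"good: status signed by {cn}"


if __name__ == "__main__":
    # Constructed hierarchy: "Example Root CA" issued "Example Sub CA",
    # which issued the leaf. The Sub CA instance knows only its own key.
    sub_ca_responder = Responder(["Example Sub CA"])
    root_ca_responder = Responder(["Example Root CA"])

    # Asking the Sub CA responder about the Sub CA certificate itself:
    # the issuer is the Root, whose hash the Sub CA responder cannot match.
    print(sub_ca_responder.handle("Example Root CA"))
    # Asking it about a leaf issued by the Sub CA works.
    print(sub_ca_responder.handle("Example Sub CA"))
    # The Sub CA certificate's status has to come from the Root CA responder.
    print(root_ca_responder.handle("Example Root CA"))
```

Running the block prints an error for the first query and "good" for the other two, which is the split Tomas describes: query the Root CA's responder for the Sub CA certificate, and the Sub CA's responder for leaf certificates.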