From: Marc P. <liv...@gm...> - 2017-02-14 08:23:01
Hi Thomas, thanks a lot for the answer. I was able to use the Internal Key Binding with a certificate issued from the Root CA on my EJBCA instance and was able to verify the SubCA certificate.

Best Regards
Marc Pailloux

2017-02-01 17:47 GMT+01:00 Tomas Gustavsson <to...@pr...>:
>
> Hi Marc,
>
> If you send an OCSP request asking for status of the Sub CA certificate,
> it should be answered by the Root CA. In order for the Root CA to
> answer, it needs to have an OCSP Key Binding, and an OCSP signing
> certificate issued by the Root CA (or asking a responder directly on the
> Root CA server).
>
> In order to get proper OCSP responses from the Sub CA responder you
> should query about status of a leaf certificate issued by the Sub CA.
>
> Cheers,
> Tomas
>
> On 2017-01-31 14:10, Marc Pailloux wrote:
> >
> > Hello,
> >
> > I have a question about OCSP and the way it works with an
> > External Root CA.
> >
> > I use the default OCSP with the CA (no external OCSP responder).
> > My CA architecture is a Root CA generated on another EJBCA
> > instance, that signed the SubCA installed on the instance doing also the
> > OCSP.
> > I created a user certificate for the test under that SubCA.
> >
> > I imported back the root public CA as an external Certificate,
> > so here is what I have as CAs:
> > [inline image]
> >
> > However, when I try to use OCSP on a reverse proxy, I have an
> > error message in the EJBCA logs:
> >
> > 13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean]
> > (http--0.0.0.0-18080-6) Received OCSP request for certificate with
> > serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash:
> > f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
> > 13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean]
> > (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name
> > hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default
> > responder: .
> >
> > This certificate is the SubCA certificate.
> >
> > From what I understand about OCSP and EJBCA, it means that the
> > SubCA certificate was not registered in the CA hash table and cannot be
> > found. Any reason for that?
> > I tried a configuration where the root CA is on the same instance
> > and it works perfectly, but it is not my desired architecture.
> >
> > Thanks for the help
> >
> > Best Regards
> >
> > Marc Pailloux
> >
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejb...@li...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
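The point Tomas makes, and the "Unable to find CA certificate by issuer name hash" log line, both come down to how the CertID in an OCSP request is built: issuerNameHash is a hash of the issuer's Name, so a request about the Sub CA certificate carries the Root CA's name hash and can only be matched by a responder that holds the Root CA. The following example, added to this thread and not code from EJBCA, builds RFC 6960 CertIDs with a hand-written DER encoder (stdlib only) and runs them against a simplified responder index. The Responder class, the CA names, and the placeholder key bits are assumptions for illustration; the only value taken from the thread is the serial number in the log.

```python
# Added example (not EJBCA code): how the issuerNameHash in an OCSP
# CertID is derived, and why a responder that only holds the Sub CA
# cannot answer for the Sub CA certificate itself.  Stdlib only.
import hashlib

ID_SHA1 = bytes.fromhex("2b0e03021a")   # OID 1.3.14.3.2.26
ID_AT_CN = bytes.fromhex("550403")       # OID 2.5.4.3 (commonName)


def der(tag: int, body: bytes) -> bytes:
    """One DER TLV with a definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; keeps a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, body)


def der_name(common_name: str) -> bytes:
    """X.501 Name with a single CN RDN, as it appears in a certificate's
    subject/issuer field (SEQUENCE of SET of AttributeTypeAndValue)."""
    atv = der(0x30, der(0x06, ID_AT_CN) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))


def cert_id(issuer_name: bytes, issuer_key_bits: bytes, serial: int) -> dict:
    """RFC 6960 CertID for the certificate `serial` issued by the CA whose
    subject Name DER is `issuer_name` and whose subjectPublicKey BIT STRING
    contents (tag, length and unused-bits byte excluded) are `issuer_key_bits`.
    Both hashes are over the ISSUER's data, which is why a request about the
    Sub CA certificate carries the Root CA's name hash."""
    name_hash = hashlib.sha1(issuer_name).digest()
    key_hash = hashlib.sha1(issuer_key_bits).digest()
    alg = der(0x30, der(0x06, ID_SHA1) + der(0x05, b""))
    encoded = der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash)
                  + der_integer(serial))
    return {"der": encoded,
            "issuerNameHash": name_hash.hex(),
            "issuerKeyHash": key_hash.hex(),
            "serialNumber": serial}


class Responder:
    """Simplified model (an assumption, not EJBCA's implementation) of the
    lookup in the log above: CAs the responder can sign for are indexed by
    SHA-1 of their subject Name DER, and an incoming CertID is matched on
    issuerNameHash.  A CA imported only as an external certificate, with no
    OCSP key binding, is assumed not to be in this index."""

    def __init__(self, signing_cas: dict):
        # label -> subject Name DER
        self.by_name_hash = {hashlib.sha1(name).hexdigest(): label
                             for label, name in signing_cas.items()}

    def find_issuer(self, cid: dict):
        return self.by_name_hash.get(cid["issuerNameHash"])


def demo() -> dict:
    """Constructed names and key bits (not the thread's real CAs)."""
    root_name, sub_name = der_name("Root CA"), der_name("Sub CA")
    root_key, sub_key = b"\x00" * 32, b"\x01" * 32  # placeholder key bits

    leaf_id = cert_id(sub_name, sub_key, 0x1234)                  # leaf issued by Sub CA
    subca_id = cert_id(root_name, root_key, 0x3E3BB7FA6BBBE5AE)   # serial from the log

    sub_only = Responder({"SubCA": sub_name})                      # Root has no key binding
    with_root = Responder({"SubCA": sub_name, "RootCA": root_name})  # Root has an OCSP key binding

    return {
        "leaf_on_sub_only": sub_only.find_issuer(leaf_id),     # 'SubCA'
        "subca_on_sub_only": sub_only.find_issuer(subca_id),   # None: the error in the log
        "subca_with_root": with_root.find_issuer(subca_id),    # 'RootCA'
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as a script: the leaf certificate resolves against the Sub CA responder, the Sub CA certificate does not (the issuerNameHash it carries belongs to the Root CA), and it resolves only once the Root CA is among the CAs the responder signs for, which is what adding the OCSP key binding with a Root-issued signing certificate achieved in the thread.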