From: <oh...@ya...> - 2019-06-26 15:15:13
Hi,
I don't know if this helps pinpoint the problem, but FYI, if I included the "-no_cert_verify" in the command line, then that error didn't appear:
[root@ejbca SimpleAuthority-newdomain]# openssl ocsp -CAfile ./rootCA.crt -issuer ./rootCA.crt -no_cert_verify -serial 0x016b902b1b87 -req_text -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 12238A5A4DCC9C6515D94132E4800DEBA1CE7004
Issuer Key Hash: D9839F806222BC7BC0BC888DAC7C299E38D7BE8C
Serial Number: 016B902B1B87
Request Extensions:
OCSP Nonce:
0410AF8386B8F3AFA34F33F95FD0B735F88B
Response verify OK
0x016b902b1b87: revoked
This Update: Jun 26 15:12:23 2019 GMT
Reason: keyCompromise
Revocation Time: Jun 25 19:55:51 2019 GMT
On Wednesday, June 26, 2019, 10:46:11 AM EDT, <oh...@ya...> wrote:
Hi,
Per discussion in earlier thread, I have a single OCSP binding, and have CRLs from several external CAs imported into EJBCA OCSP Responder.
I test using "openssl ocsp" command, e.g.:
openssl ocsp -CAfile ./rootCA.crt -issuer ./rootCA.crt -serial 0x016b902b1b87 -req_text -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
So I have two CAs/CRLs in the OCSP Responder, call them "simpleca" and "SimpleAuthorityCA".
The signing key in the OCSP binding is a cert issued by the "simpleca" CA.
So if I test sending an OCSP request to the EJBCA OCSP Responder, using the root CA cert from the "simpleca" CA, it works fine.
openssl ocsp -CAfile ./simpleca-rootCA.crt -issuer ./simpleca-rootCA.crt -serial 0x016b902b1b87 -req_text -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
If I test using the CA cert for the "SimpleAuthorityCA":
openssl ocsp -CAfile ./SimpleAuthorityCA-rootCA.crt -issuer ./SimpleAuthorityCA-rootCA.crt -serial 0x016b902b1b87 -req_text -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
I do get a CORRECT response, but that response also includes an error message "Verify error:unable to get local issuer certificate". For example:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 12238A5A4DCC9C6515D94132E4800DEBA1CE7004
Issuer Key Hash: D9839F806222BC7BC0BC888DAC7C299E38D7BE8C
Serial Number: 016B902B1B87
Request Extensions:
OCSP Nonce:
0410B030A87AB1C53A4906FED9F70F9D090F
Response Verify Failure
140511704516496:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
0x016b902b1b87: revoked
This Update: Jun 26 14:30:55 2019 GMT
Reason: keyCompromise
Revocation Time: Jun 25 19:55:51 2019 GMT
I have tried all combinations of combining the simpleca-rootCA.crt and the SimpleAuthorityCA-rootCA.crt for the -issuer and -CAfile, but I still keep getting that error.
I am actually not sure if that error is coming from the server side? Or is it coming from the client/openssl side?
And, either way, how can I fix it so I don't get the error?
Thanks,
Jim