Re: [Ejbca-develop] Getting "Verify error:unable to get local issuer certificate" when test against EJBCA OCSP responder with multiple CAs/CRLs

[Jaime H. <hab...@gm...>]

On Wed, Jun 26, 2019 at 10:28 AM ohaya--- via Ejbca-develop <
ejb...@li...> wrote:

> Hi,
>
> Ok, I found that adding "-VAfile" and pointing that to the SIGNING
> CERTIFICATE, seems to make the error go away. I am not 100% why that needs
> to be added when sending an OCSP request for a cert issued by one CA (the
> SimpleAuthorityCA), but the "-VAfile" is not needed for OCSP request for a
> cert in the simpleca CA??
>
>
It is because the expected signer for OCSP responses depends on the
certificate you are requesting status for. Quoting from RFC 6960, "2.2.
Response":

All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
> - the CA who issued the certificate in question
> - a Trusted Responder whose public key is trusted by the requestor
> - a CA Designated Responder (Authorized Responder, defined in
> Section 4.2.2.2) who holds a specially marked certificate issued
> directly by the CA, indicating that the responder may issue OCSP
> responses for that CA


So, when you request status for a certificate issued by "SimpleAuthorityCA"
you are against a response that is not signed by the "the CA who issued the
certificate in question" nor a "a CA Designated Responder who holds a
specially marked certificate issued
directly by the CA" so you are left only with the "Trusted Responder whose
public key is trusted by the requestor" and there is where the openssl ocsp
"-VAfile" option applies. From "man ocsp":

-VAfile file
>     File containing explicitly trusted responder certificates.