From: <oh...@ya...> - 2019-07-30 19:45:38
Also, FYI, here is the response I get when I test the OCSP request using "openssl ocsp":
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: DD109D9D80B22984C50240DF37F6C75E70E2DEDD
          Issuer Key Hash: BC0F770B8DA3B38543C2369366AC02A977C33D52
          Serial Number: 3732
    Request Extensions:
        OCSP Nonce:
            04109186E755667555C98040988194088E5D
Responder Error: unauthorized (6)
NOTICE the "Responder Error: unauthorized (6)" error.
I have even deleted the CA from the EJBCA OCSP responder and then re-imported that CA's cert and the latest CRL, and I am still getting the same error.
Thanks,
Jim
On Tuesday, July 30, 2019, 4:37:49 PM UTC, oh...@ya... <oh...@ya...> wrote:
Hi,
I am circling back and trying to do some OCSP response testing with the EJBCA OCSP responder, but when I run "openssl ocsp" testing, I am getting an error (from the EJBCA logging):
16:25:35,230 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (default task-7) Received OCSP request for certificate with serNo: 3a1b, and issuerNameHash: dd109d9d80b22984c50240df37f6c75e70e2dedd. Client ip 192.168.xx.yy.
16:25:35,236 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (default task-7) Unable to find CA certificate by issuer name hash: dd109d9d80b22984c50240df37f6c75e70e2dedd, or even the default responder: CN=xxxx.
I think that I have that CA imported into EJBCA and also the latest CRL.
Is there a way to find out what issuer name it is looking for from the "issuer name hash"?
I'm guessing there probably isn't, so how can I debug why it is not able to find the CA (and CRL from that CA) in EJBCA?
Thanks,
Jim
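
Added example, not part of the original message and not EJBCA code: the issuer name hash in an OCSP CertID is the SHA-1 of the DER-encoded issuer DN, so it cannot be reversed, but it can be recomputed for each candidate CA certificate and compared with the value in the log. The function names, labels and certificate-shaped DER skeletons below are constructed for illustration; real input would be each CA certificate in DER form.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def children(buf, start, end):
    """List (tag, element_start, value_start, value_end) for each element."""
    out, off = [], start
    while off < end:
        tag, vs, ve = read_tlv(buf, off)
        out.append((tag, off, vs, ve))
        off = ve
    return out

def ocsp_ids(ca_der):
    """SHA-1 (issuerNameHash, issuerKeyHash) used for certs issued by this CA."""
    _, vs, _ = read_tlv(ca_der, 0)             # Certificate
    _, tvs, tve = read_tlv(ca_der, vs)         # TBSCertificate
    f = children(ca_der, tvs, tve)
    if f[0][0] == 0xA0:                        # optional [0] version
        f = f[1:]
    subject, spki = f[4], f[5]                 # after serial, sigAlg, issuer, validity
    name_der = ca_der[subject[1]:subject[3]]   # whole Name, tag and length included
    bits = children(ca_der, spki[2], spki[3])[1]   # subjectPublicKey BIT STRING
    key = ca_der[bits[2] + 1:bits[3]]          # drop the unused-bits octet
    return hashlib.sha1(name_der).hexdigest(), hashlib.sha1(key).hexdigest()

def find_issuer(name_hash, cas):
    """cas: {label: DER bytes}. Labels whose subject DN hashes to name_hash."""
    return [l for l, der in cas.items() if ocsp_ids(der)[0] == name_hash.lower()]

# Constructed sample data: certificate-shaped skeletons, not valid signed certs.
def tlv(tag, body):
    n = len(body)                              # sample elements stay under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_ca(cn, key):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name + tlv(0x30, b"") + name + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), name

CAS = {cn.decode(): sample_ca(cn, k)[0] for cn, k in
       [(b"Constructed Root", b"key-one"), (b"Constructed Sub CA", b"key-two")]}
```

An empty result from `find_issuer` for the hash in the responder log means none of the certificates checked has a subject DN whose encoding matches the requested issuer. `openssl x509 -noout -ocspid` prints the same two hashes for a single certificate.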