Hi!
I tried to set up OCSP stapling and had some surprises to overcome:
I think the supplied script "ocsp_fetch.pl" will fail in many cases following
the included help.
I took the openssl command it issues ...
# openssl ocsp -issuer <PEM> -cert <PEM> -url <OCSP-URL> -CAfile <PEM> \
-respout <file>
and experimented until it worked for all of my certificates. Things I noticed
for openssl 1.0.1+:
*) -CAfile is of no use/help. -VAfile is correct to verify the OCSP response
*) some OCSP servers need an undocumented "-header Host <hostname>"
option to get through to the correct virtual host (eg. globaltrust)
404 Forbidden response otherwise
*) some OCSP servers answer with the response certificate to use for -VAfile
verification. (eg. alphassl/globalsign. I used -text first to get it.
*) for many OCSP servers it is sufficient to use the "-issuer" cert for
"-VAfile" as well to verify the response.
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
