Hi,

I have been trying for a couple of days now to test an OCSP responder, but I
am having problems getting the openssl OCSP client to send the OCSP requests
to the OCSP responder listed in the certificate's AIA. If I use the -url
option with openssl ocsp command, then it will generate the OCSP request,
send the request to the URI and decode and print the results. Here is a
sample command:

    openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/bruce-cert.pem -text \
        -CAfile /tmp/cacert.pem -url http://192.168.0.185:80

This works!

I would have thought that if I remove the -url option from the command then
openssl would send the OCSP request to the list of OCSP responders in the
Authority Information Access (AIA) extension. Well, it does not. Instead
it just prints out the request and exits. I have tried various options
without success. I have read the man page many times and did some Google
searches without finding anything that works. I am sure I am overlooking
the obvious.

The certificate's AIA looks like this (excerpt from openssl x509 -noout
-text -in /tmp/bruce-cert.pem):

            Authority Information Access:
                OCSP - URI:http://server1:80
                OCSP - URI:http://server2:80
                OCSP - URI:http://server3:80


Is there a way to get openssl ocsp to send OCSP requests to the list of OCSP
responders from the certificate's AIA?

I am running this on Fedora Core 7. The version is:
OpenSSL>
OpenSSL> version
OpenSSL 0.9.8b 04 May 2006
OpenSSL> quit



Bruce
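
Added example (not part of the original post, and not code from the OpenSSL project): one way to drive the -url option from the AIA shown above is to parse the OCSP URIs out of the `openssl x509 -noout -text` output and try each responder in turn. The function names and the sample text are constructed for illustration; treating a non-zero exit from `openssl ocsp` as "try the next responder" is an assumption.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not OpenSSL's own.

# Read `openssl x509 -noout -text` output on stdin and print one OCSP
# responder URI per line. "CA Issuers - URI:" entries are ignored.
aia_ocsp_uris() {
    sed -n 's/^[[:space:]]*OCSP - URI:[[:space:]]*//p'
}

# Constructed sample input modelled on the excerpt in the post; the
# CA Issuers line is invented to show that it is skipped.
sample_x509_text() {
    cat <<'EOF'
            Authority Information Access:
                CA Issuers - URI:http://ca.invalid/cacert.pem
                OCSP - URI:http://server1:80
                OCSP - URI:http://server2:80
                OCSP - URI:http://server3:80
EOF
}

# Query each responder from the certificate's AIA, in listed order.
# Usage: ocsp_via_aia ISSUER_PEM CERT_PEM CAFILE_PEM
ocsp_via_aia() {
    issuer=$1 cert=$2 cafile=$3
    uris=$(openssl x509 -noout -text -in "$cert" | aia_ocsp_uris)
    if [ -z "$uris" ]; then
        echo "no OCSP URI in the AIA of $cert" >&2
        return 2
    fi
    while IFS= read -r uri; do
        echo "querying $uri" >&2
        # Assumption: a non-zero exit means this responder gave no usable
        # answer. The certificate status itself is in the printed output.
        if openssl ocsp -issuer "$issuer" -cert "$cert" -text \
                -CAfile "$cafile" -url "$uri" </dev/null; then
            return 0
        fi
    done <<EOF
$uris
EOF
    echo "no responder listed in the AIA answered" >&2
    return 1
}

# Run only when called with the three file arguments.
if [ "$#" -eq 3 ]; then ocsp_via_aia "$@"; fi
```

The URIs are taken from the certificate being checked, so the script will contact whatever hosts that certificate names; run it against certificates from issuers whose responders you intend to reach.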

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org