It was reported to me that one of our certificates is not verifying via
OCSP (it gets an 'unauthorized answer'), so I am trying to determine
what is causing that.

I grabbed one cert and the root bundle and did the following:

/tmp/cert -url -resp_text

This resulted in the cert being spit out, and then this at the bottom:

Response Verify Failure
14370:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
/tmp/cert: good
This Update: Jun 2 17:21:38 2008 GMT
Next Update: Jun 9 17:21:38 2008 GMT

Does this mean that the OCSP response is good?

How can I get the root CA error resolved? I wasn't sure if the CA and
the issuer should be the same in this case? The file I was using is a
bundle file intermediate and root cert (from

Finally, is there a simpler command I can use, perhaps with openssl
s_client to do the ocsp check with the values presented in the
certificate's extensions (such as where the OCSP url is, etc.), rather
than having to download them all and try and piece them together

__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager