It was reported to me that one of our certificates is not verifying via
OCSP (it gets an 'unauthorized answer'), so I am trying to determine
what is causing that.

I grabbed one cert and the root bundle and did the following:

openssl ocsp -CA IPS-IPSCABUNDLE.CRT -issuer IPS-IPSCABUNDLE.CRT -cert
/tmp/cert -url http://ocsp.ipsca.com/ -resp_text

This resulted in the cert being spit out, and then this at the bottom:

Response Verify Failure
14370:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
trustedcsp_vfy.c:148:
/tmp/cert: good
This Update: Jun 2 17:21:38 2008 GMT
Next Update: Jun 9 17:21:38 2008 GMT

Does this mean that the OCSP response is good?

How can I get the root CA error resolved? I wasn't sure if the CA and
the issuer should be the same in this case? The file I was using is a
bundle file intermediate and root cert (from
http://certs.ipsca.com/companyIPSips...PSCABUNDLE.CRT).

Finally, is there a simpler command I can use, perhaps with openssl
s_client to do the ocsp check with the values presented in the
certificate's extensions (such as where the OCSP url is, etc.), rather
than having to download them all and try and piece them together
properly?

Thanks!
Micah
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org