This is a discussion on ocsp response verify failure - Openssl ; It was reported to me that one of our certificates is not verifying via OCSP (it gets an 'unauthorized answer'), so I am trying to determine what is causing that. I grabbed one cert and the root bundle and did ...
It was reported to me that one of our certificates is not verifying via
OCSP (it gets an 'unauthorized answer'), so I am trying to determine
what is causing that.
I grabbed one cert and the root bundle and did the following:
openssl ocsp -CA IPS-IPSCABUNDLE.CRT -issuer IPS-IPSCABUNDLE.CRT -cert
/tmp/cert -url http://ocsp.ipsca.com/ -resp_text
This resulted in the cert being spit out, and then this at the bottom:
Response Verify Failure
14370:error:27069070:OCSP routines:OCSP_basic_verify:root ca not
This Update: Jun 2 17:21:38 2008 GMT
Next Update: Jun 9 17:21:38 2008 GMT
Does this mean that the OCSP response is good?
How can I get the root CA error resolved? I wasn't sure if the CA and
the issuer should be the same in this case? The file I was using is a
bundle file intermediate and root cert (from
Finally, is there a simpler command I can use, perhaps with openssl
s_client to do the ocsp check with the values presented in the
certificate's extensions (such as where the OCSP url is, etc.), rather
than having to download them all and try and piece them together
OpenSSL Project http://www.openssl.org
User Support Mailing List email@example.com
Automated List Manager firstname.lastname@example.org