Hi,

Mail is quite big with description. Please read through and help me.

Below are the configuration and execution done for OCSP request and response.

* What is the reason for the error?
* What is the solution for the error?


Any reply is appreciated.


I have even provided the folder structure, because the error is related to "unable to get local issuer certificate".
Folder structure: certifiacte/CACERT/demoCA

CLIENT:
executed at certificate/

Root key generated: openssl genrsa -out rootkey.pem 1024

root self-signed certificate: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout rootkey.pem -out rootcert.pem

request generated: openssl req -nodes -days 365 -newkey rsa:1024 -keyout reqkey.pem -out reqreq.pem

issuing: openssl x509 -days 365 -CA rootcert.pem -CAkey rootkey.pem -req -CAcreateserial -CAserial ca.srl -in reqreq.pem -out resolve.pem

Request sent: openssl ocsp -issuer rootcert.pem -cert resolve.pem -url http://xxx.xxx.xx.xxx:8888 -resp_text -respout resp.der

error:
Response Verify Failure
11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
resolve.pem: unknown
This Update: Sep 8 16:38:27 2008 GMT
----------------------------------------------------------------------
RESPONDER:
Folder structure: certifiacte/CACERT/demoCA/private/firstkey.pem
certifiacte/CACERT/demoCA/certs
certifiacte/CACERT/demoCA/index.txt
certifiacte/CACERT/demoCA/cacert.pem

1. Created folder (CACERT).
2. Copied CA.pl from (/usr/lib/ssl/misc/CA.pl) into CACERT.
3. Copied openssl.cnf from (/usr/lib/ssl/openssl.cnf) into CACERT.

executed: ./CA.pl -newca (creates the demoCA folder, which consists of the index.txt file, cacert.pem file, private folder, certs folder, newcerts folder, etc.)

key generated at demoCA/private/: openssl genrsa -out firstkey.pem 1024

request generated /demoCA/certs/: openssl req -new -key demoCA/private/firstkey.pem -out req1.pem

(renamed req1.pem as newreq.pem)
now execute-> ./CA.pl -sign (newcert.pem is created)

Responder:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner newcert.pem -rkey demoCA/private/first.key -CA demoCA/cacert.pem -text -out log.txt


Advance Thanks & Regards,
Shivakumar Balur
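
The OCSP client verifies the responder's signature by building a chain from the signer certificate to a CA it trusts, and the client command above names no such CA. The script below is an added example, not part of the original post: it builds a request and a signed response as files, then verifies the same response without and with -CAfile. It assumes a single constructed CA that issues both the checked certificate and a responder certificate carrying the OCSPSigning usage; all file and subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. All names are constructed.

ocsp_demo_setup() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    # One CA issues both the certificate being checked and the responder's
    # signing certificate (2048-bit keys are an assumption of this demo).
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.pem || exit 1
    for name in leaf responder; do
      openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" || exit 1
    done
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
      -set_serial 0x1001 -days 30 -out leaf.pem || exit 1
    # A delegated responder certificate needs the OCSPSigning key usage.
    printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
    openssl x509 -req -in responder.csr -CA ca.pem -CAkey ca.key -days 30 \
      -set_serial 0x1002 -extfile ocsp.ext -out responder.pem || exit 1
    # Minimal CA database, tab separated: status, expiry, revocation date
    # (empty), serial, file name, subject. Serial 1001 (the leaf) is valid.
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=leaf\n' > index.txt
    # Build the request and the signed response as files; no network needed.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der || exit 1
    openssl ocsp -index index.txt -CA ca.pem -rsigner responder.pem \
      -rkey responder.key -reqin req.der -respout resp.der || exit 1
  ) >/dev/null 2>&1
}

ocsp_verify() {       # $1 = directory, remaining args = extra ocsp options
  d=$1; shift
  ( cd "$d" && openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce \
      -respin resp.der "$@" 2>&1 )
}

demo_dir=$(mktemp -d) && ocsp_demo_setup "$demo_dir" || exit 1
echo "== no trust anchor given, as in the post's client command"
ocsp_verify "$demo_dir" || true     # prints "Response Verify Failure"
echo "== responder's CA supplied as trust anchor"
ocsp_verify "$demo_dir" -CAfile ca.pem   # "Response verify OK", "leaf.pem: good"
```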