Fw: Error: unable to get local issuer certificate!!! - Openssl

  1. Fw: Error: unable to get local issuer certificate!!!

    Hi All,

    Please provide any solution for
    error:
    Response Verify Failure
    11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
    resolve.pem: unknown
    This Update: Sep 8 16:38:27 2008 GMT

    more description is provided in below mail

    Advance Thanks & Regards,
    Shivakumar

    ----- Original Message -----
    From: Shivakumar Balur
    To: openssl-users@openssl.org
    Sent: Thursday, September 11, 2008 6:43 PM
    Subject: Error: unable to get local issuer certificate!!!


    Hi,

    Mail is quite big with description. Please read through and help me.

    Below are the configuration and execution done for the OCSP request and response.

    * What is the reason for the error?
    * What is the solution for the error?


    Any reply is appreciated.


    I have even provided the folder structure because the error is related to "unable to get local issuer certificate".
    Folder structure: certifiacte/CACERT/demoCA

    CLIENT:
    executed at certificate/

    Root key generated: openssl genrsa -out rootkey.pem 1024

    root self-signed certificate: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout rootkey.pem -out rootcert.pem

    request generated: openssl req -nodes -days 365 -newkey rsa:1024 -keyout reqkey.pem -out reqreq.pem

    issuing: openssl x509 -days 365 -CA rootcert.pem -CAkey rootkey.pem -req -CAcreateserial -CAserial ca.srl -in reqreq.pem -out resolve.pem

    Request sent: openssl ocsp -issuer rootcert.pem -cert resolve.pem -url http://xxx.xxx.xx.xxx:8888 -resp_text -respout resp.der

    error:
    Response Verify Failure
    11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
    resolve.pem: unknown
    This Update: Sep 8 16:38:27 2008 GMT
    ----------------------------------------------------------------------
    RESPONDER:
    Folder structure: certifiacte/CACERT/demoCA/private/firstkey.pem
    certifiacte/CACERT/demoCA/certs
    certifiacte/CACERT/demoCA/index.txt
    certifiacte/CACERT/demoCA/cacert.pem

    1. Created folder (CACERT).
    2. Copied CA.pl from (/usr/lib/ssl/misc/CA.pl) into CACERT.
    3. Copied openssl.cnf from (/usr/lib/ssl/openssl.cnf) into CACERT.

    executed: ./CA.pl -newca (creates the demoCA folder, which consists of the index.txt file, cacert.pem file, private folder, certs folder, newcerts folder, etc.)

    key generated at demoCA/private/: openssl genrsa -out firstkey.pem 1024

    request generated /demoCA/certs/: openssl req -new -key demoCA/private/firstkey.pem -out req1.pem

    (renamed req1.pem as newreq.pem)
    now execute-> ./CA.pl -sign (newcert.pem is created)

    Responder:
    openssl ocsp -index demoCA/index.txt -port 8888 -rsigner newcert.pem -rkey demoCA/private/first.key -CA demoCA/cacert.pem -text -out log.txt


    Advance Thanks & Regards,
    Shivakumar Balur


  2. Re: Fw: Error: unable to get local issuer certificate!!!

    Shivakumar Balur wrote:
    > Hi All,
    >
    > Please provide any solution for
    > error:
    > Response Verify Failure
    > 11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate
    > verify error:ocsp_vfy.c:122:Verify error:*unable to get local issuer
    > certificate*
    > resolve.pem: unknown
    > This Update: Sep 8 16:38:27 2008 GMT
    >
    > more description is provided in below mail
    >
    > Advance Thanks & Regards,
    > Shivakumar
    >
    > ----- Original Message -----
    > *From:* Shivakumar Balur
    > *To:* openssl-users@openssl.org <mailto:openssl-users@openssl.org>
    > *Sent:* Thursday, September 11, 2008 6:43 PM
    > *Subject:* Error: unable to get local issuer certificate!!!
    >
    > Hi,
    >
    > Mail is quite big with description. Please read through and help me.
    >
    > Below are the configuration and execution done for the OCSP request and
    > response.
    >
    > * What is the reason for the error?
    > * What is the solution for the error?
    >
    >
    > Any reply is appreciated.
    >
    >
    > I have even provided the folder structure because the error is related to
    > "unable to get local issuer certificate".
    > *Folder structure: certifiacte/CACERT/demoCA*
    >
    > *CLIENT: *
    > *executed at certificate/*
    >
    > *Root key generated:* openssl genrsa -out *rootkey.pem* 1024
    >
    > *root self-signed certificate: *openssl req -x509 -nodes -days 365
    > -newkey rsa:1024 -keyout* rootkey.pem* -out *rootcert.pem*
    >
    > *request generated:* openssl req -nodes -days 365 -newkey rsa:1024
    > -keyout *reqkey.pem* -out *reqreq.pem*
    >
    > *issuing:* openssl x509 -days 365 -CA *rootcert.pem* -CAkey*
    > rootkey.pem* -req -CAcreateserial -CAserial ca.srl -in *reqreq.pem*
    > -out *resolve.pem*
    >
    > * Request sent:* openssl ocsp -issuer *rootcert.pem* -cert*
    > resolve.pem* -url http://xxx.xxx.xx.xxx:8888 -resp_text -respout
    > *resp.der*
    >
    > error:
    > Response Verify Failure
    > 11114:error:27069065:OCSP routines:OCSP_basic_verify:certificate
    > verify error:ocsp_vfy.c:122:Verify error:*unable to get local issuer
    > certificate*
    > resolve.pem: unknown
    > This Update: Sep 8 16:38:27 2008 GMT
    > ----------------------------------------------------------------------
    > *RESPONDER:*
    > *Folder structure: certifiacte/CACERT/demoCA/private/firstkey.pem*
    > *certifiacte/CACERT/demoCA**/certs*
    > *certifiacte/CACERT/demoCA/index.txt*
    > *certifiacte/CACERT/demoCA/cacert.pem*
    >
    > 1. Created folder (*CACERT*).
    > 2. Copied CA.pl from (*/usr/lib/ssl/misc/CA.pl*) into *CACERT*.
    > 3. Copied openssl.cnf from (*/usr/lib/ssl/openssl.cnf*) into *CACERT*.
    >
    > *executed:* ./CA.pl -newca (creates the *demoCA* folder, which consists of the
    > index.txt file, cacert.pem file, private folder, certs folder, newcerts
    > folder, etc.)
    >
    > *key generated at demoCA/private/:* openssl genrsa -out
    > *firstkey.pem* 1024
    >
    > *request generated /demoCA/certs/: * openssl req -new -key
    > *demoCA/private/firstkey.pem* -out *req1.pem*
    >
    > (renamed req1.pem as newreq.pem)
    > *now execute->* ./CA.pl -sign (newcert.pem is created)
    >
    > *Responder:*
    > openssl ocsp -index *demoCA/index.txt* -port 8888 -rsigner
    > *newcert.pem* -rkey *demoCA/private/first.key* -CA *demoCA/cacert.pem*
    > -text -out log.txt
    >
    >
    > Advance Thanks & Regards,
    > Shivakumar Balur
    >

    Try this:

    openssl ocsp -issuer rootcert.pem -cert resolve.pem -url http://xxx.xxx.xx.xxx:8888 -CAfile rootcert.pem -resp_text -respout resp.der

    You haven't put the CA certificate into the request. That is an idea from a newbie.
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
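
The setup in the thread uses one self-signed root on the client and a separate demoCA on the responder, so it helps to check offline which CA the responder's signing certificate actually chains to. The script below is an added example, not part of the original posts: `client_root`, `responder_ca` and `signer` are constructed stand-ins for rootcert.pem, demoCA/cacert.pem and newcert.pem, all keys are throwaway, and it assumes the `openssl` CLI is on PATH.

```shell
#!/bin/sh
# Added example with constructed file names and throwaway keys; nothing here
# comes from the poster's machines.

# new_ca <prefix> <CN>: self-signed CA written to <prefix>.pem / <prefix>.key
new_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# new_cert <ca_prefix> <prefix> <CN>: certificate for <CN> signed by that CA
new_cert() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -set_serial 1 -in "$2.csr" \
        -CA "$1.pem" -CAkey "$1.key" -out "$2.pem" 2>/dev/null
}

# build_layout <dir>: two unrelated CAs, as in the thread's client/responder split
build_layout() {
    new_ca   "$1/client_root"  "Client Root" &&        # role of rootcert.pem
    new_ca   "$1/responder_ca" "Responder CA" &&       # role of demoCA/cacert.pem
    new_cert "$1/responder_ca" "$1/signer" "OCSP Signer"   # role of newcert.pem
}

# chain_status <anchor.pem> <cert.pem>: prints "OK" or the X.509 verify error
chain_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo "OK"; return 0; }
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
}

demo() {
    d=$(mktemp -d) || return 1
    build_layout "$d" || { rm -rf "$d"; return 1; }
    echo "signer vs client root : $(chain_status "$d/client_root.pem" "$d/signer.pem")"
    echo "signer vs responder CA: $(chain_status "$d/responder_ca.pem" "$d/signer.pem")"
    rm -rf "$d"
}
demo
```

The file that yields `OK` is the one the client has to trust when verifying the response, either through `-CAfile` or by naming the signer certificate itself with `-VAfile` on the `openssl ocsp` command line.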

