I'm attempting to use Verisign's OCSP server to verify a certificate that it has issued, for example, amazon.com.
I have the issuer certificate (which was rather hard to find), as well as the amazon0 certificate. I'm using OpenSSL but I don't seem to be able to get the right OCSP responder certificate to verify the response.
openssl ocsp -issuer test4-May2009Oc2010.cer -CAfile veri-ssp-intermediate-ca.crt -nonce -cert amazon0.crt -url http://ocsp.verisign.com
And this is the response:
WARNING: no nonce in response
Response Verify Failure
140735084268796:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
amazon0.crt: good
This Update: Jan 19 00:24:56 2011 GMT
Next Update: Jan 26 00:24:56 2011 GMT
Any suggestions as to where the correct certificate for the OCSP responder might actually be?
You don't need the OCSP responder cert. Your OCSP request worked and you got back your answer: the cert (amazon0.crt) is good, not revoked. The line "no nonce in response" is due to the fact that VeriSign's OCSP responder doesn't send back nonces (due to the large volume of certs it must handle, VeriSign pre-signs the responses and therefore cannot include nonces - it adheres to RFC 5019). You can use -no_nonce to avoid sending a nonce.
To get rid of the "Response Verify Failure" error message, I added the intermediate CA to my CAfile (in your case it's called veri-ssp-intermediate-ca.crt). Here's what I added:
Once I did that, I got:
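As an added, stand-alone example (not code from the question or from the answer above), the script below rebuilds both situations offline with a throw-away PKI: a root, an intermediate, a leaf standing in for amazon0.crt, and a delegated OCSP signing certificate issued by the intermediate. It produces a nonce-free response with openssl's own "-index" responder mode, then verifies that response once with only the root in -CAfile (which fails with the same "unable to get local issuer certificate" error) and once with root plus intermediate (which verifies), and finally shows the "no nonce in response" warning that appears when a nonce is sent against a pre-signed response. The subject names, serial numbers, file names and the WORK directory are all constructed for the demo; the only assumption is that the openssl command-line tool (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: rebuild the failing
# and the fixed verification offline with a throw-away PKI, so the error and
# the effect of putting the intermediate into -CAfile can be observed without
# talking to VeriSign. Subject names, serials, file names and the WORK directory
# are all constructed for the demo; only the openssl CLI (1.1.1 or 3.x) is needed.

WORK="${WORK:-$(mktemp -d)}"

# Root -> intermediate -> { leaf (stands in for amazon0.crt), delegated OCSP
# signer }. Because the responder signs with a certificate issued by the
# intermediate, the intermediate must be reachable when the response is
# verified. The request used to create the response carries no nonce, so the
# response has none either, like a pre-signed (RFC 5019) response.
build_demo_pki() (
    if [ -s "$WORK/resp.der" ]; then exit 0; fi     # already built
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
    for name in root inter leaf ocsp; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo-$name" \
            -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.crt >/dev/null 2>&1 || exit 1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 0x10 \
        -days 30 -extfile ca.ext -out inter.crt >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -set_serial 0x1001 \
        -days 30 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1 || exit 1
    openssl x509 -req -in ocsp.csr -CA inter.crt -CAkey inter.key -set_serial 0x1002 \
        -days 30 -extfile ocsp.ext -out ocsp.crt >/dev/null 2>&1 || exit 1
    # Minimal CA database for "openssl ocsp -index": status, expiry,
    # revocation date (empty = not revoked), serial, file name, subject.
    printf 'V\t400101000000Z\t\t1001\tunknown\t/CN=Demo-leaf\n' > index.txt
    # Nonce-free request for the leaf, answered and signed by the delegated signer.
    openssl ocsp -issuer inter.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
    [ -s req.der ] || exit 1
    openssl ocsp -index index.txt -CA inter.crt -rsigner ocsp.crt -rkey ocsp.key \
        -rmd sha256 -ndays 7 -reqin req.der -respout resp.der >/dev/null 2>&1
    [ -s resp.der ] || exit 1
    # The fix from the answer: one -CAfile holding the root and the intermediate.
    cat root.crt inter.crt > chain.pem
)

# Verify the stored response against one trust file and print only the verdict.
# No -issuer/-cert is passed, so the responder's chain must be completed from
# -CAfile plus whatever the response embeds (the signer only), which is the
# situation behind "unable to get local issuer certificate".
verdict() {
    build_demo_pki || return 1
    openssl ocsp -respin "$WORK/resp.der" -CAfile "$1" 2>&1 | grep '^Response' | head -n 1
}

# The corrected command from the answer: intermediate present in -CAfile and
# -no_nonce because the response was pre-signed. Prints the leaf's status line.
leaf_status() {
    build_demo_pki || return 1
    (cd "$WORK" && openssl ocsp -issuer inter.crt -cert leaf.crt -no_nonce \
        -respin resp.der -CAfile chain.pem 2>&1) | grep '^leaf.crt:'
}

# Same check but sending a nonce: a pre-signed response cannot echo it back,
# which is the "WARNING: no nonce in response" line in the question.
nonce_warning() {
    build_demo_pki || return 1
    (cd "$WORK" && openssl ocsp -issuer inter.crt -cert leaf.crt -nonce \
        -respin resp.der -CAfile chain.pem 2>&1) | grep '^WARNING'
}

echo "root only in -CAfile:           $(verdict "$WORK/root.crt")"
echo "root + intermediate in -CAfile: $(verdict "$WORK/chain.pem")"
echo "leaf status:                    $(leaf_status)"
echo "sending a nonce:                $(nonce_warning)"
```

The first verdict is "Response Verify Failure" and the second "Response verify OK": nothing about the response changes between the two runs, only whether the trust file lets openssl walk from the responder's signing certificate up to a root. The nonce run still verifies and still reports the leaf as good; the warning only says the request's nonce was not echoed, which is what a pre-signed responder does by design.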