Comments on: OCSP verification with OpenSSL
https://backreference.org/2010/05/09/ocsp-verification-with-openssl/
Proudly uncool and out of fashion
Wed, 24 Jul 2013 07:51:17 +0000

By: waldner https://backreference.org/2010/05/09/ocsp-verification-with-openssl/#comment-24962 Wed, 24 Jul 2013 07:51:17 +0000
In reply to Tmt.

Thanks, that has to be considered if doing the verification programmatically.

By: Tmt https://backreference.org/2010/05/09/ocsp-verification-with-openssl/#comment-24961 Tue, 23 Jul 2013 17:45:25 +0000

You need to check also for presence of:

Response verify OK

A response that is signed by unknown signature will still have the

0x0f: good

line

By: helmut https://backreference.org/2010/05/09/ocsp-verification-with-openssl/#comment-24808 Wed, 31 Oct 2012 11:18:29 +0000

Very helpful article, saved me a lot of time, thanks.
Just a remark to the final note:
openssl can handle a proxy server
instead of -url http://ocspserver
just use
-host proxy:port -path http://ocspserver

By: waldner https://backreference.org/2010/05/09/ocsp-verification-with-openssl/#comment-18791 Thu, 17 Mar 2011 17:20:07 +0000
In reply to Nicolae.

As I wrote, "index.txt" is the index file that OpenSSL creates when the CA is set up, and updates every time the CA signs or revokes a certificate. It contains the list of certificates signed or revoked by the CA.
Its location is configured either on the command line, or in the openssl.cnf file (or equivalent):

database = $dir/index.txt # index file.

in the [ ca ] or [ CA_default ] sections. I believe that if you've just set up the CA, the file will be empty. As soon as you sign or revoke certificates, entries will be added by OpenSSL.

Note that this assumes a more or less conventional CA setup using OpenSSL (e.g., using CA.pl); if you are using a different setup, you have to adapt it to your configuration.

By: Nicolae https://backreference.org/2010/05/09/ocsp-verification-with-openssl/#comment-18780 Thu, 17 Mar 2011 11:55:18 +0000

Could you please tell me how I can generate the "index.txt" (-index index.txt)? Is it only an empty text file?
