
OCSP invalidation of intermediate CA using OCSP_SIGNING

Çağlar Arlı


I'm implementing an OCSP server to answer OCSP requests for my custom CA.

I already implemented the invalidation of leaf certificates, with the intermediate CA certificate signing the OCSP response, and it seems to be working.

However, I have trouble implementing the OCSP response to invalidate an intermediate certificate. I believe it is a bad idea to use the root certificate to sign the OCSP response, therefore I was looking at the OCSP delegation of authority defined in RFC 6960. I have generated, using my root certificate, a certificate which I believe to be able to sign OCSP responses for OCSP requests about the other intermediate certificates:

Data:
    Version: 3 (0x2)
    ... //redacted
    X509v3 extensions:
        X509v3 Key Usage: critical
            CRL Sign
        X509v3 Basic Constraints: critical
            CA:FALSE

        OCSP No Check: critical

        X509v3 Extended Key Usage: 
            OCSP Signing

Let's call this certificate X.

However, when I challenge my OCSP server with a request, openssl gives me the following answer:

$ openssl ocsp -issuer /tmp/ca-root -cert /tmp/inter -text -url http://127.0.0.1:5000/1/ocsp-inter/
...
Response Verify Failure
139690508489984:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:crypto/ocsp/ocsp_vfy.c:40:
139690508489984:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:crypto/ocsp/ocsp_vfy.c:40:
/tmp/inter: ERROR: No Status found.

What am I missing? If I select certificate X for the -issuer switch of OpenSSL, it works, but it feels wrong.

I also had a look at the AIA extensions, and I'm unsure if the CA_ISSUER field should point to the root CA or to my certificate X.

Thanks in advance for helping me understand this.