• caglararli@hotmail.com
  • 05386281520

OCSP invalidation of intermediate CA using OCSP_SIGNING

Çağlar Arlı      -    5 Views

OCSP invalidation of intermediate CA using OCSP_SIGNING

I'm implementing an OCSP server to answer OCSP requests for my custom CA.

I already implemented the invalidation of leaves certificates, with the intermediate CA certificate signing the OCSP response, and it seems to be working.

However, I have troubles implementing the OCSP response to invalidate a intermediate certificate. I believe this is a bad idea to use the root certificate to sign the OCSP response, therefore I was looking at the OCSP delegation of authority defined in RFC 6960. I have generated, using my root certificate, a certificate which I believe to be able to sign OCSP responses for OCSP requests about the other intermediate certificates :

Data:
    Version: 3 (0x2)
    ... //redacted
    X509v3 extensions:
        X509v3 Key Usage: critical
            CRL Sign
        X509v3 Basic Constraints: critical
            CA:FALSE

        OCSP No Check: critical

        X509v3 Extended Key Usage: 
            OCSP Signing

Let's call this certificate X

However, when I challenge my OCSP server with a request, openssl gives me the following answer :

$ openssl ocsp -issuer /tmp/ca-root -cert /tmp/inter -text -url http://127.0.0.1:5000/1/ocsp-inter/
...
Response Verify Failure
139690508489984:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:crypto/ocsp/ocsp_vfy.c:40:
139690508489984:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:crypto/ocsp/ocsp_vfy.c:40:
/tmp/inter: ERROR: No Status found.

What am I missing ? If I select the certificate X for the -issuer switch of openSSL it works, but it feels wrong.

I also had a look at the AIA extensions, and I'm unsure if the CA_ISSUER field should point to the root-ca, or to my certificate X

Thanks in advance helping me understand this