Why do I get Verify error:unable to get local issuer certificate when I run openssl ocsp?
I'm trying to validate a client certificate on an OCSP server but it fails.

This is the command that I'm trying to run:

openssl ocsp -issuer test_ca_cert.pem -cert my_test_client_cert.pem -text -url http://demo.server.com/ocsp

This is the output:

OCSP Request Data:
...
OCSP Response Data:
....
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Response Verify Failure
140530622551704:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
my_test_client_cert.pem: good
    This Update: Jan 17 15:56:46 2017 GMT

I checked that the Issuer in my client cert is the same as the one in test_ca_cert.pem.

What am I doing wrong? How can I fix this?

Thank you

Mahan answered 17/1, 2017 at 16:9 Comment(4)
Maybe you need to add -CAfile with the trusted certificates. They are used to verify the signature of the OCSP response. (Commendation)
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? (Mcknight)
Ok. Thank you. I did not know that this was off-topic. Sorry for the confusion :D (Mahan)
@Mahan: are these PEM files created using the openssl command? Once the OCSP response is received, the responder ID's cert shall be validated against the trusted store to see if it is present; otherwise the above error is returned. I would recommend adding -verify_other test_ca_cert.pem to your request and seeing whether the response verification fails or not. (Pertain)

Using -CAfile as @pedrofb suggested worked for me, though not with the root certificate alone or the intermediate alone: it needed the root and the intermediate bundled together (i.e. cat root.pem intermediate.pem > bundle.pem):

openssl ocsp                              \
    -CAfile root.cert.pem                 \
    -issuer intermediate.cert.pem         \
    -cert server.cert.pem                 \
    -text                                 \
    -url http://ocsp.example.com
Toler answered 10/7, 2018 at 19:20 Comment(0)
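The failing command from the question and the two fixes proposed on this page (the answer's bundled -CAfile and the comment's -verify_other) can be reproduced end to end against a throwaway PKI. The script below is an added example written for this page, not code from the question, the answer or the OpenSSL project; every file name, subject name and serial number in it is constructed for the demo, and it assumes only an openssl binary on PATH. It creates a root, an intermediate, a delegated OCSP responder certificate and a leaf, answers an OCSP request offline (openssl acting as responder from an index file, so no port is opened), and then verifies the stored response three ways: with no trust anchor, which reproduces "unable to get local issuer certificate"; with the root+intermediate bundle; and with -CAfile root.pem plus -verify_other int.pem.

```shell
#!/bin/sh
# Added example for this page (not from the question or the answer). Everything
# below is constructed: CA names, file names and serial numbers are made up, and
# the only assumption is an `openssl` binary on PATH.
#
# root -> int -> { leaf, ocsp }   (ocsp = delegated responder, extendedKeyUsage=OCSPSigning)

D="${OCSP_DEMO_DIR:-$(mktemp -d)}"   # scratch directory for keys, certs, request and response

# Issue one certificate. $1 = name, $2 = issuer name or "self", $3 = serial, $4 = extension file.
ocsp_demo_issue() {
    openssl genrsa -out "$D/$1.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$D/$1.key" -subj "/CN=Demo $1" -out "$D/$1.csr" 2>/dev/null || return 1
    if [ "$2" = self ]; then
        openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -set_serial "$3" -days 30 \
            -extfile "$D/$4" -out "$D/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" -set_serial "$3" \
            -days 30 -extfile "$D/$4" -out "$D/$1.pem" 2>/dev/null
    fi
}

# Build the throwaway PKI once (idempotent, so repeated calls reuse the files).
ocsp_demo_build_pki() {
    [ -f "$D/bundle.pem" ] && return 0
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > "$D/ocsp.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$D/leaf.ext"
    ocsp_demo_issue root self 1 ca.ext      || return 1
    ocsp_demo_issue int  root 2 ca.ext      || return 1
    ocsp_demo_issue ocsp int  3 ocsp.ext    || return 1
    ocsp_demo_issue leaf int  4097 leaf.ext || return 1
    # The answer's fix: root and intermediate in one trust file.
    cat "$D/root.pem" "$D/int.pem" > "$D/bundle.pem"
}

# Produce the OCSP response offline: openssl acts as responder from a CA index file and
# answers a request read from disk, so nothing has to listen on a port.
ocsp_demo_respond() {
    [ -f "$D/resp.der" ] && return 0
    serial=$(openssl x509 -in "$D/leaf.pem" -noout -serial | cut -d= -f2)
    # index.txt columns: status (V = valid), expiry, revocation date (empty), serial (hex), file, subject
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=Demo leaf\n' "$serial" > "$D/index.txt"
    # Client side: the same -issuer/-cert pair the question uses, written to a file instead of sent.
    openssl ocsp -issuer "$D/int.pem" -cert "$D/leaf.pem" -no_nonce -reqout "$D/req.der" >/dev/null 2>&1 || return 1
    # Responder side: sign the status with the delegated responder key; its cert travels in the response.
    openssl ocsp -index "$D/index.txt" -CA "$D/int.pem" -rsigner "$D/ocsp.pem" -rkey "$D/ocsp.key" \
        -reqin "$D/req.der" -respout "$D/resp.der" >/dev/null 2>&1
}

# Verify the stored response the way the question does (-issuer plus -cert); extra options such
# as -CAfile are passed through. Prints openssl's combined output and returns its exit status.
ocsp_demo_verify() {
    openssl ocsp -respin "$D/resp.der" -issuer "$D/int.pem" -cert "$D/leaf.pem" -no_nonce "$@" 2>&1
}

ocsp_demo_main() {
    ocsp_demo_build_pki && ocsp_demo_respond || { echo "setup failed in $D" >&2; return 1; }
    echo "== no trust anchor given (reproduces the question's error):"
    ocsp_demo_verify
    echo "== -CAfile with the root+intermediate bundle (the answer):"
    ocsp_demo_verify -CAfile "$D/bundle.pem"
    echo "== -CAfile root only, intermediate supplied with -verify_other (the comment's suggestion):"
    ocsp_demo_verify -CAfile "$D/root.pem" -verify_other "$D/int.pem"
    echo "artifacts left in $D"
}

ocsp_demo_main
```

The error is not about the client certificate at all: the "good" status is still printed in the failing run. What fails is OCSP_basic_verify building a chain from the certificate that signed the response (the delegated responder cert embedded in it) up to something in the trust store, and -issuer does not populate that store. With the bundle, both the intermediate and the root are trusted, so the chain closes regardless of how a given OpenSSL version treats the -issuer certificate as chain material; -verify_other achieves the same by handing the intermediate over as untrusted chain material while only the root is trusted.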
