Ultimately, I am trying to configure an ocsp server on ubuntu 20.4, but I cannot even verify any certs issued by my intermediate CA yet.
I have configured a ca-root called ca-root.mydomain.org. I also have configured a intermediate ca called ca-sub.mydomain.org. Finally, there is my future ocsp server, ocsp-server.mydomain.org.
First, I make a self-signed cert ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain pem file “sub-chain.pem”. It contains the sub-ca cert, then the ca-root cert, in that order.
Next, I then copy both ca_root_cert_file and ca_sub_cert_file to a “$CA_ROOTS_HASHES_DIR” directory, and copy all the root certs in
/etc/ssl/certs there as well. I run the openssl utility
c_rehash -v "$CA_ROOTS_HASHES_DIR". I expect I can now use this as the argument for the
-CApaths parameter of
Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain pem file “ocsp_signer_chain.pem”. It contains the ocsp-server cert, the sub-ca cert, then the ca-root cert, in that order. I don’t expect to need this ocsp_signer_chain.pem, but I have it.
I can use openssl verify to verify ca_sub_cert_file:
`openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"` OK Chain: depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted) depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = email@example.com
But I can’t verify ocsp-server_cert_file. I always get
error 20 at 0 depth lookup: unable to get local issuer certificate.
I’ve tried CAfile with sub-chain.pem vs. ocsp_signer_chain.pem vs.
I’ve tried with and without
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted "$ca_sub_cert_file" "$ocsp-server_cert_file"` C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org error 20 at 0 depth lookup: unable to get local issuer certificate error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed
What am I doing wrong? I’ve been searching for days, but the answers I’ve found all end with using CApath or CAfile
I’m surprised that even when verifying ca_sub_cert_file, openssl reports “ca-sub.mydomain.org (untrusted)” I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/