On Wed, Feb 4, 2009 at 8:04 PM, Robert Relyea <rrel...@redhat.com> wrote:
> Ahnjoan Amous wrote:
>>
>> I'm attempting configuration of mod_nss to use an OCSP responder. My
>> OCSP responder uses a self signed certificate (call it OCSPcert) to
>> sign responses, my web server uses a certificate (call it SERVERcert)
>> signed by a trusted CA (call it CA1cert). I also have a second
>> trusted CA (call it CA2cert) that has issued my client certificates
>> (CLIENTcert).
>
>> I'm experiencing the following behavior
>>
>> Certificate not verified: 'Server-Cert'
>> SSL Library Error: -8062 The signer of the OCSP response is not authorized to give status for this certificate
>> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>>
>>
>> A packet capture shows that a successful OCSP attempt is made to verify
>> the server's certificate. Then a second OCSP attempt is made to verify
>> the first client certificate and once that fails never tries again.
>> The following show up in the apache error log for each user attempt to
>> view a web page.
>> Bad remote server certificate: -8071
>> SSL Library Error: -8071 The OCSP server experienced an internal error
>> SSL Library Error: -8071 The OCSP server experienced an internal error
>>
>> Any suggestions on how to fix this would be greatly appreciated.
>>
>
> 1. Don't use a self-signed cert for your OCSP responder.
>
> OCSP responses need to be signed by a trusted certificate. That certificate
> can be trusted in the following ways:
> 1) The OCSP response is signed by the CA that issued the certificate you are
> validating.
> 2) The OCSP response is signed by a certificate that is used by the same CA
> that issued the certificate you are validating with the appropriate OCSP
> extension in the certificate.
> 3) The OCSP response is signed by a certificate issued by a central OCSP
> service which you have explicitly selected.
>
> #3 is fairly rare, and is usually used by certain services which sell OCSP
> validation to corporations. In this case you also explicitly configure your
> OCSP responder. I don't know how this can be configured in mod_nss. There
> was a feature in the browser to configure this, I don't know if it still
> works.
>
> In general, you place an OCSP AIA extension in your certificate at issuance
> time. You probably want separate responders for each CA (otherwise your
> responder will have to have code to choose the correct OCSP certificate to
> use based on the certificate you are giving the response for). Sign your
> OCSP certificate with the CA which is issuing certificates your responder is
> reporting on. Make sure that certificate has the appropriate OCSP
> extensions.
>
> bob
Unfortunately I don't have a choice as to what OCSP responder or signing
certificate the responses are signed with. I do have hope that mod_nss works
in my environment because another user posted to BigAdmin
(http://www.sun.com/bigadmin/content/submitted/ocsp_apache_mod_nss.jsp)
that mod_nss works in OUR environment.

If anyone has any other suggestion on where I am going wrong I would really
appreciate it.

Thanks
Ahnjoan

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
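As an added illustration, not code from this thread or from NSS/mod_nss, the following Python models the three responder-acceptance rules Bob lists (the same three RFC 6960 section 4.2.2.2 specifies) and runs them over the certificates named in the original post. Key labels stand in for real public keys and signature verification, the certificate and response classes hold only the fields the rule consults, and the names Cert, OcspResponse, check_response and thread_scenario are assumptions of this example; the corrected layout at the end (one delegated responder per issuing CA) is Bob's suggestion rendered as data.

```python
from dataclasses import dataclass

# Dotted OID for id-kp-OCSPSigning (RFC 6960, section 4.2.2.2).
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate holding only the
    fields the authorization rule consults. `key` and `issuer_key` are
    opaque labels standing in for public keys; comparing them replaces
    the real signature verification NSS would perform."""
    subject: str
    key: str
    issuer: str
    issuer_key: str
    ekus: frozenset = frozenset()


@dataclass(frozen=True)
class OcspResponse:
    """The parts of a signed OCSP response the check needs."""
    subject_reported: str   # subject of the certificate whose status is given
    signer: Cert            # responder certificate carried in the response
    signing_key: str        # key label that produced the response signature


def check_response(resp, target, issuer_cert, trusted_responders=frozenset()):
    """Decide whether resp.signer may give status for `target`, whose issuer
    certificate is `issuer_cert`. Returns (authorized, reason). Rules 1-3
    are the three cases from RFC 6960 section 4.2.2.2; `trusted_responders`
    models rule 3, a responder selected by explicit local configuration."""
    if resp.subject_reported != target.subject:
        return False, "response is about a different certificate"
    if resp.signing_key != resp.signer.key:
        return False, "response signature does not verify against responder cert"
    s = resp.signer
    # Rule 1: the issuing CA signed the response itself.
    if s.key == issuer_cert.key:
        return True, "rule 1: signed by the CA that issued the target"
    # Rule 2: a delegated responder issued by that same CA and marked with
    # id-kp-OCSPSigning. A responder issued by any other CA fails here.
    if (s.issuer == issuer_cert.subject and s.issuer_key == issuer_cert.key
            and OCSP_SIGNING_EKU in s.ekus):
        return True, "rule 2: delegated responder issued by the target's CA"
    # Rule 3: responder trusted by explicit local configuration.
    if s.subject in trusted_responders:
        return True, "rule 3: explicitly trusted responder"
    return False, ("signer is not authorized to give status for this "
                   "certificate (the condition NSS reports as -8062)")


def thread_scenario():
    """Model the certificates from the thread plus a corrected layout
    (constructed data). Returns {case: authorized} for each check."""
    ca1 = Cert("CA1cert", "k_ca1", "CA1cert", "k_ca1")
    ca2 = Cert("CA2cert", "k_ca2", "CA2cert", "k_ca2")
    server = Cert("SERVERcert", "k_srv", "CA1cert", "k_ca1")
    client = Cert("CLIENTcert", "k_cli", "CA2cert", "k_ca2")
    # The self-signed responder certificate from the original post.
    ocsp_self = Cert("OCSPcert", "k_ocsp", "OCSPcert", "k_ocsp")
    # Suggested layout: one delegated responder per issuing CA, each
    # signed by that CA and carrying the OCSP signing EKU.
    ocsp_ca1 = Cert("OCSP-for-CA1", "k_o1", "CA1cert", "k_ca1",
                    frozenset({OCSP_SIGNING_EKU}))
    ocsp_ca2 = Cert("OCSP-for-CA2", "k_o2", "CA2cert", "k_ca2",
                    frozenset({OCSP_SIGNING_EKU}))

    def resp(target, signer):
        return OcspResponse(target.subject, signer, signer.key)

    return {
        "self_signed_for_server": check_response(resp(server, ocsp_self), server, ca1)[0],
        "self_signed_for_client": check_response(resp(client, ocsp_self), client, ca2)[0],
        "ca1_itself_for_server": check_response(resp(server, ca1), server, ca1)[0],
        "delegated_ca1_for_server": check_response(resp(server, ocsp_ca1), server, ca1)[0],
        "delegated_ca2_for_client": check_response(resp(client, ocsp_ca2), client, ca2)[0],
        # Wrong CA's responder: has the EKU but was not issued by the target's CA.
        "delegated_ca2_for_server": check_response(resp(server, ocsp_ca2), server, ca1)[0],
        # Rule 3: accepted only when the responder is explicitly configured as trusted.
        "self_signed_trusted_for_server": check_response(
            resp(server, ocsp_self), server, ca1, frozenset({"OCSPcert"}))[0],
    }


if __name__ == "__main__":
    for case, ok in thread_scenario().items():
        print(f"{case:32s} {'authorized' if ok else 'REJECTED'}")
```

Running it shows why the self-signed responder is rejected for both the server and the client certificate, why a responder certificate issued by CA2 still cannot vouch for a certificate issued by CA1, and that the only route left for an unchangeable self-signed responder is the explicit-trust rule, which Bob notes he does not know how to configure in mod_nss.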