I did some experiments with the OpenSSL OCSP responder. Everything works fine if I use the CA certificate and the CA key (!) as rsigner/rkey for OpenSSL OCSP:
openssl ocsp -index index.txt -port 4444 -CA /etc/openvpn/pki/ca.crt -rsigner /etc/openvpn/pki/ca.crt -rkey /home/offline-ca/easyrsa/private/ca.key
Enter pass phrase for private/ca.key:
My question is: what are the requirements for an OpenSSL OCSP responder rsigner/rkey? I tried other keys, created with easyrsa. The problem is that OpenVPN always shows an error with rsigner/rkey files other than the CA certificate and key:
openssl ocsp -index index.txt -port 4444 -CA ca.crt -rsigner issued/ocsp-test.crt -rkey private/oscp-test.key

Nov 21 22:37:33 cecilia openvpn[14201]: Validating certificate extended key usage
Nov 21 22:37:33 cecilia openvpn[14201]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 21 22:37:33 cecilia openvpn[14201]: VERIFY EKU OK
Nov 21 22:37:33 cecilia openvpn[14201]: WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Nov 21 22:37:33 cecilia openvpn[14201]: VERIFY SCRIPT ERROR: depth=0, CN=mybox.example.com
Nov 21 22:37:33 cecilia openvpn[14201]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 21 22:37:33 cecilia openvpn[14201]: TLS_ERROR: BIO read tls_read_plaintext error
Nov 21 22:37:33 cecilia openvpn[14201]: TLS Error: TLS object -> incoming plaintext read error
Nov 21 22:37:33 cecilia openvpn[14201]: TLS Error: TLS handshake failed
Nov 21 22:37:33 cecilia openvpn[14201]: SIGUSR1[soft,tls-error] received, process restarting
tls-verify /etc/openvpn/pki/OCSP_check.sh
script-security 2

ocsp_url="http://localhost:4444/"
issuer="/etc/openvpn/pki/ca.crt"
verify="/etc/openvpn/pki/ca.crt"

ocsp_url="http://localhost:4444/"
issuer="/etc/openvpn/pki/ca.crt"
verify="/home/offline-ca/easyrsa/private/ca.key"
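Added example, not part of the post above and not OpenVPN's or easyrsa's own code: the OpenSSL OCSP client (the `openssl ocsp` call inside a tls-verify script) accepts an OCSP response only if the certificate that signed it is either the issuing CA certificate itself or a certificate issued by that same CA carrying the "OCSP Signing" extended key usage (RFC 6960 section 4.2.2.2), unless the client is explicitly told to trust the responder (-VAfile / -trust_other). The script below checks a candidate rsigner certificate against exactly those two conditions, and with no arguments it builds a throwaway PKI in a temp directory (CA, a server certificate with the TLS Web Server Authentication EKU like the one in the log above, and a dedicated OCSP signer) and runs the check on all three. All file names, subject names and the minimal openssl.cnf are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum post): decides whether CANDIDATE_CERT is
# acceptable to `openssl ocsp` as the signer of responses about certificates
# issued by CA_CERT. Accepted signers are (1) the CA itself or (2) a leaf
# issued by that CA with the "OCSP Signing" extended key usage.
set -e

# check_ocsp_signer CA_CERT CANDIDATE_CERT -> exit status 0 if acceptable
check_ocsp_signer() {
    ca="$1"; cand="$2"
    ca_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$ca")
    cand_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cand")
    if [ "$ca_fp" = "$cand_fp" ]; then
        echo "OK:   $cand is the issuing CA itself"
        return 0
    fi
    # A delegated responder must chain to the CA that issued the certificates
    # it answers for, not merely to some other trusted CA.
    if ! openssl verify -CAfile "$ca" "$cand" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cand does not chain to $ca"
        return 1
    fi
    # ...and must be marked for OCSP signing. A server certificate
    # (EKU "TLS Web Server Authentication") is rejected at this point.
    if ! openssl x509 -noout -text -in "$cand" | grep -q 'OCSP Signing'; then
        echo "FAIL: $cand lacks the OCSP Signing extended key usage"
        return 1
    fi
    echo "OK:   $cand is a delegated OCSP responder certificate"
    return 0
}

# issue_leaf DIR NAME EKU: sign a leaf certificate with the demo CA in DIR,
# adding only the given extendedKeyUsage value (constructed demo PKI).
issue_leaf() {
    dir="$1"; name="$2"; eku="$3"
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    printf 'extendedKeyUsage = %s\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# make_demo_pki DIR: throwaway CA plus a server cert (serverAuth) and a
# dedicated OCSP responder cert (OCSPSigning), all issued by that CA.
make_demo_pki() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1
    issue_leaf "$dir" server serverAuth
    issue_leaf "$dir" ocsp-signer OCSPSigning
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH; nothing to demo" >&2; return 0; }
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_ocsp_signer "$d/ca.crt" "$d/ca.crt"               # OK: the CA itself (the working setup in the post)
    check_ocsp_signer "$d/ca.crt" "$d/ocsp-signer.crt"      # OK: delegated responder with OCSP Signing EKU
    check_ocsp_signer "$d/ca.crt" "$d/server.crt" || true   # FAIL: server certificate, wrong EKU
    rm -rf "$d"
}

# Usage: ./ocsp-signer-check.sh CA_CERT CANDIDATE_CERT, or no arguments for the demo.
if [ $# -eq 2 ]; then
    check_ocsp_signer "$1" "$2"
else
    demo
fi
```

Running it as `./ocsp-signer-check.sh ca.crt issued/ocsp-test.crt` tells you which of the two conditions the easyrsa-issued certificate fails; a certificate built as a server certificate fails on the EKU condition, and the responder-side fix is to issue the rsigner certificate from the same CA with extendedKeyUsage = OCSPSigning. Separately, the `verify` variable in OpenVPN's contrib OCSP_check.sh names the CA certificate that `openssl ocsp` validates the response against, so it should point at a certificate file rather than a private key.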