Ultimately, I am trying to configure an OCSP server on Ubuntu 20.04, but I cannot even verify any certs issued by my intermediate CA yet.
I have configured a root CA called ca-root.mydomain.org. I have also configured an intermediate CA called ca-sub.mydomain.org. Finally, there is my future OCSP server, ocsp-server.mydomain.org.
First, I make a self-signed cert, ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain PEM file, "sub-chain.pem". It contains the sub-CA cert, then the ca-root cert, in that order.
Next, I copy both ca_root_cert_file and ca_sub_cert_file to a "$CA_ROOTS_HASHES_DIR" directory, and copy all the root certs in /etc/ssl/certs there as well. I run the openssl utility `c_rehash -v "$CA_ROOTS_HASHES_DIR"`. I expect I can now use this directory as the argument for the `-CApath` parameter of `openssl verify`.
Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain PEM file, "ocsp_signer_chain.pem". It contains the ocsp-server cert, the sub-CA cert, then the ca-root cert, in that order. I don't expect to need this ocsp_signer_chain.pem, but I have it.
I can use `openssl verify` to verify ca_sub_cert_file:

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"
OK
Chain:
depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted)
depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = [email protected]
```
But I can't verify ocsp-server_cert_file. I always get `error 20 at 0 depth lookup: unable to get local issuer certificate`.

I've tried `-CAfile` with sub-chain.pem vs. ocsp_signer_chain.pem vs. `-CApath "$CA_ROOTS_HASHES_DIR"`.
I've tried with and without `-untrusted "$ca_sub_cert_file"`:

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted "$ca_sub_cert_file" "$ocsp-server_cert_file"
C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed
```
What am I doing wrong? I've been searching for days, but the answers I've found all end with using `-CApath` or `-CAfile`.
I'm surprised that even when verifying ca_sub_cert_file, openssl reports "ca-sub.mydomain.org (untrusted)". I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/
My CA conf files work for self-signing and for signing ca-sub, which leads me to think that it is not a conf problem. However, I have already learned that it is easy to make conf files that are wrong, with no warning from openssl.
Here are my conf files on GitHub.
Here is the ca_extensions section of both ca.conf files:

```ini
[ ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://ca-root.mydomain.org/crl/mydomain.crl.pem
authorityInfoAccess = OCSP;URI:http://ca-root.mydomain.org:8083
```
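The procedure described in the question, as an added, self-contained example (not the poster's scripts or conf files, and every name in it is hypothetical): it builds a root -> sub -> OCSP-signer chain with throwaway P-256 keys, creates the hashed trust directory by hand the way c_rehash does, and runs the same `openssl verify -CApath ... -untrusted ...` call. It then shows one way, stated here as an assumption rather than a diagnosis of the poster's setup, that the reported "error 20 at 0 depth lookup" arises: the sub CA is re-issued with a fresh key under the same name, so the leaf's authorityKeyIdentifier no longer matches the subjectKeyIdentifier of the sub-CA cert handed to verify, and verify rejects that cert as the issuer even though the names agree. The `skid`/`akid` helpers print the two identifiers so the check can be made on real files.

```sh
#!/bin/sh
# Added example, not from the question. Requires only the openssl CLI (1.1.1+).
set -eu

# Minimal req config so the system openssl.cnf is never consulted; -subj supplies
# the real subject, but req insists on a distinguished_name section existing.
write_req_cnf() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' >"$1"
}

# issue NAME SUBJECT ISSUER EXTS: fresh P-256 key + CSR, signed by ISSUER.crt/.key
# (or self-signed when ISSUER is "self") with the X509v3 extensions in EXTS.
issue() {
  name=$1 subj=$2 issuer=$3
  printf '%s\n' "$4" >"$name.ext"
  openssl ecparam -genkey -name prime256v1 -noout -out "$name.key"
  openssl req -new -config req.cnf -key "$name.key" -subj "$subj" -out "$name.csr"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# CA extensions (root and sub) and OCSP-signer extensions; hypothetical values.
CA_EXTS='basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer'
OCSP_EXTS='basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer'

# hash_dir DIR CERT...: store each cert as DIR/<subject-hash>.N, which is all
# c_rehash does and exactly what -CApath looks certificates up by.
hash_dir() {
  dir=$1; shift; mkdir -p "$dir"
  for c in "$@"; do
    h=$(openssl x509 -noout -hash -in "$c"); n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    cp "$c" "$dir/$h.$n"
  done
}

# skid CERT / akid CERT: the hex key identifiers that verify matches up (alongside
# the issuer/subject names) when choosing an issuer for a certificate.
skid() { openssl x509 -noout -ext subjectKeyIdentifier -in "$1" | sed -n '2{s/ //g;p;}'; }
akid() { openssl x509 -noout -ext authorityKeyIdentifier -in "$1" | sed -n '2{s/keyid://;s/ //g;p;}'; }

# build_chain DIR: root, sub, leaf, plus DIR/trust holding only the root.
build_chain() (
  mkdir -p "$1" && cd "$1"
  write_req_cnf req.cnf
  issue root '/CN=ca-root.example.test'     self "$CA_EXTS"
  issue sub  '/CN=ca-sub.example.test'      root "$CA_EXTS"
  issue leaf '/CN=ocsp-signer.example.test' sub  "$OCSP_EXTS"
  hash_dir trust root.crt
)

# verify_leaf DIR SUBCERT: the verify call from the question. Exit status is
# openssl's: 0 when the chain builds to the trusted root, non-zero otherwise.
verify_leaf() (
  cd "$1" && openssl verify -show_chain -CApath trust -untrusted "$2" leaf.crt
)

# reissue_sub DIR: a second sub-CA cert with the same name but a NEW key, as
# re-running a CA setup script would produce. leaf.crt was not signed by it.
reissue_sub() (
  cd "$1" && issue sub2 '/CN=ca-sub.example.test' root "$CA_EXTS"
)

demo() {
  d=$1
  build_chain "$d"
  echo "== matching intermediate: leaf and sub are (untrusted) input, root comes from -CApath"
  verify_leaf "$d" sub.crt
  reissue_sub "$d"
  echo "== same subject name, different key: error 20 at depth 0"
  verify_leaf "$d" sub2.crt 2>&1 || true
  echo "leaf AKID : $(akid "$d/leaf.crt")"
  echo "sub  SKID : $(skid "$d/sub.crt")   (matches)"
  echo "sub2 SKID : $(skid "$d/sub2.crt")   (does not)"
}

demo "$(mktemp -d)"
```

The first verify succeeds and lists the leaf and the sub cert as (untrusted), as in the question: that label marks the certificates that came from the command line or `-untrusted` rather than out of the `-CApath` store, and the root, found in the store, carries no label. The second verify fails with `error 20 at 0 depth lookup: unable to get local issuer certificate` even though sub2.crt has the right name, because its SKID is not the leaf's AKID. Running `skid` on the sub-CA cert actually being supplied and `akid` on the failing leaf is the quickest way to confirm or rule out this cause on real files.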