cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

ocsprefresh 8100 Certificate not issued by this issuer #1105

Open Roydon opened 4 years ago

Roydon commented 4 years ago

I set up cfssl following part1, part2 & part3.

Here is every command I use:

root@2e4741a2f4dc:/certs# cfssl genkey -initca rootCA.csr.json |cfssljson -bare rootCA/rootCA
2020/04/25 12:41:20 [INFO] generate received request
2020/04/25 12:41:20 [INFO] received CSR
2020/04/25 12:41:20 [INFO] generating key: ecdsa-256
2020/04/25 12:41:20 [INFO] encoded CSR
2020/04/25 12:41:20 [INFO] signed certificate with serial number 346108995851250272398841978321708234425639934551

root@2e4741a2f4dc:/certs# cfssl gencert -ca=rootCA/rootCA.pem -ca-key=rootCA/rootCA-key.pem -config=config.json -profile=intermediate intermediateCA.csr.json |cfssljson -bare intermediateCA/intermediateCA
2020/04/25 16:25:53 [INFO] generate received request
2020/04/25 16:25:53 [INFO] received CSR
2020/04/25 16:25:53 [INFO] generating key: ecdsa-256
2020/04/25 16:25:53 [INFO] encoded CSR
2020/04/25 16:25:54 [INFO] signed certificate with serial number 715552985888621395857351072814540407944033757973

root@2e4741a2f4dc:/certs# cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile=server server.csr.json |cfssljson -bare server/server
2020/04/25 16:27:14 [INFO] generate received request
2020/04/25 16:27:14 [INFO] received CSR
2020/04/25 16:27:14 [INFO] generating key: ecdsa-256
2020/04/25 16:27:14 [INFO] encoded CSR
2020/04/25 16:27:14 [INFO] signed certificate with serial number 74981091603180865792373455117871469360090455285

root@2e4741a2f4dc:/certs# cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp
2020/04/25 17:08:35 [INFO] generate received request
2020/04/25 17:08:35 [INFO] received CSR
2020/04/25 17:08:35 [INFO] generating key: ecdsa-256
2020/04/25 17:08:35 [INFO] encoded CSR
2020/04/25 17:08:35 [INFO] signed certificate with serial number 11353461959819268503452347225812683251727140087
2020/04/25 17:08:35 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
root@2e4741a2f4dc:/certs#

Then I was able to start cfssl with the following command:

cfssl serve -db-config=/config/db-connect.json -ca=/cert/server.pem -ca-key=/cert/server-key.pem -config=/config/config.json -responder=/cert/ocsp.pem -responder-key=/cert/ocsp-key.pem -address=0.0.0.0

with this config:

{
  "signing": {
    "default": {
      "ocsp_url": "http://localhost:8889",
      "crl_url": "http://localhost:8888/api/v1/cfssl/crl",
      "expiry": "26280h"
    },
    "profiles": {
      "intermediate": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "ocsp": {
        "usages": [
          "digital signature",
          "ocsp signing"
        ],
        "expiry": "26280h"
      },
      "serverCA": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "cert sign",
          "crl sign"
        ]
      },
      "server": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth",
          "email protection"
        ]
      }
    }
  }
}

The cfssl logs confirmed it started OK:

2020/04/24 22:12:55 [INFO] Initializing signer
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/ocspsign' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2020/04/24 22:12:55 [INFO] setting up key / CSR generator
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2020/04/24 22:12:55 [INFO] bundler API ready
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2020/04/24 22:12:55 [INFO] endpoint '/' is enabled
2020/04/24 22:12:55 [INFO] Handler set up complete.
2020/04/24 22:12:55 [INFO] Now listening on 0.0.0.0:8888

I created the first certificate:

root@2e4741a2f4dc:/# curl -X POST -d '{"request":{"CN":"client1","hosts":[""],"key":{"algo":"ecdsa","size":256},"names":[{"C":"US","ST":"New York","L":"New York","O":"Org Inc."}]},"profile":"client"}' http://cfssl:8888/api/v1/cfssl/newcert
{"success":true,"result":{"certificate":"-----BEGIN CERTIFICATE-----\nMI...0fwsmi\n-----END CERTIFICATE-----\n","certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMI...Z5ziA==\n-----END CERTIFICATE REQUEST-----\n","private_key":"-----BEGIN EC PRIVATE KEY-----\nMH...X1RA==\n-----END EC PRIVATE KEY-----\n","sums":{"certificate":{"md5":"C2E1B310ED09B66DE8B94AFE83B59485","sha-1":"2668E6EDB1BBBF37FB0BEEEFB943F4B87CEF7164"},"certificate_request":{"md5":"264434FC9E535DB3FA498543D7C54BD7","sha-1":"B67ABA18B1ABEF8DB53BF165414849E2112BE537"}}},"errors":[],"messages":[]}

Then I revoked it using its serial & authority key ID:

root@2e4741a2f4dc:/# curl -d '{"serial": "409984530187880490216791808790648856076231093235","authority_key_id":"58f009c89da3a068ad7c3e64de718f05569ba59d","reason":"superseded"}' cfssl:8888/api/v1/cfssl/revoke
{"success":true,"result":{},"errors":[],"messages":[]}

When I try to do ocsprefresh, I get 8100 Certificate not issued by this issuer:

root@cfssl-7dd777fd46-j7692:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca intermediateCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/25 20:31:53 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
root@cfssl-7dd777fd46-j7692:/#

I also tried with server.pem and got 8200 x509: invalid signature: parent certificate cannot sign this kind of certificate:

root@cfssl-7dd777fd46-j7692:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca server.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/25 20:33:28 [CRITICAL] Unable to sign OCSP response: {"code":8200,"message":"x509: invalid signature: parent certificate cannot sign this kind of certificate"}
{"code":8200,"message":"x509: invalid signature: parent certificate cannot sign this kind of certificate"}
root@cfssl-7dd777fd46-j7692:/#

and with rootCA.pem I got 8100 Certificate not issued by this issuer:

root@cfssl-7dd777fd46-j7692:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca rootCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/25 20:34:16 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
root@cfssl-7dd777fd46-j7692:/#

What am I missing here?

ttinkr commented 4 years ago

Hello, it seems that the OCSP certificate you are creating is not signed by the intermediate CA:

cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp

...should be something like:

cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp

HTH

Roydon commented 4 years ago

cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp

I generated a new certificate for ocsp, but I still get 8100 Certificate not issued by this issuer:

root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca intermediateCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:08:41 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}

and the same for rootCA.pem:

root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca rootCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:12:00 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}

bubbleatgit commented 4 years ago

I got the same error.

crungruang commented 4 years ago

I too am encountering this error and hope it's just an oversight on my part.

cfssl version
Version: dev
Runtime: go1.14.6

I created my ocsp cert and keys with the following:

cfssl gencert -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -ca-key /demo/certs/intermediate-key.pem -config /demo/cfssl/config_ca.json -profile="ocsp" ocsp.csr.json|cfssljson -bare server-ocsp -

2020/08/05 00:35:17 [INFO] generate received request
2020/08/05 00:35:17 [INFO] received CSR
2020/08/05 00:35:17 [INFO] generating key: rsa-2048
2020/08/05 00:35:17 [INFO] encoded CSR
2020/08/05 00:35:17 [INFO] signed certificate with serial number 62732961794845646156039024224657849033563651957
2020/08/05 00:35:17 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

Then I attempt ocsprefresh with:

cfssl ocsprefresh -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -responder /demo/ocsp/server-ocsp.pem -responder-key /demo/ocsp/server-ocsp-key.pem

2020/08/05 00:35:46 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}

If I look at the ocsp cert with certinfo, I see the issuer is indeed the intermediate that I expect. Some other things about my setup, in case it helps:

cfssl-ocsp systemd unit:

[Unit]
Description=CloudflareSSL OCSP Responder
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=demouser
ExecStart=/demo/go/bin/cfssl ocspserve -address=0.0.0.0 -port=8889 -db-config=/demo/cfssl/db-pg.json -loglevel=0 -ca-key=/demo/certs/intermediate-key.pem -ca=/demo/certs/intermediate.pem -config=/demo/certs/config_ca.json -responder=/demo/ocsp/server-ocsp.pem -responder-key=/demo/ocsp/server-ocsp-key.pem

[Install]
WantedBy=multi-user.target

What did I miss here?

arpan57 commented 2 years ago

Hi All, @Roydon @crungruang @bubbleatgit @jmhodges

Were you able to get past this? I am also stuck at the same thing.

2021/11/03 22:11:09 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}

Not duplicating the steps, but they are the same as mentioned in this git issue.

Thank you, Arpan

creaky commented 8 months ago

Hi, it appears that cfssl serving OCSP information from the database supports only a single responder certificate, as signed by the ocsprefresh command. This implies all certificates in the database must be issued by the same CA that issued the specified responder certificate.

Storing any other certificate, such as the intermediate certificate, in the database and performing a cfssl ocsprefresh will result in the {"code":8100,"message":"Certificate not issued by this issuer"} error, as the intermediate certificate is issued by the root or a higher-level CA, which did not issue the OCSP signing certificate specified in the ocsprefresh command.

Use separate databases for each CA/sub-CA for storing issued certificates. Run separate ocspserve instances for each database. Update the configuration to reflect the unique OCSP URL endpoint for the certificates issued by each CA/sub-CA.
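The mechanism creaky describes, as an added example that is neither cfssl's own code nor part of this thread: a small Go program that rebuilds the chain from the first post (rootCA -> intermediateCA -> server -> client1, with cfssl serve having used server.pem as its -ca) and applies the two checks an OCSP signer makes before it will sign for a stored certificate. The checks are modelled on the two errors seen above, not copied from cfssl; mustCert, issuerCheck and Scenario are names chosen here, the keys are throwaway Ed25519 keys, and the SubjectKeyId values are constructed placeholders rather than real key hashes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert builds a throwaway in-memory certificate; parent == nil means self-signed.
func mustCert(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true, SubjectKeyId: []byte(cn), // SKI placeholder
	}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk) // copies the parent's SKI into the child's AKI
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issuerCheck mirrors the gate an OCSP signer applies before signing for a stored cert: AKI == -ca SKI (8100), then signature (8200).
func issuerCheck(cert, issuer *x509.Certificate) error {
	if !bytes.Equal(cert.AuthorityKeyId, issuer.SubjectKeyId) {
		return fmt.Errorf("8100 Certificate not issued by this issuer")
	}
	if err := cert.CheckSignatureFrom(issuer); err != nil { // also fails for a parent that is not allowed to sign certificates
		return fmt.Errorf("8200 %v", err)
	}
	return nil
}
// Scenario rebuilds the thread's chain and returns, in order: client1 vs intermediateCA, client1 vs server, intermediateCA vs intermediateCA, client2 vs intermediateCA.
func Scenario() []error {
	root, rootKey := mustCert("rootCA", true, nil, nil)
	inter, interKey := mustCert("intermediateCA", true, root, rootKey)
	server, serverKey := mustCert("server", false, inter, interKey) // not a CA, yet used as -ca by cfssl serve in the first post
	client1, _ := mustCert("client1", false, server, serverKey)
	client2, _ := mustCert("client2", false, inter, interKey) // issued by the same CA as the responder: the working layout
	return []error{issuerCheck(client1, inter), issuerCheck(client1, server), issuerCheck(inter, inter), issuerCheck(client2, inter)}
}
func main() { fmt.Println(Scenario()) }
```

client1 fails against intermediateCA and rootCA because its AKI points at server.pem, and fails against server.pem because a non-CA certificate cannot be a valid parent; only certificates issued by the same CA as the responder pass, which is why creaky's one-database-per-CA layout works.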