Open Roydon opened 4 years ago
Hello, it seems that the OCSP certificate you are creating is not signed by the intermediate CA:
cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp
...should be something like:
cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp
HTH
cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp
I generated a new certificate for ocsp, but still get 8100
Certificate not issued by this issuer
root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca intermediateCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:08:41 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
and the same for rootCA.pem
root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca rootCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:12:00 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
I got the same error.
I too am encountering this error and hope it's just an oversight on my part--
cfssl version
Version: dev
Runtime: go1.14.6
I created my ocsp cert and keys with the following:
cfssl gencert -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -ca-key /demo/certs/intermediate-key.pem -config /demo/cfssl/config_ca.json -profile="ocsp" ocsp.csr.json|cfssljson -bare server-ocsp -
2020/08/05 00:35:17 [INFO] generate received request
2020/08/05 00:35:17 [INFO] received CSR
2020/08/05 00:35:17 [INFO] generating key: rsa-2048
2020/08/05 00:35:17 [INFO] encoded CSR
2020/08/05 00:35:17 [INFO] signed certificate with serial number 62732961794845646156039024224657849033563651957
2020/08/05 00:35:17 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
Then I attempt ocsprefresh with:
cfssl ocsprefresh -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -responder /demo/ocsp/server-ocsp.pem -responder-key /demo/ocsp/server-ocsp-key.pem
2020/08/05 00:35:46 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
If i look at the ocsp cert with certinfo, I see the issuer is indeed the intermediate that I expect. Some other things about my setup, in case it helps:
cfssl-ocsp systemd:
```
[Unit]
Description=CloudflareSSL OCSP Responder
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=demouser
ExecStart=/demo/go/bin/cfssl ocspserve -address=0.0.0.0 -port=8889 -db-config=/demo/cfssl/db-pg.json -loglevel=0 -ca-key=/demo/certs/intermediate-key.pem -ca=/demo/certs/intermediate.pem -config=/demo/certs/config_ca.json -responder=/demo/ocsp/server-ocsp.pem -responder-key=/demo/ocsp/server-ocsp-key.pem

[Install]
WantedBy=multi-user.target
```
What did I miss here?
Hi All, @Roydon @crungruang @bubbleatgit @jmhodges
Were you able to get past this? I am also stuck at the same thing.
2021/11/03 22:11:09 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
Not duplicating the steps, but they are the same as mentioned in this git issue.
Thank you, Arpan
Hi, It appears cfssl serving ocsp information from the database supports only a single responder certificate as signed by the ocsprefresh command. This implies all certificates in the database must be issued by the same CA that issued the specified responder certificate.
Storing any other certificate, such as the intermediate certificate, in the database and performing a cfssl ocsprefresh will result in the {"code":8100,"message":"Certificate not issued by this issuer"} error as the intermediate certificate is issued by the root or higher level CA which did not issue the OCSP signing certificate specified in the ocsprefresh command.
Use separate databases for each CA/sub-CA for storing issued certificates. Run separate ocspserve instances for each database. Update the configuration to reflect the unique OCSP URL endpoint for each CA/sub-CA issued certificates.
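The issuer rule in the reply above, shown as an added example in Go that is not cfssl's own code: it builds a constructed rootCA -> intermediateCA -> {server, ocsp} hierarchy in memory, applies a simplified version of the check an OCSP refresh makes before vouching for a row (the row's AuthorityKeyId must equal the SubjectKeyId of the certificate given with -ca, and the signature must verify under it; the exact check inside cfssl is not reproduced here), and shows that a single table holding both the intermediate and a server certificate is rejected under either -ca, while splitting the table by issuer makes each refresh clean. The function names, key identifiers and serial numbers are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkIssuedBy is a simplified form of the test an OCSP signer applies before
// signing for a row (assumption: not cfssl's exact code). A CA certificate stored
// in its own database fails the first test because its AKI points at the CA above it.
func checkIssuedBy(cert, issuer *x509.Certificate) error {
	if len(cert.AuthorityKeyId) == 0 || !bytes.Equal(cert.AuthorityKeyId, issuer.SubjectKeyId) {
		return fmt.Errorf("code 8100: Certificate not issued by this issuer (AKI %x != SKI %x)", cert.AuthorityKeyId, issuer.SubjectKeyId)
	}
	return cert.CheckSignatureFrom(issuer) // a non-CA issuer fails here ("parent certificate cannot sign this kind of certificate")
}

// refresh plays the role of `cfssl ocsprefresh -ca <issuer>` over one database.
func refresh(db []*x509.Certificate, issuer *x509.Certificate) (ok, rejected []string) {
	for _, c := range db {
		if checkIssuedBy(c, issuer) == nil {
			ok = append(ok, c.Subject.CommonName)
		} else {
			rejected = append(rejected, c.Subject.CommonName)
		}
	}
	return ok, rejected
}

// splitByIssuer partitions rows into one database per issuing CA, keyed by hex AuthorityKeyId.
func splitByIssuer(db []*x509.Certificate) map[string][]*x509.Certificate {
	out := map[string][]*x509.Certificate{}
	for _, c := range db {
		k := fmt.Sprintf("%x", c.AuthorityKeyId)
		out[k] = append(out[k], c)
	}
	return out
}

// newTemplate sets the SKI explicitly so the AKI/SKI relationship is visible in the output.
func newTemplate(cn string, serial int64, ski string, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // needed for CheckSignatureFrom to accept it as a parent
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		SubjectKeyId: []byte(ski), BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku,
	}
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil); Go copies parent.SubjectKeyId into the child's AKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildPKI constructs the thread's hierarchy (constructed test data): the responder is issued by the intermediate.
func buildPKI() (root, inter, server, ocsp *x509.Certificate) {
	root, rootKey := issue(newTemplate("rootCA", 1, "root-ski", true), nil, nil)
	inter, interKey := issue(newTemplate("intermediateCA", 2, "inter-ski", true), root, rootKey)
	server, _ = issue(newTemplate("server", 3, "server-ski", false), inter, interKey)
	t := newTemplate("ocsp", 4, "ocsp-ski", false)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	ocsp, _ = issue(t, inter, interKey)
	return root, inter, server, ocsp
}

func main() {
	root, inter, server, _ := buildPKI()
	db := []*x509.Certificate{inter, server} // one shared table, as in the thread
	ok, rej := refresh(db, inter)
	fmt.Println("-ca intermediateCA.pem ok:", ok, "rejected:", rej) // ok: [server] rejected: [intermediateCA]
	ok, rej = refresh(db, root)
	fmt.Println("-ca rootCA.pem ok:", ok, "rejected:", rej) // ok: [intermediateCA] rejected: [server]
	for _, ca := range []*x509.Certificate{root, inter} { // fix: one database per CA, refreshed with its own -ca
		ok, rej = refresh(splitByIssuer(db)[fmt.Sprintf("%x", ca.SubjectKeyId)], ca)
		fmt.Println("split db for", ca.Subject.CommonName, "ok:", ok, "rejected:", rej)
	}
}
```

Whichever -ca is passed, the shared table always contains at least one row whose AKI points at a different CA, which is exactly the 8100 seen in every report in this thread; with the table split per issuing CA, each ocsprefresh run (and each ocspserve instance) sees only rows it can sign for.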
I set up cfssl following part1, part2 & part3
Here is every command I use :
Then I was able to start cfssl with the following command:
cfssl serve -db-config=/config/db-connect.json -ca=/cert/server.pem -ca-key=/cert/server-key.pem -config=/config/config.json -responder=/cert/ocsp.pem -responder-key=/cert/ocsp-key.pem -address=0.0.0.0
with this config
from cfssl logs confirmed it started ok:
I created first certificate
then revoked it using its serial & authority key id
When I try to do ocsprefresh I get
8100
Certificate not issued by this issuer
Also tried with server.pem and got
8200
x509: invalid signature: parent certificate cannot sign this kind of certificate
and with rootCA.pem and got
8100
Certificate not issued by this issuer
What am I missing here?