OCSP Response Signed by other CA

Mike DiBella mike at dibella.net
Thu Oct 31 19:09:49 CET 2019

In testing my OCSP responder configuration I've found that the following openssl command:

openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp


Response verify OK
client.cer: good
        This Update: Oct 31 11:43:47 2019 GMT
        Next Update: Nov  2 00:03:47 2019 GMT

I see that there is a client keyword in the verify section of the eap configuration file.   I'm wondering if I can I substitute this command for the default openssl verify command prototyped in the file?

In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.

From: Mike DiBella
Sent: Wednesday, October 30, 2019 3:08 PM
To: 'freeradius-users at lists.freeradius.org' <freeradius-users at lists.freeradius.org>
Subject: OCSP Response Signed by other CA

I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all.   I think freeradius is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior.   I've already tried concatenating the OCSP signer to the client trust certificate file, but freeradius still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted".   Any ideas?

More information about the Freeradius-Users mailing list