
I want to verify whether the Apple p12 certificate is revoked.

Verify through OpenSSL, but the failure rate

Responder Error: unauthorized (6)

openssl s_client -connect ocsp.apple.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem

openssl s_client -showcerts -connect ocsp.apple.com:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

openssl x509 -noout -ocsp_uri -in cert.pem


openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.apple.com/ocsp03-apevsecc1g101 -header "HOST" "ocsp.apple.com"
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 99A13D5E339D6899F2F62D3449CA0FB7AD56A71D
          Issuer Key Hash: 45F2A8DA2EF4DD5AE49E079E4B7B289B3BB20B31
          Serial Number: 5E652F93666E7A5B3966551A0C167BAA
    Request Extensions:
        OCSP Nonce: 
            0410AB2982A627A49BA9AC9E06A9C4FE28B2
Responder Error: unauthorized (6)

2 Answers


chain.pem can only contain the intermediate and root certificates. The way you invoked openssl it brought in the entire chain. So: remove your certificate from chain.pem and try again.


For what it's worth (or for future instances), here was my solution:

Note: I was sending the response to a Microsoft OCSP responder.

Fix: I had to define the -CAfile and -no_nonce parameters.

openssl ocsp -no_nonce -issuer ca_chain.cer -CAfile ca_chain.cer -cert test.cer -text -url http://ocsp.myorg.com/ocsp

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
          Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
          Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C012856C236D6AA6EC5F835AC25F17EBECB8BC10
    Produced At: Nov  8 05:36:39 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
      Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
      Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
    Cert Status: revoked
    Revocation Time: Oct 27 21:26:12 2022 GMT
    Revocation Reason: cessationOfOperation (0x5)
    This Update: Nov  8 00:50:02 2022 GMT
    Next Update: Nov  8 17:10:02 2022 GMT
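Both fixes on this page (first answer: keep the leaf certificate out of the file passed to -issuer; second answer: add -CAfile and -no_nonce) combined into one added shell example; this is not code from either answer or from OpenSSL. The PEM blocks it splits are constructed placeholders, not real certificates, and the ocsp.apple.com host in the closing comment is only an assumption carried over from the question.

```shell
#!/bin/sh
# split_chain BUNDLE LEAF CHAIN: the first PEM block in BUNDLE is the
# server's own certificate -> LEAF; every later block (intermediates,
# root) -> CHAIN. "openssl ocsp -issuer" must see only the issuers.
split_chain() {
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > chain }
    ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# fetch_bundle HOST:PORT OUT: save the full presented chain (network needed)
fetch_bundle() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# ocsp_check LEAF CHAIN URL: -issuer reads the first cert of CHAIN (the
# direct issuer), -CAfile lets openssl verify the responder's signature,
# -no_nonce avoids "unauthorized" from responders that reject the nonce.
ocsp_check() {
    openssl ocsp -no_nonce -issuer "$2" -CAfile "$2" -cert "$1" -url "$3" -text
}

# Constructed demo input: three placeholder blocks standing in for the
# leaf, intermediate and root (not real certificates, not parsable).
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' \
    >bundle.pem
split_chain bundle.pem cert.pem chain.pem
echo "cert.pem: $(count_certs cert.pem) block, chain.pem: $(count_certs chain.pem) blocks"
# Live use (assumed host; URL taken from the leaf's AIA extension):
#   fetch_bundle ocsp.apple.com:443 bundle.pem
#   split_chain bundle.pem cert.pem chain.pem
#   ocsp_check cert.pem chain.pem "$(openssl x509 -noout -ocsp_uri -in cert.pem)"
```

The split matters because the first certificate in the -issuer file is the one OpenSSL uses to build the Certificate ID; if that is the leaf itself, the responder has no record of such an issuer and answers unauthorized.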