Why does firefox show me an invalid OCSP signing certificate in OCSP response?
I want to open a page in Firefox but it is showing an error in the form of invalid OCSP signing certificate. What can I do now?
I read a blog about OCSP which made me understand that OCSP stands for Online Certificate Status Protocol and is used by Certificate Authorities to check the revocation status of an X.509 digital certificate. In this blog we answer some of the most common questions about OCSP including how it works, the roles of certificate authorities and certificate validation authorities, and how to check certificates via a CRL.
If you are shown an invalid OCSP signing certificate in OCSP response, it may be due to the OCSP-cert having expired. Certificate:
Data: Version: 3 (0x2)
Serial Number: 132 (0x84)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=NL, O=Digidentity B.V., CN=Digidentity Services CA - G2
Validity
Not Before: Sep 20 10:40:55 2012 GMT
Not After : Sep 10 10:40:55 2014 GMT
Subject: C=NL, O=Digidentity B.V., CN=Digidentity OCSPCode I used these three commands:
$ openssl s_client -connect www.acm.nl:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > acm.pem
$ openssl s_client -connect www.acm.nl:443 -showcerts /dev/null > chain.pembundle
$ openssl ocsp -issuer chain.pembundle -cert acm.pem -url $(openssl x509 -noout -ocsp_uri -in acm.pem)
Response Verify Failure
2676036:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:certificate has expired
acm.pem: ERROR: No Status found.More Detail
Use this instead of third command for more detail:
$ openssl ocsp -issuer chain.pembundle -cert acm.pem -text -url $(openssl x509 -noout -ocsp_uri -in acm.pem)
Link
I copied the commands from here: https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html