[ipxe-devel] ipxe.org OCSP server check
Geert Stappers
stappers at stappers.nl
Wed Nov 1 20:58:38 UTC 2023
On Mon, Oct 30, 2023 at 08:47:31PM +0000, Geert Stappers via ipxe-devel wrote:
> On Mon, Sep 04, 2023 at 11:21:00AM +0000, Michael Brown via ipxe-devel wrote:
> >
> > When using the openssl tools, you need to specify the iPXE root CA as the
> > root of trust in order to match iPXE's verification results. For the ocsp
> > subcommand, the relevant option is "-CAfile". For example:
> >
> > $ wget -q https://ca.ipxe.org/ca.crt
> > $ wget -q https://ca.ipxe.org/cross-ca.crt
> > $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> >
> > $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
> > -cert cross-ca.crt \
> > -url http://ocsp.ipxe.org/ocsp/root/
> > Response verify OK
> > cross-ca.crt: good
> > This Update: Sep 1 11:01:57 2023 GMT
> > Next Update: Sep 4 11:22:25 2023 GMT
> >
> > $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> > -cert cross-gts-root-r4.crt \
> > -url http://ocsp.ipxe.org/ocsp/cross/
> > Response verify OK
> > cross-digicert-assured-id-root-ca.crt: good
> > This Update: Sep 1 11:02:47 2023 GMT
> > Next Update: Sep 4 11:22:43 2023 GMT
> >
>
> Ah, thanks, for future "copy and paste":
>
> --------8<---8<---8<-------
>
> wget -q https://ca.ipxe.org/ca.crt
> wget -q https://ca.ipxe.org/cross-ca.crt
> wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
>
> ls -ltr *.crt
>
> openssl ocsp -CAfile ca.crt -issuer ca.crt \
> -cert cross-ca.crt \
> -url http://ocsp.ipxe.org/ocsp/root/
>
> openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> -cert cross-gts-root-r4.crt \
> -url http://ocsp.ipxe.org/ocsp/cross/
>
> echo rm *.crt
>
> --------8<---8<---8<-------
>
> Output I got today:
>
>
> -rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
> -rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
> -rw------- 1 stappers stappers 1180 1 okt 10:36 cross-gts-root-r4.crt
> Response verify OK
> cross-ca.crt: good
> This Update: Oct 1 08:01:19 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> Response verify OK
> cross-gts-root-r4.crt: good
> This Update: Oct 1 08:36:38 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> rm ca.crt cross-ca.crt cross-gts-root-r4.crt
>
>
>
> Groeten
> Geert Stappers
> Back in a few days
-rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
-rw-r--r-- 1 stappers stappers 1180 1 nov 13:39 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Nov 1 11:59:31 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Nov 1 12:39:02 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT
Groeten
Geert Stappers
--
Silence is hard to parse
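
Added example, not part of the original message or of the iPXE project: a small check that classifies `openssl ocsp` text output of the kind shown above, including whether the response is still inside its This Update / Next Update window. The function name `ocsp_check` and its status words are assumptions made for this example, and it relies on GNU `date` to parse OpenSSL's timestamp format.

```shell
#!/bin/sh
# Added example: classify `openssl ocsp` text output for a monitoring job.
# Assumption: GNU date is available (-d parses "Nov 1 19:37:17 2023 GMT").

# Sample input embedded for offline use, in the format quoted in the thread.
SAMPLE='Response verify OK
cross-ca.crt: good
    This Update: Nov 1 11:59:31 2023 GMT
    Next Update: Nov 1 19:37:17 2023 GMT'

# ocsp_check OUTPUT CERTNAME [REFTIME]
# Prints: ok | unverified | not-good | no-update-window | not-yet-valid | stale
# REFTIME defaults to the current time; pass a date string to test a window.
# The body is a subshell so the helper variables stay local.
ocsp_check() (
    out=$1; cert=$2; ref=${3:-now}

    # The responder signature must verify against the -CAfile root.
    printf '%s\n' "$out" | grep -q '^Response verify OK' ||
        { echo unverified; return 1; }

    # Status line is "<cert>: good", "<cert>: revoked" or "<cert>: unknown".
    printf '%s\n' "$out" | grep -qF -- "$cert: good" ||
        { echo not-good; return 1; }

    this=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*This Update: //p' | head -n 1)
    next=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    [ -n "$this" ] && [ -n "$next" ] || { echo no-update-window; return 1; }

    # Convert all three timestamps to epoch seconds in UTC.
    now=$(date -u -d "$ref" +%s) || return 2
    t=$(date -u -d "$this" +%s) || return 2
    n=$(date -u -d "$next" +%s) || return 2

    # A response is only usable between This Update and Next Update.
    [ "$now" -ge "$t" ] || { echo not-yet-valid; return 1; }
    [ "$now" -le "$n" ] || { echo stale; return 1; }
    echo ok
)
```

When feeding it live output, capture both stdout and stderr of `openssl ocsp` (for example with `2>&1`) so the verification line is included in the text being checked.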