[ipxe-devel] ipxe.org OCSP server check

Geert Stappers stappers at stappers.nl
Mon Oct 30 20:47:17 UTC 2023


On Mon, Sep 04, 2023 at 11:21:00AM +0000, Michael Brown via ipxe-devel wrote:
> On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> > When I do
> >    ....
> > How to deal with those verify errors?
> 
> When using the openssl tools, you need to specify the iPXE root CA as the
> root of trust in order to match iPXE's verification results.  For the ocsp
> subcommand, the relevant option is "-CAfile".  For example:
> 
>   $ wget -q https://ca.ipxe.org/ca.crt
>   $ wget -q https://ca.ipxe.org/cross-ca.crt
>   $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> 
>   $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
>                  -cert cross-ca.crt \
>                  -url http://ocsp.ipxe.org/ocsp/root/
>   Response verify OK
>   cross-ca.crt: good
>           This Update: Sep  1 11:01:57 2023 GMT
>           Next Update: Sep  4 11:22:25 2023 GMT
> 
>   $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>                  -cert cross-gts-root-r4.crt \
>                  -url http://ocsp.ipxe.org/ocsp/cross/
>   Response verify OK
>   cross-digicert-assured-id-root-ca.crt: good
>           This Update: Sep  1 11:02:47 2023 GMT
>           Next Update: Sep  4 11:22:43 2023 GMT
> 

Ah, thanks, for future "copy and paste":

--------8<---8<---8<-------

wget -q https://ca.ipxe.org/ca.crt
wget -q https://ca.ipxe.org/cross-ca.crt
wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

ls -ltr  *.crt

openssl ocsp -CAfile ca.crt -issuer ca.crt \
             -cert cross-ca.crt \
             -url http://ocsp.ipxe.org/ocsp/root/

openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
             -cert cross-gts-root-r4.crt \
             -url http://ocsp.ipxe.org/ocsp/cross/

echo rm *.crt
 
--------8<---8<---8<-------

Output I got today:


-rw-r--r-- 1 stappers stappers 1383 18 mrt  2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb  2016 cross-ca.crt
-rw------- 1 stappers stappers 1180  1 okt 10:36 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
	This Update: Oct  1 08:01:19 2023 GMT
	Next Update: Oct 30 20:39:51 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
	This Update: Oct  1 08:36:38 2023 GMT
	Next Update: Oct 30 20:39:51 2023 GMT
rm ca.crt cross-ca.crt cross-gts-root-r4.crt



Groeten
Geert Stappers
Back in a few days
-- 
Silence is hard to parse
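
An added example, not part of the original message or of iPXE: a shell function that turns the `openssl ocsp` output shown above into a pass/fail check, failing when the "Response verify OK" line is missing, the status is not "good", or "Next Update" has passed. The function name `check_ocsp_output` and the `NOW` argument are assumptions made for this sketch; the sample text is the output quoted in the message.

```shell
#!/bin/sh
# Constructed sample: the two responses quoted in the message above.
SAMPLE='Response verify OK
cross-ca.crt: good
    This Update: Oct  1 08:01:19 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
    This Update: Oct  1 08:36:38 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT'

# check_ocsp_output [NOW]  (hypothetical helper; reads openssl ocsp output on stdin)
# NOW is a UTC time written as YYYYMMDDHHMMSS; defaults to the current time.
# Exit status 0 only if every response is verified, "good" and not expired.
check_ocsp_output() {
    awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
    # Convert "Oct 30 20:39:51 2023" fields to a sortable YYYYMMDDHHMMSS string.
    function stamp(mon, day, hms, year,    m) {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        gsub(":", "", hms)
        return sprintf("%04d%02d%02d%s", year, m, day, hms)
    }
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^Response verify OK/ { verified = 1; next }
    # Status line: "<certificate file>: good|revoked|unknown"
    NF >= 2 && $1 ~ /:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") {
        cert = substr($1, 1, length($1) - 1); seen++
        if (!verified) fail(cert ": response signature not verified")
        if ($2 != "good") fail(cert ": status is " $2)
        verified = 0   # the next response needs its own verify line
        next
    }
    $1 == "Next" && $2 == "Update:" {
        if ((stamp($3, $4, $5, $6) "") <= (now ""))
            fail(cert ": response expired (" $3 " " $4 " " $5 " " $6 ")")
        next
    }
    END {
        if (!seen) fail("no certificate status found")
        if (!bad) print "OK: " seen " response(s) verified, good and current"
        exit bad
    }'
}

# Evaluate the sample as of 20:30:00 UTC on 30 Oct 2023 (constructed time).
printf '%s\n' "$SAMPLE" | check_ocsp_output 20231030203000
```

To check live output, append `2>&1 | check_ocsp_output` to an `openssl ocsp` command so the verify line is captured whichever stream it is printed on.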
