Summary:
Certificates calling to the OCSP Responder (OCSPr) have their "Cert Status" change from "good" to "unknown" with no known changes to the environment. Completely lost on this one.
More Detail:
I have been building a simple suite for certificate creation and OCSP handling for local and personal certificate testing and such. Everything has been going well, and there haven't been any issues with the generated certs checking against the OCSPr until the past few weeks.
I have generated a variety of Server and Client Certs and spread them around to various sites for testing and they function properly except for the following:
I have generated two Server Certs and two Client Certs and placed them on their respective sites, and initially these Certs call in to the OCSPr with a Cert Status of "unknown" for a few minutes, then switch to "good" for an undetermined amount of time, and then back to "unknown" until the OCSPr and the web site are both reset, and then the cycle repeats itself.
The other Client and Server certificates that have been created and placed on other sites are still functioning properly and communicate immediately and with ease with the OCSPr.
Some Info that May be Useful:
OpenSSL Version: OpenSSL 1.1.1c 28 May 2019
The environment is set up as: CA -> InterCA -> Device/Server/OCSP Certificates
The OCSP Responder looks like:
sudo openssl ocsp -url http://ocsp.address.com -port 80 -index Inter_index.txt -CA certs/InterCA.cert.pem -rkey private/ocsp.key.pem -rsigner certs/ocsp.cert.pem -out ocsp_log.txt -text -rm sha384 -ignore_err
I’ve also substituted -CA certs/InterCA.cert.pem
with -CA certs/ca_chain.cert.pem
with similar results (I heard that OpenSSL doesn't care for CA chains, but no harm in trying)
I’m sure there is more I could add to this that would be helpful, but nothing comes to mind at the moment. 🙂
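As an added example (not part of the original post, and not OpenSSL's own code), here is a small Python script that reads a CA index file in the format that `openssl ocsp -index` consumes and reports the status the responder would answer for a given serial. The OpenSSL responder answers "good" only for a row whose status column is V, "revoked" only for an R row, and "unknown" when the serial is not found in the index (a request whose issuer name/key hashes do not match the `-CA` certificate is also answered "unknown"). Serials are compared as uppercase hex with leading zeros ignored, as OpenSSL does. The index content in `SAMPLE_INDEX` is constructed for this example, and all function names are this example's own.

```python
"""Resolve the status an 'openssl ocsp -index' responder would give a serial,
and sanity-check the index file the responder is reading."""
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA index.txt (tab-separated, one cert per row).
# Columns: status, expiry, revocation-date[,reason], serial (hex), filename, subject DN
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t1001\tunknown\t/CN=server1.example.test\n"
    "R\t301231235959Z\t240115101500Z,keyCompromise\t1002\tunknown\t/CN=client1.example.test\n"
    "E\t200101000000Z\t\t1003\tunknown\t/CN=old.example.test\n"
    "V\t301231235959Z\t\t0A1B\tunknown\t/CN=server2.example.test\n"
)


def parse_time(value):
    """Parse the YYMMDDHHMMSSZ timestamps used in the index as UTC datetimes."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def normalize_serial(serial):
    """Uppercase hex with leading zeros stripped, matching OpenSSL's index lookup."""
    key = serial.strip().upper().lstrip("0")
    return key or "0"


def parse_index(text):
    """Return one dict per index row; raise on a row with the wrong column count."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated columns, got {len(cols)}")
        status, expiry, revocation, serial, filename, subject = cols
        rev_time, reason = None, None
        if revocation:
            rev_str, _, reason_str = revocation.partition(",")
            rev_time = parse_time(rev_str)
            reason = reason_str or None
        rows.append({
            "status": status,
            "expiry": parse_time(expiry),
            "rev_time": rev_time,
            "reason": reason,
            "serial": serial,
            "filename": filename,
            "subject": subject,
        })
    return rows


def ocsp_status(rows, serial):
    """Status the OpenSSL responder answers for this serial: (status, reason)."""
    key = normalize_serial(serial)
    for row in rows:
        if normalize_serial(row["serial"]) != key:
            continue
        if row["status"] == "V":
            return ("good", None)
        if row["status"] == "R":
            return ("revoked", row["reason"])
        # Any other status column (e.g. E for expired) is never answered "good".
        return ("unknown", None)
    return ("unknown", None)  # serial absent from the index


def check_index(text):
    """List problems that would make lookups fail or be ambiguous."""
    problems = []
    seen = {}
    for row in parse_index(text):
        serial = row["serial"]
        if not all(c in "0123456789abcdefABCDEF" for c in serial):
            problems.append(f"serial {serial!r} is not hex")
        if serial != serial.upper():
            problems.append(f"serial {serial!r} is not uppercase as 'openssl ca' writes it")
        key = normalize_serial(serial)
        if key in seen:
            problems.append(f"serial {serial!r} duplicates {seen[key]!r}")
        seen[key] = serial
        if row["status"] not in ("V", "R", "E"):
            problems.append(f"serial {serial!r} has unexpected status {row['status']!r}")
    return problems


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for s in ("1001", "1002", "1003", "0a1b", "1004"):
        print(s, ocsp_status(rows, s))
    print("index problems:", check_index(SAMPLE_INDEX) or "none")
```

To use it against a real deployment, replace `SAMPLE_INDEX` with the contents of the responder's `-index` file (e.g. `Inter_index.txt`) and pass the serial printed by `openssl x509 -noout -serial -in <cert>` to `ocsp_status`; if the result is "unknown" while the certificate is valid, the serial is simply not in the index the responder is reading, or the issuer the responder was started with is not the one that issued the certificate.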