I just read about "Intent to end OCSP" but I could not find out how to create a cert with CRL only and no OCSP extension.
We recommend that anyone relying on OCSP services today start the process of ending that reliance as soon as possible. If you use Let’s Encrypt certificates to secure non-browser communications such as a VPN, you should ensure that your software operates correctly if certificates contain no OCSP URL.
So I definitely need a certificate with CRL and no OCSP section, in order to test that such a cert will work in my environment. But it's not clear how to get one, is it a flag or profile I can choose in the ACME API? If I have missed it in the docs please point me in the right direction.
Hmm. It is kind of awkward that Let's Encrypt wants people to make sure that certificates without OCSP URLs in them work, when they don't offer a way to get them.
Are there other CAs that issue certificates without an OCSP URL, ideally ones that are free and use ACME? If not, does someone want to write up the openssl commands or whatever for making testing certificates that are as close as possible to "real" ones even though they obviously wouldn't be trusted?
Yeah, Let's Encrypt essentially says: "Make sure you don't rely on ANY revocation checking whatsoever, because we want you NOT to rely on OCSP, but we don't offer anything else in return."
That said, CRL checking is dead anyway, so to add or not to add CRLs to begin with, that's the question.
BuyPass has an OCSP AIA and CRL distribution point in their end leaf certificates. The issuing intermediate can be found at crt.sh | CA:49982.
There can't be any (yet), since Microsoft's root program currently requires use of OCSP.
Microsoft will probably change that policy in the near future, after which LE will probably follow suit.
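Since none of the CAs mentioned in the thread issue CRL-only leaf certificates yet, here is one way to make a test certificate of that shape yourself with openssl, as requested earlier in the thread. This is an added example, not something posted by any participant: it builds a throwaway CA, issues a leaf that carries a crlDistributionPoints extension and no authorityInfoAccess (OCSP) extension, then shows the leaf passing and failing CRL-based revocation checks. The CA name, the host name test.example.test and the CRL URL http://crl.example.test/test-ca.crl are placeholders; the leaf is trusted only by the throwaway CA the script creates.

```shell
#!/bin/sh
# Added example, not from the original thread: build a throwaway CA and a leaf
# certificate with a CRL distribution point but NO authorityInfoAccess (OCSP)
# extension, then exercise CRL-based revocation checking with openssl.
# The CA name, host name and CRL URL below are made up for the test.
set -eu

# Hypothetical CRL URL. Clients under test will try to fetch it, so point it at
# a host you control and serve $dir/test-ca.crl from there.
CRL_URL="http://crl.example.test/test-ca.crl"

make_crl_only_cert() {          # $1 = working directory (must exist)
  dir="$1"

  # Minimal "openssl ca" config: only what -gencrl and -revoke need.
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
EOF
  : > "$dir/index.txt"

  # 1. Self-signed root. Extensions come only from the extfile, so nothing from
  #    the system openssl.cnf leaks into the test CA.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=Test CRL-only CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Leaf: crlDistributionPoints present, authorityInfoAccess deliberately absent.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=test.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' \
                'keyUsage = critical, digitalSignature' \
                'extendedKeyUsage = serverAuth' \
                'subjectAltName = DNS:test.example.test' \
                "crlDistributionPoints = URI:$CRL_URL" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null

  # 3. An (empty) CRL, so a client that follows the CRL DP has something valid to parse.
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/test-ca.crl" 2>/dev/null
}

# Prints any OCSP responder URLs found in the certificate; empty output is the goal.
cert_ocsp_urls() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Succeeds only if the certificate names our CRL distribution point.
cert_has_crl_dp() { openssl x509 -in "$1" -noout -text | grep -q "URI:$CRL_URL"; }

# Verify the leaf against the CA with CRL checking. The fake URL is never
# fetched because the CRL is handed to openssl as a file.
verify_with_crl() {             # $1 = working directory
  openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/test-ca.crl" "$1/leaf.crt"
}

# Revoke the leaf and reissue the CRL; the same verify call must now fail.
revoke_leaf() {                 # $1 = working directory
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/test-ca.crl" 2>/dev/null
}

# Stand-alone run: "sh this-script.sh demo" builds everything in a temp dir.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_crl_only_cert "$d"
  echo "OCSP URLs in leaf: '$(cert_ocsp_urls "$d/leaf.crt")' (expected: none)"
  cert_has_crl_dp "$d/leaf.crt" && echo "CRL DP present: $CRL_URL"
  verify_with_crl "$d"
  revoke_leaf "$d"
  verify_with_crl "$d" || echo "leaf rejected after revocation, as expected"
  echo "files in $d"
fi
```

To test a VPN or other non-browser client, hand it leaf.crt and leaf.key, add ca.crt to its trust store, and serve test-ca.crl at whatever you put in CRL_URL; a client that copes with the missing OCSP URL should connect, and one that actually does CRL checking should stop connecting after revoke_leaf has been run and the new CRL is being served.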