Looking for an example OCSP-less certificate

Is there somewhere I could find an example of a certificate that doesn't have an OCSP responder URL embedded in it? I understand that Let's Encrypt will start issuing such certs in the near future (in just over 2 weeks, if this timeline is still accurate) and I would like to update my certificate management scripts, which currently work rather hard to make sure they never put into service a certificate without a valid stapled OCSP response. I want to teach these scripts to recognise certs without OCSP responders and skip all the OCSP stapling stuff (which I'm kinda pleased with, but sadly is becoming obsolete already) but am not sure where to look for an example cert to test against. Although Let's Encrypt's 6 day certs are promised to come without OCSP responder URLs, the "first issued" 6-day cert listed here still has one so that doesn't help. I'd prefer not to try to generate such a cert myself as I'd like to avoid testing against something I made, and might well have got wrong. Is it planned for the staging environment to start issuing OCSP-less certs some time earlier than the live environment? Thank you.

3 Likes
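Added example, not part of the original thread or of any Let's Encrypt tooling: one way a certificate management script could recognise a certificate with no OCSP responder URL and skip stapling, while still treating an unparseable file as an error rather than as "no OCSP". The function names, the `ocsp.example.test` URL and the throwaway self-signed certificates are constructed for illustration; `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Prints "staple <url>" when the leaf has an AIA OCSP URL, "skip" when it has none.
# Returns 2 when the file cannot be parsed, so a read or parse failure is never
# mistaken for "this certificate has no OCSP responder".
ocsp_mode() {
    # -ocsp_uri prints the OCSP responder URL(s) from the AIA extension, or nothing.
    # openssl x509 reads only the first certificate in the file (the leaf, in a
    # leaf-first chain file).
    _uri=$(openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null) || return 2
    if [ -n "$_uri" ]; then
        printf 'staple %s\n' "$(printf '%s\n' "$_uri" | head -n 1)"
    else
        printf 'skip\n'
    fi
}

# Constructed test input: a throwaway self-signed certificate, with an AIA OCSP
# URL only when a second argument is given. Usage: make_constructed_cert OUT [URL]
make_constructed_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
            -subj "/CN=constructed.example" -days 1 \
            -addext "authorityInfoAccess = OCSP;URI:$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
            -subj "/CN=constructed.example" -days 1 2>/dev/null
    fi
}

# Demo on constructed certificates (these are not Let's Encrypt certificates).
demo() {
    _d=$(mktemp -d) || return 1
    make_constructed_cert "$_d/with.pem" "http://ocsp.example.test"
    make_constructed_cert "$_d/without.pem"
    printf 'not a certificate\n' > "$_d/garbage.pem"
    for _f in with without garbage; do
        _mode=$(ocsp_mode "$_d/$_f.pem") || _mode="error: unparseable, do not deploy"
        printf '%-8s -> %s\n' "$_f" "$_mode"
    done
    rm -rf "$_d"
}
demo
```

A deployment script can branch on the first word of the output and refuse to proceed on a non-zero return.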

I don't think we have such a certificate yet: crt.sh | 000925c0d91088a84e23517b255f0b6936bf463b16abe80c8989b895b029e0e9
This is from two days ago but still has OCSP info.
The PR to support not including OCSP looks to have been merged 2 weeks ago, though:
Remove AIA OCSP URL from end-entity certificates · Issue #8059 · letsencrypt/boulder · GitHub

2 Likes

I think you could also use Pebble as a test CA and that [by default] won't have an OCSP responder set. GitHub - letsencrypt/pebble: A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.

3 Likes

We just landed the code support for OCSP-less certificates in Boulder a few days ago, and it should be in staging this week.

We'll be posting an update (here, in the API Updates category) and to our Technical Updates mailing list (subscribe at Sign up for emails - Let's Encrypt) once that's out.

10 Likes

In staging now 🙂

9 Likes