New OCSP Root certificate?

bvanraemdo1985 · May 8, 2020, 8:49am

Hi ,

the ocsp ca is about to expire, but i can’t find the renewed one, can you point us the right direction please ?

_az · May 8, 2020, 9:11am

Let’s Encrypt signs OCSP responses directly from the certificate issuer. There is no separate certificate for OCSP.

The current issuer expires March 2021.

Where are you seeing otherwise?

_az · May 8, 2020, 9:47am

Ah maybe you mean the OCSP response for the cross-signed Let’s Encrypt issuer, rather than for Let’s Encrypt end-entity certificates?

That one is expiring “soon”, but it looks like Identrust rotates the certificate every month, so I don’t think it’s anything to worry about:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:6a:50:e4:91:64:df:6d:86:a9:65:73:ee:11:39
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Apr 29 19:00:00 2020 GMT
            Not After : May 29 19:00:00 2020 GMT
        Subject: C = US, O = Digital Signature Trust, OU = DST, CN = DST CA X3 OCSP Signer, emailAddress = pki-ops@IdenTrust.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:43:23:ad:90:aa:1b:e1:85:7d:fc:3e:8a:d0:
                    f8:ed:ed:72:c3:86:1d:de:50:af:82:25:62:95:62:
                    cf:b9:f7:99:6d:68:be:d0:a9:4f:af:14:a1:83:63:
                    9b:3f:d3:e6:31:5f:f2:f2:19:4f:ff:da:d8:d1:39:
                    ea:4b:c0:36:49:f1:23:4f:bd:d2:36:5c:00:e2:60:
                    cb:c3:60:7e:f3:35:cf:9b:26:d9:21:79:90:da:c2:
                    a1:3b:de:e7:59:fe:46:63:6f:62:bc:7d:98:8d:ca:
                    9f:6e:7a:b4:b9:56:bd:ce:ea:88:c6:db:00:46:e4:
                    96:e4:7b:e3:32:85:34:a0:a1:cd:94:41:49:74:84:
                    e6:fb:16:ed:12:15:8d:73:8e:01:6c:67:51:13:a4:
                    76:e9:ef:92:50:37:af:dc:ed:0a:29:64:6b:99:1d:
                    60:91:c2:c8:89:8d:2f:7b:df:09:5e:4e:ec:13:0c:
                    25:2d:98:ca:2f:2d:10:7a:b9:7c:77:16:39:c5:b2:
                    54:46:77:af:28:b6:2e:be:67:e1:ab:fc:16:4b:3d:
                    36:fb:a1:78:72:c5:42:39:cf:0c:64:7b:98:88:4c:
                    66:d8:b5:92:c9:f3:9c:54:8e:b3:b8:06:74:b4:f5:
                    ed:e2:80:a3:ae:b7:b8:31:6e:65:ac:37:b6:74:c8:
                    10:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            OCSP No Check: 

            X509v3 Extended Key Usage: 
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
        98:ca:2f:62:db:0d:44:64:3b:9f:e7:8e:03:26:bd:29:e7:d1:
        47:07:c1:56:7c:d2:ee:76:54:cf:fe:20:41:7b:e8:c8:e3:78:
        6e:7b:e6:64:2e:fb:1c:71:12:b0:53:3b:11:5b:ed:d8:d6:dc:
        7c:ed:8c:bd:af:de:3a:35:11:93:93:f8:01:3a:d5:42:20:2c:
        fd:55:67:18:4b:01:c0:d0:8c:69:ce:62:71:26:75:24:f2:57:
        af:0f:82:a4:3e:4d:a3:51:4d:d3:4f:fc:69:68:7e:c4:89:15:
        a2:2e:d0:3d:31:2f:6b:e0:6b:8b:cd:cd:4b:1e:54:8a:e2:de:
        50:76:48:5d:67:b5:d1:59:9b:1b:b2:60:09:af:5a:c3:f8:73:
        79:f4:67:15:6b:f2:84:f1:0e:56:d1:ac:fe:06:ab:62:f9:3a:
        52:22:c0:74:c8:e3:f8:dd:47:84:3a:46:2e:e7:d0:78:16:d9:
        a5:cc:3e:c8:d3:a4:2d:b4:8a:33:bd:a7:2d:01:94:56:9e:94:
        a3:40:74:a6:cd:1e:ee:a4:34:e4:05:2b:f2:b7:a7:4c:d4:60:
        a1:7a:b1:21:72:31:f1:c7:3a:be:03:f3:b4:9c:44:c9:a1:b5:
        af:07:70:30:1f:83:98:9d:e6:1f:b5:c5:48:e5:12:e8:d1:8a:
        f1:c4:0a:7a

bvanraemdo1985 · May 11, 2020, 4:49am

Seems right , thank you.

system · June 10, 2020, 4:57am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.