OCSP not used for 6-day short-lived certs?

Regarding the following website (We Issued Our First Six Day Cert) it reads:

Our six-day certificates will not include OCSP or CRL URLs.

Further down to the first six-day cert (I am referring to the shown openssl x509 -text output), in the "X509v3 extensions" section, we see:

Authority Information Access:
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/

So, isn't there an OCSP URL included in the cert whereas the text reads different?? Thank you for clarifying!

2 Likes

It's a work in progress, see e.g. a reply in a different thread from a Let's Encrypt staff member here:

That first six-day certificate does not fully resemble how the six-day certificates for you and me in the future will look like :slight_smile:

6 Likes

That first six-day certificate does not fully resemble how the six-day certificates for you and me in the future will look like :slight_smile:

This is what I imagined. It was just confusion on reading the page and then the properties of the certificate "contradicting" the text. :slight_smile: Thanks for clarification!

3 Likes

Yeah I would also have liked that this nuance would have been included in the blog post, so it wouldn't be as confusing as it is now.

3 Likes