OCSP signing certificates


Just trying to make OCSP work in nginx.

I have a few questions and I would like to kindly ask someone more skilled to help me find the answers:

According to the Chain of Trust document (https://letsencrypt.org/certificates/), OCSP responses are signed using the ISRG Root OCSP X1 certificate. This intermediate certificate is signed by ISRG Root X1, which is the root for LE. This intermediate certificate - also according to this document - is sent with every OCSP response. Look:

OCSP Signing Certificate

This certificate is used to sign OCSP responses for the Let’s Encrypt Authority intermediates, so that we don’t need to bring the root key online in order to sign those responses. A copy of this certificate is included automatically in those OCSP responses, so Subscribers don’t need to do anything with it. It is included here for informational purposes only.

_ISRG Root OCSP X1 (Signed by ISRG Root X1)_

Maybe I'm doing something wrong, but I'm getting plain OCSP responses without any [intermediate] certificate added, and the response is signed, like my server certificate, using Let's Encrypt Authority X3, which is cross-signed using the IdenTrust cert.

So what's wrong?

Another question to someone who knows nginx internals… when I need to allow verifying OCSP responses which are then sent back to clients… I need to set up ssl_trusted_certificate. In the manual you can find:

"Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive."

Ehm. But when I have my server cert with the Let's Encrypt Authority X3 cert in one file - call it chained… and use this file as the server cert for nginx… OCSP stapling works. Why?!?

Thanks in advance.
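The two kinds of response the post compares, as an added example (not code from this thread, from nginx or from Let's Encrypt): a throwaway PKI built with openssl, one OCSP response signed by a delegated OCSP signing certificate (the ISRG Root OCSP X1 arrangement the Let's Encrypt page describes, where the responder attaches the signer cert) and one signed directly by the issuing CA with nothing attached (what the post observed), then both verified the way a stapling server with verification switched on must verify them. Every name and file here (Example Root, Example Issuing CA, www.example.test, trusted.pem, ...) is made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the forum post, nginx or Let's Encrypt.
# Builds a throwaway PKI and produces two OCSP responses for one server cert:
#   (a) signed by a delegated OCSP signing cert, which the responder embeds
#   (b) signed directly by the issuing CA, with no certificate embedded
# then verifies both against a trust bundle (issuer + root) and against an
# unrelated root. All names below are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# gen <name> <subject> <issuer name | self> <extension section> <serial>
gen() {
  if [ "$3" = self ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config openssl.cnf \
      -extensions "$4" -subj "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
      -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
      -set_serial "$5" -extfile openssl.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
  fi
}
gen root   "/CN=Example Root"        self  v3_ca     0
gen inter  "/CN=Example Issuing CA"  root  v3_ca     0x01
gen server "/CN=www.example.test"    inter v3_server 0x1001
gen ocsp   "/CN=Example OCSP Signer" inter v3_ocsp   0x02
gen other  "/CN=Unrelated Root"      self  v3_ca     0

# CA database for the openssl responder: status, expiry, revocation date, serial, file, DN
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=www.example.test\n' > index.txt

# (a) delegated signer: the signer cert is embedded in the response by default
openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
  -issuer inter.pem -cert server.pem -no_nonce -noverify -respout resp_delegated.der >/dev/null
# (b) the issuing CA signs directly; -resp_no_certs drops the copy of the signer cert
openssl ocsp -index index.txt -CA inter.pem -rsigner inter.pem -rkey inter.key -resp_no_certs \
  -issuer inter.pem -cert server.pem -no_nonce -noverify -respout resp_direct.der >/dev/null

dump() { openssl ocsp -respin "$1" -resp_text -noverify -no_nonce 2>/dev/null; }
# how many certificates the responder attached to the response
embedded_certs() { dump "$1" | grep -c 'BEGIN CERTIFICATE' || true; }
# who signed the response (the byName responder id)
responder() { dump "$1" | sed -n 's/^ *Responder Id: //p'; }

# Verify like a stapling server: trust anchors come from the bundle, the issuer
# is known. Succeeds only if the signer chains to the bundle and is either the
# issuer itself or a delegate issued by it carrying the OCSPSigning EKU.
verify_response() {  # verify_response <response.der> <trust bundle.pem>
  openssl ocsp -respin "$1" -CAfile "$2" -verify_other inter.pem \
    -issuer inter.pem -cert server.pem -no_nonce >/dev/null 2>&1
}
cat inter.pem root.pem > trusted.pem   # issuer + root, the bundle a verifier needs

echo "delegated: signer=[$(responder resp_delegated.der)] certs attached=$(embedded_certs resp_delegated.der)"
echo "direct:    signer=[$(responder resp_direct.der)] certs attached=$(embedded_certs resp_direct.der)"
verify_response resp_delegated.der trusted.pem && echo "delegated response verifies against issuer+root"
verify_response resp_direct.der    trusted.pem && echo "direct response verifies against issuer+root"
verify_response resp_delegated.der other.pem   || echo "delegated response rejected with an unrelated trust anchor"
```

trusted.pem here (issuer plus root) is the bundle the quoted nginx text means by ssl_trusted_certificate. Note that the directive the quote describes, ssl_stapling_verify, is off by default: without it nginx staples whatever the responder returns, and the issuer certificate it needs to build the OCSP request it takes from the ssl_certificate chain file, which is why a chained file alone is enough for stapling to appear to work.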


Nothing, the site is somewhat misleading. Currently, Let's Encrypt isn't using its own root certificate at all, including the separate OCSP certificate. It's only using the cross-signed intermediates at the moment and probably will be using those for a long time.

