OCSP validation using GPG dirmngr

As part of a larger flow, I recently tried to implement batch OCSP validation of LE (and eventually other) certs using GPG’s dirmngr.

The basic steps were:

  • Add the directive “allow-ocsp” to ~/.gnupg/dirmngr.conf (also consider “debug-level” and “log-file”)
  • Add a DER encoded DST root to /etc/gnupg/trusted-certs
  • Add a DER encoded DST signed LE X3 intermediate to /etc/gnupg/extra-certs
  • Execute: dirmngr-client --ocsp --pem my.crt

This does successfully issue an OCSP request; however it turns out that the LE OCSP responder does not respect the nonce in the request; I guess the cached response is returned. dirmngr chokes on this with a “replay detected” error. I didn’t find a way to disable the nonce matching behaviour in dirmngr, so I guess it’s back to the drawing board.

Posting this in case it saves someone an hour.


Thanks for sharing, I hope this is helpful to someone else!
