As part of a larger flow, I recently tried to implement batch OCSP validation of LE (and eventually other) certs using GPG’s dirmngr.
The basic steps were:
- Add the directive “allow-ocsp” to ~/.gnupg/dirmngr.conf (also consider “debug-level” and “log-file”)
- Add a DER-encoded DST root to /etc/gnupg/trusted-certs
- Add a DER-encoded, DST-signed LE X3 intermediate to /etc/gnupg/extra-certs
- Execute: dirmngr-client --ocsp --pem my.crt
This does successfully issue an OCSP request; however, it turns out that the LE OCSP responder does not respect the nonce in the request; I guess the cached response is returned. dirmngr chokes on this with a “replay detected” error. I didn’t find a way to disable the nonce-matching behaviour in dirmngr, so I guess it’s back to the drawing board.
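To make the failure mode concrete, here is an added example (not code from the post, from GnuPG/dirmngr or from Let's Encrypt) that builds an OCSP request carrying the RFC 6960 nonce extension and then classifies a response by whether it echoes that nonce. It assumes the Python `cryptography` package and uses a throwaway CA and leaf certificate generated in-process, so it runs offline; the three responses (nonce echoed, no nonce at all, a different nonce) are constructed test data. The "missing" and "mismatch" verdicts model the situation the post describes, a pre-computed response handed back regardless of the request's nonce; they are not a reimplementation of dirmngr's own check.

```python
import datetime
import hmac
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER


def make_test_pki():
    """Throwaway CA plus one leaf certificate (constructed test data, not LE's chain)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_request(leaf_cert, ca_cert, nonce):
    """DER-encoded OCSP request for leaf_cert with the (non-critical) nonce extension."""
    req = (
        ocsp.OCSPRequestBuilder()
        .add_certificate(leaf_cert, ca_cert, hashes.SHA1())  # CertID hash, as RFC 6960 suggests
        .add_extension(x509.OCSPNonce(nonce), critical=False)
        .build()
    )
    return req.public_bytes(DER)


def build_response(ca_key, ca_cert, leaf_cert, nonce=None):
    """DER-encoded 'good' response signed by the CA key.

    nonce=None models a cached response produced without looking at this request;
    any other value is echoed back in the response's nonce extension.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(hours=1),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def check_nonce(request_der, response_der):
    """Compare the nonce we sent with the one in the response.

    Returns 'ok' when they match, 'missing' when the response carries no nonce
    (a pre-computed/cached answer), 'mismatch' when it carries someone else's nonce,
    or 'unsuccessful' for a non-successful responseStatus.  Without a matching
    nonce a client cannot tell a fresh answer from a replayed old one.
    """
    req = ocsp.load_der_ocsp_request(request_der)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unsuccessful"
    sent = req.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    try:
        got = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return "missing"
    return "ok" if hmac.compare_digest(sent, got) else "mismatch"


def demo():
    """Run the three constructed cases and return their verdicts."""
    ca_key, ca_cert, leaf = make_test_pki()
    nonce = os.urandom(16)
    req = build_request(leaf, ca_cert, nonce)
    return {
        "fresh": check_nonce(req, build_response(ca_key, ca_cert, leaf, nonce)),
        "cached": check_nonce(req, build_response(ca_key, ca_cert, leaf)),
        "stale": check_nonce(req, build_response(ca_key, ca_cert, leaf, os.urandom(16))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "cached" case is the interesting one for a responder that serves pre-generated responses: the signature and validity window check out, only the nonce is absent, so a strict client has no freshness guarantee beyond thisUpdate/nextUpdate and must either reject (as dirmngr does here) or explicitly accept nonce-less responses.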
Posting this in case it saves someone an hour.