I’ve just tried to verify the OCSP response but was unable so far. The certificate itself verifies successfully on the local certificate chain, but the OCSP part is somehow broken. Local verification: Intermediate Certificate verification: #> openssl verify chain1.pem chain1.pem: OK Server Cert…

I believe it’s done on purpose, to reduce the size of the OCSP responses and to avoid having to build a whole new trust chain on the client. I’m not sure if they’re allowed to sign OCSP responses without the OCSP Signing key usage, though. :expressionless:

[image] kerio: I believe it's done on purpose, to reduce the size of the OCSP responses and to avoid having to build a whole new trust chain on the client. That is correct. And the OCSP Signing key usage is only required for dedicated OCSP signing certs. Signing OCSP directly from the issuer …

I believe you need to add -verify_other chain1.pem.

[image] jsha: I believe you need to add -verify_other chain1.pem. Nice one. It's working perfectly now. Thanks! :wink:

Unable to verify OCSP response

Server

jsha December 17, 2015, 7:22pm 3

That is correct. And the OCSP Signing key usage is only required for dedicated OCSP signing certs. Signing OCSP directly from the issuer doesn't require additional extensions.

Topic		Replies	Views
[Solved] Cannot verify ocsp Server	2	11682	November 8, 2015
OCSP response error signer certificate not found Server	0	3813	November 18, 2015
Is OCSP responder broken? Issuance Tech	3	7375	April 1, 2018
Where can I find OCSP responder certificate? Feature Requests	1	3837	November 7, 2015
OCSP signing certificates Help	2	2477	March 7, 2018

Unable to verify OCSP response

Related topics