[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?

M K Saravanan mksarav at gmail.com
Wed Oct 28 03:56:45 UTC 2015


If the OCSP responder does not send the response signer certificate in the
OCSP response, then how can we find the signer certificate?

I was doing a simple test to verify a Google certificate via OCSP like this:

$ openssl ocsp -issuer ./www.google.com.sg-issuer.cer -CAfile ./ca.cer \
    -cert ./www.google.com.sg.cer -url http://clients1.google.com/ocsp \
    -header Host clients1.google.com -no_nonce
Response Verify Failure
2283136:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:91:
./www.google.com.sg.cer: good
        This Update: Oct 27 14:35:13 2015 GMT
        Next Update: Nov  3 14:35:13 2015 GMT

Upon checking the Wireshark capture, I found that the OCSP response does not
send the signer cert, but only the responderID (byKey).

In such a scenario, where do I find the OCSP response signer cert?

with regards,
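
An added example, not part of the original post: a byKey ResponderID is the SHA-1 hash of the responder's public key (RFC 6960 KeyHash), so certificates already held locally can be tested against it. The function names and the skeleton certificates below are constructed for illustration; a real check would load DER certificates such as the issuing CA's.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length: next n octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def key_hash(cert_der):
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING value,
    excluding tag, length and the unused-bits octet."""
    _, off, _ = read_tlv(cert_der, 0)        # Certificate
    _, off, _ = read_tlv(cert_der, off)      # tbsCertificate
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                          # optional [0] version
        off = end
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    _, off, _ = read_tlv(cert_der, off)      # subjectPublicKeyInfo
    _, _, off = read_tlv(cert_der, off)      # AlgorithmIdentifier
    tag, start, end = read_tlv(cert_der, off)
    if tag != 0x03:
        raise ValueError("subjectPublicKey BIT STRING not found")
    return hashlib.sha1(cert_der[start + 1:end]).digest()

def find_signer(responder_id, candidates):
    """Name of the candidate whose key hash equals the byKey ResponderID."""
    for name, der in candidates.items():
        if key_hash(der) == responder_id:
            return name
    return None

# --- constructed sample data: skeleton certificates, not real ones ---
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def skeleton_cert(key):
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

CANDIDATES = {"issuing-ca": skeleton_cert(b"A" * 270), "other-ca": skeleton_cert(b"B" * 270)}
RESPONDER_ID = hashlib.sha1(b"A" * 270).digest()   # stands in for the byKey value
print(find_signer(RESPONDER_ID, CANDIDATES))
```

A certificate identified this way can be supplied to `openssl ocsp` with `-verify_other`, which names a file of additional certificates to search for the response signer.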