[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?
M K Saravanan
mksarav at gmail.com
Wed Oct 28 09:24:30 UTC 2015
Hi,
> Upon checking the wireshark capture, I found the OCSP response does not send
> signer cert, but only the responderID (byKey).
>
> In such scenario, where do I find the OCSP response signer cert?
Clarifying my own question.
https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:
---------------
The purpose of the ResponderID information is to allow clients to
find the certificate used to sign a signed OCSP response. Therefore,
the information MUST correspond to the certificate that was used to
sign the response.

The responder MAY include certificates in the certs field of
BasicOCSPResponse that help the OCSP client verify the responder's
signature.
-----------------
I understand that it is not mandatory to send the OCSP response signer
certificate in the OCSP response. So in such cases, where do I find the OCSP
response signer certificate? That is my question.
with regards,
Saravanan
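
As an added example (not part of the original post and not OpenSSL code): RFC 6960 defines the byKey form of ResponderID as the SHA-1 hash of the responder's public key, so a client can pick the signer out of certificates it already holds by hashing each candidate's subjectPublicKey. The certificate skeletons and names below are constructed sample data, and the candidate set (the issuing CA plus a separately obtained responder certificate) is an assumption.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    items, pos = [], start
    while pos < end:
        items.append(read_tlv(buf, pos))
        pos = items[-1][2]
    return items

def key_hash(cert_der):
    """RFC 6960 KeyHash: SHA-1 of the subjectPublicKey bits (no tag, length, unused-bits octet)."""
    _, start, end = read_tlv(cert_der, 0)              # Certificate
    _, start, end = children(cert_der, start, end)[0]  # tbsCertificate
    fields = children(cert_der, start, end)
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    _, start, end = fields[5]                          # subjectPublicKeyInfo
    tag, start, end = children(cert_der, start, end)[1]
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(cert_der[start + 1:end]).digest()

def find_signer(by_key, candidates):
    """Names of candidate certificates whose key hash equals responderID byKey."""
    return [name for name, der in candidates.items() if key_hash(der) == by_key]

# --- constructed sample input: certificate-shaped DER skeletons, not real certs ---
def tlv(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body
def skeleton_cert(key):
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
CANDIDATES = {"issuing-ca": skeleton_cert(b"\x11" * 140), "responder": skeleton_cert(b"\x22" * 140)}
BY_KEY = hashlib.sha1(b"\x22" * 140).digest()  # constructed: the byKey a response would carry
print(find_signer(BY_KEY, CANDIDATES))
```

A hash match only locates the certificate; the client still has to verify the response signature with it and confirm the certificate is authorized to sign for the issuing CA (RFC 6960 section 4.2.2.2).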