[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?

Jakob Bohm jb-openssl at wisemo.com
Wed Oct 28 15:47:55 UTC 2015

On 28/10/2015 10:24, M K Saravanan wrote:
> Hi,
>> Upon checking the wireshark capture, I found the OCSP response does not send
>> signer cert, but only the responderID (byKey).
>> In such scenario, where do I find the OCSP response signer cert?
> Clarifying my own question.
> https://tools.ietf.org/html/rfc6960#section- says:
> ---------------
> The purpose of the ResponderID information is to allow clients to
> find the certificate used to sign a signed OCSP response.  Therefore,
> the information MUST correspond to the certificate that was used to
> sign the response.
> The responder MAY include certificates in the certs field of
> BasicOCSPResponse that help the OCSP client verify the responder's
> signature.
> -----------------
> I understand that it is not mandatory to send the OCSP response signer
> certificate in the OCSP response.  So in such cases, where to find the OCSP
> response signer certificate?  That is my question.
Obvious first check is to see if it is the CA certificate
that issued thecertificate you are checking.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list