[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?
Jakob Bohm
jb-openssl at wisemo.com
Wed Oct 28 15:47:55 UTC 2015
On 28/10/2015 10:24, M K Saravanan wrote:
> Hi,
>
>> Upon checking the wireshark capture, I found the OCSP response does not send
>> signer cert, but only the responderID (byKey).
>>
>> In such scenario, where do I find the OCSP response signer cert?
> Clarifying my own question.
>
> https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:
>
> ---------------
> The purpose of the ResponderID information is to allow clients to
> find the certificate used to sign a signed OCSP response. Therefore,
> the information MUST correspond to the certificate that was used to
> sign the response.
>
> The responder MAY include certificates in the certs field of
> BasicOCSPResponse that help the OCSP client verify the responder's
> signature.
> -----------------
> I understand that it is not mandatory to send the OCSP response signer
> certificate in the OCSP response. So in such cases, where to find the OCSP
> response signer certificate? That is my question.
Obvious first check is to see if it is the CA certificate
that issued the certificate you are checking.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded