Open pki-bot opened 4 years ago
Comment from nmeric at 2017-02-27 14:01:06
Metadata Update from @nmeric:
I would also like to know if this could be done. The ability to add multiple CAs is a nice feature, but since they cannot be individually signed, it limits the usefulness.
This issue was migrated from Pagure Issue #670. Originally filed by nmeric on 2013-06-30 05:36:24:
Hello.
Sorry for my English.
It seems that the Dogtag OCSP manager does not support the "Authorized Responder" for multiple CAs.
Someone already mentioned this earlier in 2011 (https://www.redhat.com/archives/pki-users/2011-August/msg00000.html), with no improvement so far.
As specified by the RFC, an OCSP response MUST belong to one of the following:
(http://tools.ietf.org/html/rfc2560#section-2.2)
Dogtag OCSP manager works well for the so-called "Trusted Responder" as well as for the "Authorized Responder".
But, for the "Authorized Responder", it works with only ONE CA as it is impossible to specify multiple OCSP signing certificates. The RFC specifies that with Authorized Responders, the OCSP signing certificate MUST be issued directly by the CA that issued the certificate in question (http://tools.ietf.org/html/rfc2560#section-4.2.2.2).
So, if a client tries to verify a certificate's status and does not use a "Trusted Responder" --- but follows the AIA extension field for example, as it is the most common use case --- and if the CA that issued the certificate in question is not the same CA that issued the OCSP signing certificate, the validation will fail.
I tried this with the openssl command, and it effectively seems to fail.
Can you improve this so one can specify an OCSP signing certificate for each CA that works with the OCSP manager?
Microsoft, OpenCA, and EJBCA OCSP implementations can all already do this.
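Added example (not from the ticket or from Dogtag): the RFC 2560 section 2.2 responder-acceptance rule as a small Python check, run over a constructed two-CA deployment with a single OCSP signing certificate, to show which certificates a client that follows AIA can validate. The `Cert` model, the names and the CA layout are assumptions; signature and chain verification are assumed to have already happened.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 2560 4.2.2.2)


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not a parser)."""
    subject: str
    issuer: str
    eku: FrozenSet[str] = frozenset()


def responder_accepted(target: Cert, signer: Cert,
                       trusted_responders: FrozenSet[str]) -> Optional[str]:
    """Return the RFC 2560 2.2 case that lets `signer` answer for `target`, else None.
    Assumes the response signature and the signer's chain were already verified."""
    # Case 1: the CA that issued the target certificate signs responses itself.
    if signer.subject == target.issuer:
        return "issuing CA"
    # Case 2: Trusted Responder, explicitly configured on the client.
    if signer.subject in trusted_responders:
        return "trusted responder"
    # Case 3: Authorized Responder: signing certificate issued directly by the
    # target's issuer and carrying id-kp-OCSPSigning.
    if signer.issuer == target.issuer and ID_KP_OCSP_SIGNING in signer.eku:
        return "authorized responder"
    return None


def coverage(signer: Cert, certs: Dict[str, Cert],
             trusted: FrozenSet[str] = frozenset()) -> Dict[str, Optional[str]]:
    """Map each certificate to the case admitting `signer`, or None where validation fails."""
    return {name: responder_accepted(c, signer, trusted) for name, c in certs.items()}


# Constructed two-CA deployment with one OCSP signing certificate, issued by CA1 only.
CA1 = Cert("CN=CA1", "CN=CA1")
CA2 = Cert("CN=CA2", "CN=CA2")
OCSP_SIGNER = Cert("CN=OCSP Responder", "CN=CA1", frozenset({ID_KP_OCSP_SIGNING}))
LEAFS = {
    "leaf_from_ca1": Cert("CN=host1", "CN=CA1"),
    "leaf_from_ca2": Cert("CN=host2", "CN=CA2"),
}

if __name__ == "__main__":
    print(coverage(OCSP_SIGNER, LEAFS))  # AIA-only client: leaf_from_ca2 -> None
    print(coverage(OCSP_SIGNER, LEAFS, frozenset({"CN=OCSP Responder"})))  # Trusted Responder
```

The first call reproduces the failure described in the ticket: without a locally configured Trusted Responder, the CA2-issued certificate has no acceptable signer.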