Creating correct certificate chains for OCSP is quite confusing - it would be very useful if sslmerge could generate them. As far as I can see it should include the intermediate and root certs, but not the leaf cert, so if a normal chain cert is leaf -> intermediate, the matching OCSP chain should be intermediate -> root.
Since we already have --with-root, this could perhaps be combined with a new --without-leaf option to achieve this.
trimstray
commented
6 years ago
Creating correct certificate chains for OCSP is quite confusing - it would be very useful if sslmerge could generate them. As far as I can see it should include the intermediate and root certs, but not the leaf cert, so if a normal chain cert is leaf -> intermediate, the matching OCSP chain should be intermediate -> root.
Since we already have
--with-root, this could perhaps be combined with a new--without-leafoption to achieve this.