trimstray / mkchain

Open source tool to help you build a valid SSL certificate chain.
GNU General Public License v3.0

Create dual-stack OCSP chains #9

Open Synchro opened 6 years ago

Synchro commented 6 years ago

Further to #8, I'm very confused as to how to create valid OCSP certificate chains for dual stack (ECC + RSA) certificates. This comes up in things like nginx, where we can say:

ssl_certificate /etc/ssl/example.com.combined.crt;
ssl_certificate_key /etc/ssl/example.com.key;
ssl_certificate /etc/ssl/example.com-ecc.combined.crt;
ssl_certificate_key /etc/ssl/example.com-ecc.key;
ssl_trusted_certificate /etc/ssl/cert-bundle-rsa-ecc.crt;

so we have multiple certificates, but only a single opportunity to specify a trusted cert chain to use for OCSP. I don't know exactly how this should be formatted since it needs to contain 2 or more intermediate -> root chains, i.e. I don't know whether it should contain:

or

or, if they need to share a root (some ECC certs are signed using an RSA root):

So it would be very useful if sslmerge could help get this right.

(and yes, it is dumb that openssl can't figure out the cert order itself by matching IDs)

trimstray commented 6 years ago

Thx for this. Your suggestions are very helpful! Let me know more about the topic and I will try to answer it more broadly.

trimstray commented 6 years ago

@Synchro :

Creating correct certificate chains for OCSP is quite confusing - it would be very useful if sslmerge could generate them. As far as I can see it should include the intermediate and root certs, but not the leaf cert, so if a normal chain cert is leaf -> intermediate, the matching OCSP chain should be intermediate -> root. Since we already have --with-root, this could perhaps be combined with a new --without-leaf option to achieve this.
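As an added illustration of the "intermediate -> root, no leaf" bundle discussed in this issue (not mkchain's own code, and not a claim that nginx can consume it per chain), the script below builds a throwaway PKI in which one RSA root signs both an RSA and an ECC intermediate, splits the two nginx-style combined files into a pool, walks each leaf's issuer chain by matching issuer name to subject name, and writes every issuing certificate once into a single trusted bundle. It assumes a POSIX sh with awk and the openssl CLI (1.1.1 or later); all names, keys and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not mkchain's own code): build the single ssl_trusted_certificate bundle
# nginx needs for an RSA chain and an ECC chain that share one RSA root. Rule: the
# bundle holds every certificate that issues a leaf's chain (intermediates and root),
# never the leaves, found by matching each issuer name to another cert's subject name.
# All names, keys and files are constructed here in a scratch directory.
set -eu
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\n' >ca.ext

issue() {  # issue <name> <rsa|ecc> <self|issuer-name> [CA]  -> <name>.key, <name>.crt
  n=$1
  if [ "$2" = ecc ]; then openssl ecparam -genkey -name prime256v1 -noout -out "$n.key"
  else openssl genrsa -out "$n.key" 2048 2>/dev/null; fi
  openssl req -new -key "$n.key" -subj "/CN=$n" -out "$n.csr"
  if [ "$3" = self ]; then set -- -signkey "$n.key" -extfile ca.ext
  else set -- -CA "$3.crt" -CAkey "$3.key" -CAcreateserial ${4:+-extfile ca.ext}; fi
  openssl x509 -req -in "$n.csr" -days 1 "$@" -out "$n.crt" 2>/dev/null
}
issue root rsa self                                   # one RSA root signs both chains
issue rsa-int rsa root CA; issue rsa-leaf rsa rsa-int
issue ecc-int ecc root CA; issue ecc-leaf ecc ecc-int
cat rsa-leaf.crt rsa-int.crt          >rsa.combined.crt   # the files ssl_certificate gets;
cat ecc-leaf.crt ecc-int.crt root.crt >ecc.combined.crt   # one of them already carries the root

mkdir pool   # every certificate from every combined file, one PEM per file
for f in *.combined.crt; do awk -v p="pool/${f%%.*}-" '/BEGIN CERT/{n++} {print > (p n ".pem")}' "$f"; done
name() { openssl x509 -noout "-$1" -in "$2" | sed "s/^$1=//"; }   # name subject|issuer <file>

issuers_of() {  # issuers_of <leaf.crt>: print the issuer chain files, intermediate first, root last
  want=$(name issuer "$1")
  while :; do
    hit=$(for c in pool/*.pem; do [ "$(name subject "$c")" = "$want" ] && { echo "$c"; break; }; done; true)
    [ -n "$hit" ] || { echo "no issuer for $want in the pool (missing root?)" >&2; return 1; }
    echo "$hit"
    [ "$(name subject "$hit")" = "$(name issuer "$hit")" ] && return 0   # self-signed root: done
    want=$(name issuer "$hit")
  done
}
build_bundle() {  # build_bundle <out> <leaf.crt>...: union of the leaves' issuer chains, each cert once
  out=$1; shift; : >"$out"; seen=" "
  for leaf; do for c in $(issuers_of "$leaf"); do
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$c" | cut -d= -f2)
    case "$seen" in *" $fp "*) ;; *) seen="$seen$fp "; cat "$c" >>"$out" ;; esac
  done; done
}
build_bundle cert-bundle-rsa-ecc.crt rsa-leaf.crt ecc-leaf.crt
openssl verify -CAfile cert-bundle-rsa-ecc.crt rsa-leaf.crt ecc-leaf.crt   # both chains validate
```

The resulting file holds rsa-int, root and ecc-int exactly once and neither leaf, which is the shape a shared-root RSA+ECC bundle takes; the same walk reports a missing issuer when a combined file stops short of the root.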

Synchro commented 6 years ago

After a bit more investigation, it seems that this isn't possible in nginx or apache, so it's probably not worth pursuing. There have been issues raised in nginx about this, and a halfway patch that didn't seem to go anywhere. Their opinion is really that Expect-Staple is a sort of abuse of OCSP stapling that is better managed by using short-lived certs, so they're not planning on solving the issue in nginx.

The simpler single OCSP chain generation in #8 would still be useful though.