
OCSP: don't include root certificate in response certificate chain

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.1.0
    • Component/s: None
    • Labels: None

      Description

      Currently, when using the option "Include certificate chain in response", all certificates in the certificate chain are included, including the root certificate.

      Having OCSP responses as small as possible is an important performance feature, and since the client must have the root certificate as trusted there is no need to include the root certificate in the chain.

      This relates a little to ECA-3350.

      If "Include certificate chain in response" is true and "Include signer certificate in response" is true:

      • For Root CA responder: root ca certificate is included (this is the signer certificate, not the chain)
      • For Sub CA responder: only sub ca certificate is included (this is the signer certificate)
      • For SubSub CA responder: the two sub ca certificates are included (this is the signer certificate and the chain), but not the root
      • For delegated responder: the OCSP signer certificate and subCA certificate are included (signer cert and chain), but not the root CA certificate.

      If "Include certificate chain in response" is false and "Include signer certificate in response" is true:

      • For Root CA responder: root ca certificate is included (this is the signer certificate, not the chain)
      • For Sub CA responder: only sub ca certificate is included (this is the signer certificate)
      • For SubSub CA responder: the first sub ca certificate is included (this is the signer certificate)
      • For delegated responder: only the OCSP signer certificate

      If "Include certificate chain in response" is false and "Include signer certificate in response" is false:

      • No certificates are included in any responses

      If "Include certificate chain in response" is true and "Include signer certificate in response" is false:

      • This is an invalid option that should never be used
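      The selection rules above, as an added example that is not part of the issue or of EJBCA's code: a small Python model where a responder's chain is a list from signing certificate up to the self-signed root, plus the client-side check that explains why the root can be dropped (the client already trusts it) while intermediates cannot. Certificate names and the `Cert` type are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: only the naming links matter here."""
    subject: str
    issuer: str  # equals subject for a self-signed root

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def select_response_certs(chain, include_signer, include_chain):
    """Return the certificates to embed in an OCSP response.

    chain[0] is the responder's signing certificate, chain[-1] the root.
    Mirrors the option matrix from the issue: the signer is always first,
    the chain (if requested) follows, and the self-signed root is never
    appended as a chain member (a root responder still returns itself,
    because that is its signer certificate).
    """
    if include_chain and not include_signer:
        raise ValueError("chain without signer certificate is an invalid option")
    if not include_signer:
        return []
    if not include_chain:
        return [chain[0]]
    return [chain[0]] + [c for c in chain[1:] if not c.is_self_signed]


def chains_to_anchor(response_certs, trust_anchors):
    """Client-side check: walk issuer links from the signer to a trusted root."""
    if not response_certs:
        return False
    by_subject = {c.subject: c for c in response_certs}
    anchors = {a.subject for a in trust_anchors}
    current, seen = response_certs[0], set()
    while current.subject not in seen:  # loop guard for malformed sets
        seen.add(current.subject)
        if current.issuer in anchors:
            return True
        current = by_subject.get(current.issuer)
        if current is None:
            return False  # an intermediate is missing; the client cannot verify
    return False


# Constructed hierarchy: Root -> Sub CA -> SubSub CA, plus a delegated OCSP signer under Sub CA
ROOT = Cert("Root CA", "Root CA")
SUB = Cert("Sub CA", "Root CA")
SUBSUB = Cert("SubSub CA", "Sub CA")
OCSP = Cert("OCSP Signer", "Sub CA")
ROOT_RESPONDER, SUB_RESPONDER = [ROOT], [SUB, ROOT]
SUBSUB_RESPONDER, DELEGATED = [SUBSUB, SUB, ROOT], [OCSP, SUB, ROOT]
```

With only the signer included, a delegated responder's response no longer verifies against the root alone, which is the trade-off the second option matrix implies.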


    People

    • Assignee: Aveen Ismail (Inactive)
    • Reporter: Tomas Gustavsson
    • Verified by: Tomas Gustavsson
    • Votes: 0
    • Watchers: 3
