
Default OCSP responder is not used for external CAs without OCSP key binding

    Details

    • Issue discovered during: Customer

      Description

      If an external CA in EJBCA is available without an OCSP key binding, EJBCA will attempt to (somehow) use this certificate to sign an OCSP response, instead of using the default OCSP responder.

      Reproduction requirements:
      1. One root CA (basically, you need just a PEM file for it). This CA will be referred to as TestRootCA.

      Reproduction steps:
      1. Perform minimal, standard installation of EJBCA with enabled OCSP responder servlet.
      2. Send an OCSP request to EJBCA for a certificate issued by TestRootCA.
      3. Import TestRootCA certificate into EJBCA as external CA.
      4. Restart JBoss (to clear the caches).
      5. Send an OCSP request to EJBCA for a certificate issued by TestRootCA.

      Expected results:
      1. Default responder is used to sign response in step 2.
      2. Default responder is used to sign response in step 5.

      Actual results:
      1. Default responder is used to sign response in step 2.
      2. An exception is thrown by EJBCA. See attached file for details.

          • Work-around
            This only applies when the default responder is a CA.
            If you create an active OcspKeyBinding from the same CA and clear the cache, the responses will be signed by the OcspKeyBinding and the signature will verify.
            An OCSP client trusting the CA should also trust the delegated OCSP signer issued by the same CA.
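The trust rule the work-around relies on (a client that trusts the CA also trusts a delegated OCSP signer issued by that CA) and the request/response exchange of reproduction steps 2 and 5 can be checked offline with nothing but the openssl command line. The script below is an added example, not EJBCA code and not an attachment of this issue. It builds a throwaway TestRootCA, an end-entity certificate, a delegated OCSP signer issued by TestRootCA (the role an OcspKeyBinding from the same CA plays) and an unrelated self-signed CA standing in for a default responder the client has not been told about, answers one OCSP request with each signer, and verifies both responses as a relying party whose only trust anchor is TestRootCA. All names, serial numbers and file names are constructed for the demo; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example for ECA-3969, not EJBCA code: checks with plain openssl which
# OCSP response signers a client that trusts TestRootCA will accept.
# Everything here (names, serials, files) is constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the CA certificates get CA:TRUE regardless of the
# system openssl.cnf; -subj supplies the subject, so [dn] stays empty.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Test PKI: TestRootCA (the external CA of the ticket), one end-entity
# certificate with serial 0x1001, a delegated OCSP signer issued by TestRootCA
# (what an OcspKeyBinding from the same CA provides), and an unrelated
# self-signed CA standing in for a default responder the client knows nothing about.
build_pki() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=TestRootCA" -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=ee.example.test" -keyout ee.key -out ee.csr 2>/dev/null
  openssl x509 -req -in ee.csr -CA root.pem -CAkey root.key -set_serial 4097 \
    -days 30 -out ee.pem 2>/dev/null
  # The delegated signer must carry the OCSPSigning extended key usage.
  printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=TestRootCA OCSP Signer" -keyout ocsp.key -out ocsp.csr 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA root.pem -CAkey root.key -set_serial 4098 \
    -days 30 -extfile ocsp.ext -out ocsp.pem 2>/dev/null
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=OtherDefaultResponder" -keyout other.key -out other.pem 2>/dev/null
  # openssl's file-based responder answers from a CA index: 'V' = valid, serial in hex.
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=ee.example.test\n' > index.txt
  printf 'unique_subject = yes\n' > index.txt.attr
}

# Steps 2 and 5 of the ticket from the client side: an OCSP request for ee.pem.
make_request() {
  openssl ocsp -issuer root.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1
}

# Answer req.der with a given signer, as the OCSP servlet would.
# $1 = signer certificate, $2 = its private key, $3 = DER response to write.
sign_response() {
  openssl ocsp -index index.txt -CA root.pem -rsigner "$1" -rkey "$2" \
    -reqin req.der -no_nonce -respout "$3" -noverify >/dev/null 2>&1
}

# Verify a response as a relying party whose only trust anchor is TestRootCA.
# $1 = DER response; any further arguments are extra openssl trust options.
# Prints "accepted" or "rejected".
client_verify() {
  resp=$1
  shift
  if openssl ocsp -respin "$resp" -issuer root.pem -cert ee.pem -no_nonce \
       -CAfile root.pem "$@" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

build_pki
make_request
sign_response ocsp.pem ocsp.key delegated.der    # OcspKeyBinding issued by TestRootCA
sign_response other.pem other.key unrelated.der  # signer with no link to TestRootCA

echo "delegated signer, client trusts TestRootCA:          $(client_verify delegated.der)"
echo "unrelated signer, client trusts TestRootCA:          $(client_verify unrelated.der)"
echo "unrelated signer, client told to trust it (-VAfile): $(client_verify unrelated.der -VAfile other.pem)"
```

openssl accepts the first response because the signer certificate chains to TestRootCA and carries the OCSPSigning extended key usage, which is the delegated-responder rule of RFC 6960 section 4.2.2.2. The second response is rejected: the signer has no link to the issuer of the certificate being checked, so a client anchored on TestRootCA alone has no reason to believe it. Only when the client is explicitly told to trust that signer (-VAfile here; in EJBCA terms, a client configured to trust the default responder certificate) does the same response verify, which is what makes an OcspKeyBinding from the same CA the safer choice for relying parties that know only the CA.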

              People

              Assignee:
              mikek Mike Agrenius Kushner
              Reporter:
              branko Branko Majic (Inactive)
              Verified by:
              Johan Eklund