- Type: Bug
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: EJBCA 6.15.0
- Component/s: None
- Labels: None
- Issue discovered during: Customer
- Sprint: EJBCA Sprint 18

In a publisher meant for VA publishing, you can set the option "Don't store certificate meta data except for CA and OCSP signing certificates". This will cause some fields from CertificateData on the CA to not be stored in the VA. One of the fields that looks like it's left out is expireDate (if I read the code correctly).
If expireDate is set to -1, the certificate will always be seen as expired when the VA answers OCSP queries. This will cause the archiveCutOff OCSP extension to be returned.
In practice this will be invalid. expireDate should not be considered sensitive Meta Data and should be published so the responder can work correctly.
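
A simplified model of the failure described in this report, added here as an illustration; it is not part of the original report and is not EJBCA code. The function names, the dictionary layout, the millisecond timestamps and the sample rows are assumptions made for the example.

```python
# Simplified model of the reported behaviour; NOT EJBCA source code.
# Assumption: expireDate is a timestamp in milliseconds, and -1 is what the
# VA ends up with when the publisher strips it (as the report describes).
STRIPPED = -1
NOW_MS = 1_540_000_000_000          # fixed "current time" so results are stable

# Constructed sample row on the CA side: still valid for about a year.
CA_ROW = {"fingerprint": "aa11", "subjectDN": "CN=user1",
          "status": "ACTIVE", "expireDate": NOW_MS + 365 * 86_400_000}

def publish(ca_row, strip_metadata, keep_expire_date):
    """Copy a CA row to the VA, optionally dropping meta data fields."""
    va_row = {"fingerprint": ca_row["fingerprint"], "status": ca_row["status"],
              "subjectDN": ca_row["subjectDN"], "expireDate": ca_row["expireDate"]}
    if strip_metadata:
        va_row["subjectDN"] = None
        if not keep_expire_date:    # behaviour described in the report
            va_row["expireDate"] = STRIPPED
    return va_row

def responder_extensions(va_row, now_ms):
    """Responder model: a certificate seen as expired gets archiveCutoff."""
    expired = va_row["expireDate"] < now_ms
    return ["archiveCutoff"] if expired else []

def audit(va_rows):
    """Fingerprints whose expireDate cannot be a real notAfter value."""
    return [r["fingerprint"] for r in va_rows if r["expireDate"] <= 0]

if __name__ == "__main__":
    before = publish(CA_ROW, strip_metadata=True, keep_expire_date=False)
    after = publish(CA_ROW, strip_metadata=True, keep_expire_date=True)
    print("expireDate stripped:", responder_extensions(before, NOW_MS))
    print("expireDate kept:    ", responder_extensions(after, NOW_MS))
    print("rows to republish:  ", audit([before, after]))
```

The `audit` function corresponds to the check an operator could run against a VA that was populated while expireDate was being stripped, to find the rows that need republishing.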