This is a compliance issue for eIDAS TSPs under ETSI EN 319 411-2 and 319 411-1.
319 411-2: CSS-6.3.10-09
If OCSP is provided and the CA's certificate is about to expire, the TSP may compute a last OCSP answer for each and every issued certificate (whether revoked or not), with the "nextUpdate" field set to "99991231235959Z".
Today we can set the OCSP response validity in the OCSP key binding really high, but nextUpdate will not be set to the specific date 99991231235959Z.
The easy fix is to put a check in OCSP response generation: if nextUpdate is calculated to be later than 99991231235959Z, set it to 99991231235959Z. Then setting nextUpdate to 9999y (for example) will create this OCSP response.
- modify OCSP response generation in OcspResponseGeneratorSessionBean
- make a JUnit test to verify both normal and final OCSP response validity
- update documentation for OCSP
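
The clamping check described above, written as a stand-alone added example; it is not EJBCA's code. The class name, method names and sample timestamps are assumptions, and 9999y is approximated as 9999 × 365 days.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

public class FinalOcspNextUpdate {
    // Latest value a four-digit-year GeneralizedTime can carry: 99991231235959Z.
    static final Instant MAX_NEXT_UPDATE = Instant.parse("9999-12-31T23:59:59Z");

    static final DateTimeFormatter GENERALIZED_TIME =
            DateTimeFormatter.ofPattern("uuuuMMddHHmmss'Z'").withZone(ZoneOffset.UTC);

    // Hypothetical helper: thisUpdate + validity, capped at MAX_NEXT_UPDATE.
    static Instant nextUpdate(Instant thisUpdate, Duration validity) {
        Instant candidate;
        try {
            candidate = thisUpdate.plus(validity);
        } catch (ArithmeticException | DateTimeException e) {
            // A validity too large for Instant also means "final response".
            return MAX_NEXT_UPDATE;
        }
        return candidate.isAfter(MAX_NEXT_UPDATE) ? MAX_NEXT_UPDATE : candidate;
    }

    static String asGeneralizedTime(Instant t) {
        return GENERALIZED_TIME.format(t);
    }

    public static void main(String[] args) {
        // Constructed sample value for thisUpdate.
        Instant thisUpdate = Instant.parse("2024-01-01T00:00:00Z");

        // Normal response: short validity, nextUpdate is left untouched.
        Instant normal = nextUpdate(thisUpdate, Duration.ofHours(1));
        // Final response: "9999y" validity overshoots year 9999 and is clamped.
        Instant last = nextUpdate(thisUpdate, Duration.ofDays(9999L * 365));

        System.out.println("normal nextUpdate: " + asGeneralizedTime(normal));
        System.out.println("final  nextUpdate: " + asGeneralizedTime(last));
    }
}
```

The two cases in `main` correspond to the normal and final response validity that the JUnit test in the task list is meant to cover.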