
OCSP is not checked / embedded on intermediate certificates #247

@mauzi

Hi,
I'm using 2.3.0. LTV works with CRL, but does not work with OCSP.

With --crl option, all certificates in the chain are verified and revocation information embedded:

INFO Processing (it may take a while) ...
INFO Reading CRLs
INFO Reading CRL distribution points from certificate 2.5.4.5=#131d312e332e362e312e342e312e32313532382e322e332e322e3131313035,1.2.840.113549.1.9.1=#161468656c706465736b4064617461636173742e6875,CN=Datacast Kft.,2.5.4.97=#0c0e56415448552d3134383833393837,O=Datacast Kft.,L=Budapest,C=HU
INFO Found CRL URL in distribution point: http://ec2ca2017-crl1.e-szigno.hu/ec2ca2017.crl
INFO Found CRL URL in distribution point: http://ec2ca2017-crl2.e-szigno.hu/ec2ca2017.crl
INFO Found CRL URL in distribution point: http://ec2ca2017-crl3.e-szigno.hu/ec2ca2017.crl
INFO Reading CRL distribution points from certificate CN=e-Szigno Class2 CA 2017,2.5.4.97=#0c0e56415448552d3233353834343937,O=Microsec Ltd.,L=Budapest,C=HU
INFO Found CRL URL in distribution point: http://rootca2017-crl1.e-szigno.hu/rootca2017.crl
INFO Found CRL URL in distribution point: http://rootca2017-crl2.e-szigno.hu/rootca2017.crl
INFO Found CRL URL in distribution point: http://rootca2017-crl3.e-szigno.hu/rootca2017.crl
INFO Downloading CRL from http://rootca2017-crl3.e-szigno.hu/rootca2017.crl
INFO Size of downloaded CRL: 701
INFO Downloading CRL from http://rootca2017-crl2.e-szigno.hu/rootca2017.crl
INFO Size of downloaded CRL: 701
INFO Downloaded CRL is already present. Skipping.
INFO Downloading CRL from http://ec2ca2017-crl3.e-szigno.hu/ec2ca2017.crl
INFO Size of downloaded CRL: 213643
INFO Downloading CRL from http://rootca2017-crl1.e-szigno.hu/rootca2017.crl
INFO Size of downloaded CRL: 701
INFO Downloaded CRL is already present. Skipping.
INFO Downloading CRL from http://ec2ca2017-crl1.e-szigno.hu/ec2ca2017.crl
INFO Size of downloaded CRL: 213643
INFO Downloaded CRL is already present. Skipping.
INFO Downloading CRL from http://ec2ca2017-crl2.e-szigno.hu/ec2ca2017.crl
INFO Size of downloaded CRL: 213643
INFO Downloaded CRL is already present. Skipping.
INFO Creating TSA client.
INFO Setting TSA hash algorithm: SHA-256
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.

With --ocsp option, only the signer certificate is verified and revocation information embedded:

INFO Processing (it may take a while) ...
INFO Reading OCSP URL from certificate chain.
INFO Getting OCSP data from URL: http://ec2ca2017-ocsp1.e-szigno.hu
INFO Creating TSA client.
INFO Setting TSA hash algorithm: SHA-256
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.

The OCSP server URLs for the intermediate certificate are defined properly in the AIA extension:

Method = OCSP
URI = http://rootca2017-ocsp1.e-szigno.hu

Method = OCSP
URI = http://rootca2017-ocsp2.e-szigno.hu

Method = OCSP
URI = http://rootca2017-ocsp3.e-szigno.hu

Method = Certification Authority Issuer
URI = http://rootca2017-ca1.e-szigno.hu/rootca2017.crt

Method = Certification Authority Issuer
URI = http://rootca2017-ca2.e-szigno.hu/rootca2017.crt

Method = Certification Authority Issuer
URI = http://rootca2017-ca3.e-szigno.hu/rootca2017.crt

Thank you for your support!
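The behaviour described above (CRL mode covering the whole chain, OCSP mode stopping at the signer certificate) comes down to how the chain is walked. The following is an added example, not code from the project this issue is filed against, and it assumes the Python `cryptography` package is available. It builds a constructed root, intermediate and signer chain whose non-root certificates carry OCSP URIs in their AIA extension, then plans the OCSP work the way an LTV-complete signer should: every certificate except the self-signed trust anchor is paired with its issuer and gets its own OCSP request, so the intermediate is not skipped. All names and URLs in it are constructed for the example.

```python
"""Plan OCSP checks for every certificate in a chain, not just the signer.

Added example (not the project's own code). Assumes the `cryptography`
package. The chain, names and OCSP URLs below are constructed test data.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def _make_cert(subject_cn, issuer_cert, issuer_key, is_ca, ocsp_urls):
    """Issue a certificate; issuer_cert=None produces a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer_name = issuer_cert.subject if issuer_cert is not None else subject
    signing_key = issuer_key if issuer_key is not None else key
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if ocsp_urls:
        # AIA extension: one "OCSP" access description per responder URL
        aia = x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(url))
            for url in ocsp_urls
        ])
        builder = builder.add_extension(aia, critical=False)
    return builder.sign(signing_key, hashes.SHA256()), key


def build_chain():
    """Constructed chain: signer -> intermediate -> root (leaf first)."""
    root, root_key = _make_cert("Constructed Root CA", None, None, True, [])
    inter, inter_key = _make_cert("Constructed Intermediate CA", root, root_key, True,
                                  ["http://ocsp-root.example.test"])
    leaf, _ = _make_cert("Constructed Signer", inter, inter_key, False,
                         ["http://ocsp-inter.example.test"])
    return [leaf, inter, root]


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def ocsp_urls(cert):
    """OCSP responder URIs from the certificate's AIA extension (may be empty)."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]


def find_issuer(cert, chain):
    """The chain member whose subject matches this certificate's issuer name."""
    for candidate in chain:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def plan_ocsp_checks(chain):
    """Return (subject CN, issuer CN, responder URLs, DER OCSP request) for every
    certificate that needs a revocation check. Only the self-signed trust anchor
    is skipped: it has no issuer to ask, so a check there is meaningless.
    An intermediate is treated exactly like the signer certificate."""
    plan = []
    for cert in chain:
        if cert.issuer == cert.subject:
            continue  # trust anchor: no OCSP check possible
        issuer = find_issuer(cert, chain)
        if issuer is None:
            raise ValueError(f"issuer of {cert.subject.rfc4514_string()} not in chain")
        # OCSP request identifies the cert by issuer-name/issuer-key hashes plus serial,
        # so the request must be built against the *correct* issuer for each level.
        request = (ocsp.OCSPRequestBuilder()
                   .add_certificate(cert, issuer, hashes.SHA256())
                   .build())
        plan.append((common_name(cert), common_name(issuer), ocsp_urls(cert),
                     request.public_bytes(serialization.Encoding.DER)))
    return plan


if __name__ == "__main__":
    for subject, issuer, urls, der in plan_ocsp_checks(build_chain()):
        print(f"check {subject!r} (issued by {issuer!r}) at {urls}, request {len(der)} bytes")
```

Running the script lists two checks, one for the signer against the intermediate and one for the intermediate against the root, each with the responder URLs taken from that certificate's own AIA extension. The `ocsp_urls` helper on the intermediate is the lookup that the reporter's `--ocsp` run appears to skip; the DER requests would be POSTed to those URLs and the responses embedded for LTV.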
