Revoke OCSP for the entire certificate chain

When you ask the OCSP server to check the revocation status of a certificate, does it automatically check the revocation status of the entire chain?

i.e., if it says the certificate is “good”, does that mean the whole chain is good?

I read the spec: http://www.ietf.org/rfc/rfc2560.txt

but it still seems unclear to me.

Wikipedia mentions OCSP chain queries:

http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

+5
1 answer

The OCSP responder only checks the status of the specific certificate specified in the OCSP request. The responder will ignore the rest of the chain.

OCSP, , , , SSL, . , SSL . , , ( ) OCSP, OCSP.

, OCSP HTTP- - - , , , , OCSP (Apache 2.4+ ..), OCSP , , ( , , , , , ).

, , OCSP. , , , , .

+7
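The per-certificate behaviour described in the answer, as an added example that is not part of the original post: a simplified model in which a "good" reply for the leaf says nothing about a revoked intermediate, so the client has to issue one query per certificate. The `Cert` class, the sample chain and the single `RESPONDER_DB` dictionary standing in for the responders are constructed assumptions; the CertID fields follow RFC 2560, but the name hash is taken over a string rather than the DER-encoded name.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                      # simplified stand-in for an X.509 certificate
    subject: str
    serial: int
    public_key: bytes            # constructed placeholder bytes, not a real key

def cert_id(cert, issuer):
    """Fields of an RFC 2560 CertID: issuerNameHash, issuerKeyHash, serialNumber.
    Simplification: hashes the subject string instead of the DER-encoded name."""
    return (hashlib.sha1(issuer.subject.encode()).hexdigest(),
            hashlib.sha1(issuer.public_key).hexdigest(),
            cert.serial)

def ocsp_query(responder_db, cert, issuer):
    """Model responder: answers for exactly one CertID, nothing else in the chain."""
    return responder_db.get(cert_id(cert, issuer), "unknown")

def check_chain(chain, responder_db):
    """chain is ordered leaf -> ... -> root. One query per (cert, issuer) pair;
    the root is the trust anchor and is not queried in this model."""
    statuses = {c.subject: ocsp_query(responder_db, c, issuer)
                for c, issuer in zip(chain, chain[1:])}
    return statuses, all(s == "good" for s in statuses.values())

# Constructed sample chain and responder state: the intermediate is revoked.
ROOT = Cert("CN=Example Root", 1, b"root-key")
INTERMEDIATE = Cert("CN=Example Intermediate", 2, b"intermediate-key")
LEAF = Cert("CN=www.example.test", 3, b"leaf-key")
CHAIN = [LEAF, INTERMEDIATE, ROOT]
RESPONDER_DB = {
    cert_id(LEAF, INTERMEDIATE): "good",
    cert_id(INTERMEDIATE, ROOT): "revoked",
}

if __name__ == "__main__":
    print("leaf only:", ocsp_query(RESPONDER_DB, LEAF, INTERMEDIATE))
    print("whole chain:", check_chain(CHAIN, RESPONDER_DB))
```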
