Thanks again Rich. If anyone else has any ideas please share.
From: "Salz, Rich"
Date: Tuesday, December 4, 2018 at 12:56 PM
To: "anipa...@cisco.com", "openssl-users@openssl.org"
Subject: Re: [openssl-users] OCSP response signed by self-signed trusted
respond
Perhaps you can build a trust store to handle your needs. I am not sure.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
dation of OCSP responses, is this not what this trust setting is for?
Thanks,
Animesh
From: "Salz, Rich"
Date: Tuesday, December 4, 2018 at 12:39 PM
To: "anipa...@cisco.com", "openssl-users@openssl.org"
Subject: Re: [openssl-users] OCSP response signed by self-
The responder isn’t supposed to be self-signed. It’s supposed to be signed by
the CA issuing the certs. That way you know that the CA “trusts” the responder.
Now, having said that, what you want to do is reasonable – think of it as “out
of band” trust. You will probably have to modify the
Have a question with implementing an OCSP requestor that can handle validating
an OCSP response that is not signed by the CA who issued the certificate that
we are requesting the OCSP status for but rather, the OCSP response is signed
by a self-signed trusted responder that includes the OCSP