due to the flag OCSP_NOCHECKS. This can lead to confusion. For example: $ openssl ocsp -no_cert_checks -get "http://www.example.com/OCSPResponse" 1: ----- BEGIN OCSPSig
2: ocsp_base64 encoded signature
3: ..................................................................
4: ----- BEGIN CERTIFICATE
5: MIIEwjCCA4CAQAwgYkxCzAJBgNVBAYTAkZDSSB8ZW1wdHkoMRAwDgYDVQQDEwtDXN0ZXJuMRowGAYDV
6: CnMCUGA1UEAxMZZGVmdHRlcnN0YXJ0dXHzIERpdmlsZXMgU2VjdXJpdHkgb2YgdGhlcmRvbi8xMS41IExH
7: MIFEVTUyBJbnRlcm5ldCBFRyBBbGFuZzBcbm9ftmVzdGFydHMnIEFhc3dlcnMpIElzIG1vcmUgbW9yZSBudWxs dXJhbCBpbiAyMDEuMAAAAAAAAAAAA==
OCSP_NOCHECKS does not mean the server is not certified. It means that the OCSP has no certificate to check against.
2: ocsp_clr.txt
----- BEGIN CERTIFICATE
----- MIIBkzCCAV2gAwIBAAEGCQDvF1/7r8Z5xRV7wAJ9LH0o+pX9fjy3NhkQeM7WnD5ExuE
----- END CERTIFICATE
----- ----- BEGIN CERTIFICATE
----- MIIDdTCCAa2gAwIBAgIQwvYUYlWzG9QiGdKUHEeajP/Ojwmf+2EIk/tBHbvmMf6TIVElNg
----- END CERTIFICATE
------ ----- BEGIN CERTIFICATE
------ MIIDdTCCAa2="AwIBAgIQwvYUYlWzG9QiGdKUHEeajP/Ojwmf+2EIk/tBHbvmMf6TIVElNg"
------ END CERTIFICATE
OCSP Response
This can be confusing. "OCSP response" is a term used to refer to the challenge that is sent back after a certificate has been revoked. So, in this example, "OCSP response" is actually the challenge that is being sent back from the server.
Remotely obtained OCSP response from upstream
OCSP responses are normally obtained from the issuing certificate authority. The OCSP response is checked locally to ensure that it has not been revoked and then sent to the requesting party. If a remote OCSP response was received, this means it was obtained using some form of man-in-the-middle attack, where an attacker either intercepted the communication between the browser or server and the issuing certificate authority or digitally signed a message without displaying any identifying information.
2: OCSPResponse ----- BEGIN OCSPSig
Timeline
Published on: 05/03/2022 16:15:00 UTC
Last modified on: 06/02/2022 20:15:00 UTC