Say that a certificate chain is structured like this:

server certificate -> intermediate certificate -> self-signed root certificate

and that the server is presented with the certificates in this fashion:

tlsCertificateKeyFile: server certificate -> intermediate certificate
tlsCAFile: self-signed root certificate
The server is unable to staple an OCSP response because it cannot build the chain: the intermediate certificate is loaded into a different structure, not the X509 store of the SSL_CTX object, so a lookup through the store alone never finds the issuer of the server certificate. We need to fetch the intermediate certificate from the internal OpenSSL object that holds it and build the chain from there when we start the OCSP stapling process.
- is duplicated by SERVER-55074: Add warning message to OCSP Fetcher when it is unable to staple a response (Closed)