It's not "my" certificate exactly -- it's IBM's. I will paste it below.
I don't have an OCSP server; I would guess that System SSL is querying DigiCert's from the AIA: http://ocsp.digicert.com.

I am not sure which DigiCert certificate signs the OCSP response but the DigiCert intermediate referenced in the end-entity certificate as the OCSP issuer (DigiCert TLS RSA SHA256 2020 CA1) has

    keyUsage <CRITICAL>
      Digital signature
      Certificate signature
      CRL signature
    extKeyUsage
      Server authentication
      Client authentication
    basicConstraints <CRITICAL>
      Certificate Authority: TRUE
      Path length constraint 0

Here is the end-entity certificate:

    Serial Number: 04F4061646AA7287A997DE4E74D1FD9D
    Version: 3
    Subject: CN=public.dhe.ibm.com, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US
    Issuer: CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
    Algorithms:
      Signature: sha256WithRsaEncryption
      Signature Enum: 0401
      Public key: rsaEncryption
      Key length: 2048
      Key strength: High
    Validity:
      Not before: 2023-02-07T00:00:00
      Not after: 2024-03-06T23:59:59
      Certificate expires in 161 days
    Extensions:
      authorityKeyIdentifier
        Key Identifier: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
      subjectKeyIdentifier
        Key Identifier: B5127AD8A4B144012021763B4DE6A05EB25C9A63
      subjectAltName
        public.dhe.ibm.com (DNS Name)
      keyUsage <CRITICAL>
        Digital signature
        Non-repudiation
        Key encipherment
        Data encipherment
      extKeyUsage
        Server authentication
        Client authentication
      crlDistributionPoints
      certificatePolicies
        Policy: Certificates issued in accordance with the CA/Browser Forum's Baseline Requirements - Organization identity asserted
        Qualifier identifier: Public-Key Infrastructure using X.509 (PKIX) Certificate Practice Statement (CPS) pointer qualifier
        161B687474703A2F2F7777772E64696769636572742E636F6D2F435053
      authorityInfoAccess
        Access method: Online Certificate Status Protocol (OCSP)
        http://ocsp.digicert.com (URI)
        Access method: Certificate authority issuers
        http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt (URI)
      basicConstraints
        Certificate Authority: FALSE
      unknown format Rec.ITU-T X.509v3 certificate extension
    SHA-256 Fingerprint: 83:B7:A8:BF:69:18:BF:6A:3A:74:A7:1D:08:01:D3:7F:
                         28:53:7B:34:18:A4:32:1B:62:9F:B5:A2:84:8C:E6:39

Charles

On Fri, 29 Sep 2023 11:04:17 +0100, Colin Paice <[email protected]> wrote:

>Charles,
>What AIA info does your certificate have, for example authorityInfoAccess
>= OCSP;URI:http://10.1.0.2:2000
>
>Is your OCSP server running with the URL in the AIA info?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
