Hi Dmitrij,

what you are saying is true, however there is a small trick you can use.
If you have the same keypair certified by all the CAs you want to support
and add the certificates to the response that should work, but I have not
tested it yet.

For sure the new version will have more explicit support for multiple CA
certificates key/pairs.

Ciao,
Max


Dmitrij Mironov wrote:
Hi all,

I've been using OpenCA OCSPD for about 2 years. Everything was ok (except useless logs), but now I found that I can't conform to RFC2560 with that responder.

As stated in 4.2.2.2 of RFC2560 - OCSP responder's "... certificate MUST be issued directly by the CA that issued the certificate in question." That means the OCSP responder must know how to handle several of its own keys and certificates if it is configured to work in a multi CA configuration.

OpenCA OCSPD v1.5.1 is able to work in a multi CA configuration, but I do not see any possibility to configure it in accordance with the mentioned RFC2560 requirement. Is it a missing feature, a bug, or do I need to RTFM?

Regards,
Dmitrij
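
The requirement discussed in this thread, as an added example that is not part of either message and is not OpenCA OCSPD code: a multi-CA responder picks, per request, the signer certificate issued by the CA named in the request's CertID hashes. All class and function names are hypothetical, the byte strings are constructed stand-ins for DER data, and issuance is checked by name only (a real responder also verifies the CA's signature on the signer certificate).

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class CA:
    subject_der: bytes   # DER of the CA subject name (constructed bytes here)
    key_bits: bytes      # CA public key bytes, as hashed into issuerKeyHash

@dataclass(frozen=True)
class SignerCert:
    label: str
    issuer_der: bytes    # issuer name found in the responder certificate
    ocsp_signing: bool   # carries the id-kp-OCSPSigning extended key usage

def cert_id(ca, alg="sha1"):
    """(issuerNameHash, issuerKeyHash) as carried in an OCSP CertID."""
    return (hashlib.new(alg, ca.subject_der).digest(),
            hashlib.new(alg, ca.key_bits).digest())

def build_index(pairs, alg="sha1"):
    """Map CertID hashes to a signer; refuse signers not issued by that CA."""
    index = {}
    for ca, signer in pairs:
        if signer.issuer_der != ca.subject_der or not signer.ocsp_signing:
            raise ValueError(f"{signer.label}: not a delegated responder for this CA")
        index[cert_id(ca, alg)] = signer
    return index

def select_signer(index, name_hash, key_hash):
    """Signer for a request, or None when no configured CA matches."""
    return index.get((name_hash, key_hash))

# Constructed sample data, not real certificates.
CA_A = CA(b"CN=Example CA A", b"\x01" * 32)
CA_B = CA(b"CN=Example CA B", b"\x02" * 32)
SIGNER_A = SignerCert("ocsp-signer-a", CA_A.subject_der, True)
SIGNER_B = SignerCert("ocsp-signer-b", CA_B.subject_der, True)
INDEX = build_index([(CA_A, SIGNER_A), (CA_B, SIGNER_B)])
```

With the same key pair certified by every CA, as suggested in the reply, each `SignerCert` would wrap the same key and only the certificate attached to the response would differ.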
