Hi,

> I forgot to set the OCSP extension and I have deployed 300 certificates; the
> CRL doesn't work with the browser and I want to set up this functionality.
>
> Regenerating 300 certificates is a really hard thing to do.
>
> So, I want to set up the OCSP value directly on the public part of the CA,
> like the Comodo CA certificate.
>
> Is it possible to regenerate the public part of the CA certificate to add the
> OCSP extension without invalidating all previously generated certificates?
This was also discussed in https://github.com/openxpki/openxpki/issues/665 - discussion continues here.

I am afraid I may not yet fully understand the problem. Let me paraphrase what I understood, so we get a common understanding.

You have issued a larger number of end entity certificates but forgot the OCSP AIA extension in the EE profile which specifies where to find the OCSP responder responsible for validating these end entity certificates?

If so, you have to re-issue all these end entity certificates. My recommendation is to revoke all certificates, raise new requests and re-issue. Anything else is calling for trouble.

I still don't get the part with the CA certificate, though. Why do you want to modify/re-issue the CA certificate if you have a problem with the EE certs?

For clarification: the OCSP AIA within any given certificate points a relying party to the OCSP service responsible for verifying this particular certificate.

Cheers
Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
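Before re-issuing, an operator usually wants to know which of the deployed certificates actually lack the OCSP AIA URL. The script below is an added example, not part of this thread or of OpenXPKI: it builds a constructed fixture (a throwaway CA plus one EE certificate with and one without the AIA extension) and audits PEM files with `openssl x509 -ocsp_uri`. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name and the OCSP URL are placeholders.

```shell
#!/bin/sh
# Audit PEM certificates for the OCSP AIA URL that the thread says was forgotten.
# Assumes: openssl >= 1.1.1 on PATH. Fixture names/URLs below are constructed.
set -eu

# Print the OCSP responder URL embedded in one certificate (empty if absent).
ocsp_uri_of() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Report each file as OK (with its URL) or MISSING; return 1 if any is MISSING.
audit_ocsp_aia() {
  rc=0
  for f in "$@"; do
    url=$(ocsp_uri_of "$f")
    if [ -n "$url" ]; then
      echo "OK      $f $url"
    else
      echo "MISSING $f   (re-issue: the AIA lives in the EE cert, not the CA)"
      rc=1
    fi
  done
  return $rc
}

# Build a constructed test set in a temp dir and print its path:
# ca.pem, with-aia.pem (carries the OCSP AIA), without-aia.pem (does not).
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Example Test CA" \
    -days 30 2>/dev/null
  # Extension file as an EE profile would add it (placeholder responder URL).
  printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > "$dir/aia.cnf"
  for name in with-aia without-aia; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    ext=""
    [ "$name" = "with-aia" ] && ext="-extfile $dir/aia.cnf"
    # shellcheck disable=SC2086  # $ext is intentionally word-split
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 30 -out "$dir/$name.pem" $ext 2>/dev/null
  done
  echo "$dir"
}

# Demo: audit the fixture; in production pass the real PEM files instead.
demo_dir=$(make_fixture)
audit_ocsp_aia "$demo_dir"/with-aia.pem "$demo_dir"/without-aia.pem \
  || echo "at least one certificate needs re-issuing"
```

Run it against the deployed certificates with `audit_ocsp_aia /path/to/certs/*.pem`; the MISSING list is the re-issue queue.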
