Yes is exactly the situation. With your explanation I'm wrong about the CA part. it's the reason why you don't understand what I say.
I will redeploy my certificate. Thank you very much for your help. Adrien FAVERAUX Ingénieur Système, Réseau et Sécurité BRAIN NETWORKS Mobile : 06 33 96 80 89 Mail : [email protected] -----Message d'origine----- De : Martin Bartosch <[email protected]> Envoyé : jeudi 27 septembre 2018 13:04 À : [email protected] Objet : Re: [OpenXPKI-users] Add/Modify OCSP On the CA Hi, > I forget to set the OCSP extension and I have deployed 300 certificate, the > CRL don’t work with the browser and I want to setup this functionality. > > Regenerate 300 certificate is a really hard thing to do > > So , I want to setup the OCSP value directly on the public part of the CA. > Like comodo CA certificate. > > It is possible to regenerate the public part of the CA certificate to > add the OCSP extension without invalidating all previously generated > certificates? this was also discussed in https://github.com/openxpki/openxpki/issues/665 - discussion continues here. I am afraid I may not yet fully understand the problem. Let me paraphrase what I understood, so we get a common understanding. You have issued a larger number of end entity certificates but forgot the OCSP AIA extension in the EE profile which specifies where to find the OCSP responder responsible for validating these end entity certificates? If so, you have to re-issue all these end entity certificates. My recommendation is to revoke all certificates, raise new requests and re-issue. Anything else is calling for trouble. I still don’t get the part with the CA certificate, though. Why do you want to modify/re-issue the CA certificate if you have a problem with the EE certs? For clarification: the OCSP AIA within any given certificate points a relying party to the OCSP service responsible for verifying this particular certificate. Cheers Martin _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
