I noticed when we turn SSLOCSPEnable on, mod_ssl tries to validate the entire 
certificate chain using OCSP (as the docs already clearly state). Consider the 
following scenario:

Root CA > Intermediate CA > Client 1
Client 1 OCSP response "good", Intermediate CA has no OCSP URI, validation 
fails and apache complains.

When using openssl cmd line I can request validation on *just* the client 
certificate without having a second implicit OCSP request made on the 
Intermediate CA.

It seems this is done on purpose, but I want to understand better why? Also is 
it controllable (meaning tell apache only make the OCSP request on the client 

Any input would be appreciated.


Reply via email to