Markus P. Beckhaus
2018-09-05 14:44:33 UTC
Dear all,
I have set up strongswan to use OCSP as well as CRLs. Both parts are running fine and are reporting certificates as valid.
However, I do have one issue with OCSP checking and that is the abovementioned message "no signer certificate".
I can add our OCSP signer certificate to /etc/ipsec.d/ocspcerts, but in our case the OCSP signer cert is being renewed in very short intervals, because the signer cert contains the id-pkix-ocsp-nocheck extension.
Any idea how to solve this?
Best Regards
--
Markus P. Beckhaus
beckhaus consulting
Hunsrückstr. 11
55129 Mainz
+49 6131 9073851
+49 171 7945977