Because the /ca/ocsp endpoint is now servicing all lightweight CAs, we must inspect the request and look up the right OCSP issuer to use. Sort of like "virtual hosts" for OCSP :)
If an OCSP request contains requests for multiple certificates from different issuers, we should return "unknown" for all certificates that were NOT issued by the chosen CA.
The heuristic for choosing the CA shall be to use the issuer identified in the FIRST request in the requestList.
Pushed to master:
Metadata Update from @ftweedal: - Issue set to the milestone: 10.3.0.a2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2350
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.