Closed Bug 1425998 Opened 6 years ago Closed 6 years ago

Certinomis / Docapost: Non-BR-Compliant OCSP Responders

Categories

(CA Program :: CA Certificate Compliance, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: franck.leroy, NeedInfo)

Details

(Whiteboard: [ca-compliance] [ocsp-failure])

The OCSP responder for the Easy CA intermediate is returning a good response for an invalid serial number as reported here: https://crt.sh/ocsp-responders?randomserial=Good&trustedBy=Mozilla&trustedFor=Server%20Authentication&trustedExclude=constrained,expired,onecrl&randomserial=Good&sort=2&dir=v

As per section 4.9.10 of the BRs, OCSP responders MUST NOT respond with a “good” status for unissued certificates. The effective date for this requirement was 2013-08-01.

Please provide an incident report in this bug, as described here:
https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report
Flags: needinfo?(franck.leroy)
Assignee: kwilson → franck.leroy
Whiteboard: [ca-compliance]
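The crt.sh report linked above works by asking each responder about a serial number the CA never issued. The script below is an added example of that probe, not code from the bug report or from Certinomis/Docapost. Its DER helpers are a hand-rolled minimum of RFC 6960, NAME_HASH and KEY_HASH are constructed stand-ins for the real issuer hashes, and build_response() fabricates responder output (with a dummy signature) so the checker can be exercised offline. Signature verification is deliberately out of scope: a real client verifies the BasicOCSPResponse signature before trusting any status in it.

```python
"""Probe an OCSP responder with a random, never-issued serial and check that it
does not answer "good" (CA/Browser Forum BRs, section 4.9.10).

Added example, not code from the bug report or from Certinomis/Docapost.  The
DER helpers are a hand-rolled minimum of RFC 6960; NAME_HASH/KEY_HASH and the
responses built by build_response() are constructed stand-ins, not real CA
data.  Signature checking is out of scope here.
"""
import hashlib
import os
import urllib.request

# --- minimal DER encoding ---------------------------------------------------

def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

SHA1_OID = bytes.fromhex("06052b0e03021a")                 # 1.3.14.3.2.26
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
OCSP_BASIC_OID = bytes.fromhex("06092b0601050507300101")   # 1.3.6.1.5.5.7.48.1.1

# Constructed issuer hashes.  Against a real CA these are SHA-1 over the DER
# issuer Name and over the issuer's subjectPublicKey bits (RFC 6960, CertID).
NAME_HASH = hashlib.sha1(b"constructed issuer name").digest()
KEY_HASH = hashlib.sha1(b"constructed issuer key").digest()

def cert_id(name_hash, key_hash, serial):
    alg = tlv(0x30, SHA1_OID + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x04, name_hash) + tlv(0x04, key_hash) + der_int(serial))

def build_request(name_hash, key_hash, serial):
    """OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert CertID } } }."""
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id(name_hash, key_hash, serial)))))

def random_serial():
    """159-bit random value: no realistic chance of matching an issued certificate."""
    return int.from_bytes(os.urandom(20), "big") >> 1

# --- minimal DER decoding ---------------------------------------------------

def read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        length = int.from_bytes(buf[pos + 2:pos + 2 + (first & 0x7F)], "big")
        hdr = 2 + (first & 0x7F)
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

STATUS_NAMES = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags

def single_responses(response_der):
    """(serial, status) for every SingleResponse in a successful OCSPResponse."""
    fields = children(read_tlv(response_der)[1])
    if fields[0][1] != b"\x00":                                # responseStatus != successful
        return []
    response_bytes = children(children(fields[1][1])[0][1])   # [0] EXPLICIT -> ResponseBytes fields
    basic = children(read_tlv(response_bytes[1][1])[1])       # OCTET STRING holds BasicOCSPResponse
    tbs = children(basic[0][1])
    idx = 1 if tbs[0][0] == 0xA0 else 0                        # skip optional [0] version
    responses = children(tbs[idx + 2][1])                      # responderID, producedAt, responses
    out = []
    for _, single in responses:
        (_, cid), (status_tag, _), *_ = children(single)
        serial = int.from_bytes(children(cid)[3][1], "big", signed=True)
        out.append((serial, STATUS_NAMES.get(status_tag, "malformed")))
    return out

def classify(response_der, probed_serial):
    """Return (status, compliant): "good" for a serial the CA never issued fails BR 4.9.10."""
    for serial, status in single_responses(response_der):
        if serial == probed_serial:
            return status, status != "good"
    return "missing", True      # no answer for that serial at all: not a "good", but worth logging

def probe(responder_url, name_hash, key_hash):
    """Live check (needs network, not run here): POST a random-serial request and classify it."""
    serial = random_serial()
    req = urllib.request.Request(responder_url, data=build_request(name_hash, key_hash, serial),
                                 headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return serial, classify(resp.read(), serial)

def build_response(name_hash, key_hash, serial, status_tag):
    """Constructed responder output (dummy signature) so the checker runs offline."""
    now = tlv(0x18, b"20171219120000Z")
    single = tlv(0x30, cert_id(name_hash, key_hash, serial) + tlv(status_tag, b"") + now)
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, key_hash)) + now + tlv(0x30, single))  # responderID byKey
    basic = tlv(0x30, tbs + tlv(0x30, SHA256_RSA_OID + b"\x05\x00") + tlv(0x03, b"\x00" * 33))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, OCSP_BASIC_OID + tlv(0x04, basic))))

if __name__ == "__main__":
    serial = random_serial()
    for tag in (0x80, 0x82):   # "non existing is good" misconfiguration vs. a compliant "unknown"
        print(hex(tag), classify(build_response(NAME_HASH, KEY_HASH, serial, tag), serial))
```

Against a live responder, `probe()` does what crt.sh does: a responder that returns `("good", False)` for the random serial is the condition this bug describes. The same check as a one-liner, given the issuer certificate in PEM, is `openssl ocsp -issuer issuer.pem -serial 0x<random hex> -url http://<responder> -resp_text`; a compliant responder answers `unknown` (or `revoked`), never `good`.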
Hello

Due to an overload on the OCSP server on December 12th, the requests have been routed to a more powerful server.

Unfortunately there is a misconfiguration on this server (the property "Non existing is good" is checked).

So I reverted back to the old server today, and we will update the new server by January (a database synchronization with the CA-DB is needed to remove this property).

The impact is that the OCSP server performance may be degraded in the meantime.

Best regards
Franck Leroy
The crt.sh report indicates that this problem has been fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: Certinomis/Docapost: Non-BR-Compliant OCSP Responders → Certinomis / Docapost: Non-BR-Compliant OCSP Responders
Whiteboard: [ca-compliance] → [ca-compliance] [ocsp-failure]