000024658 - Expired certificate returns Good with OCSP client

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000024658
Applies To: Keon Certificate Authority 6.5.1; OCSP Client; OCSP (Online Certificate Status Protocol)
Issue: Expired certificate returns Good with OCSP client
Resolution: The OCSP client is working properly. If you look at the actual RFC (http://www.ietf.org/rfc/rfc2560.txt) you will see that "good" does not necessarily mean the certificate exists or is currently valid; "good" only means the certificate is not on the CRL. This is considered acceptable because the relying application is expected to verify the signature (to ensure it is a genuine certificate from the CA) and the validity period before asking OCSP for the status. Microsoft applications and others do this. The relevant text from RFC 2560 is quoted below:

This specification defines the following definitive response indicators for use in the certificate status value:
  -- good
  -- revoked
  -- unknown
The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval.
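The following is an added example, not part of the RSA article, that models the RFC 2560 semantics quoted above: the responder answers "good" for any serial that is not on its revocation list (even an expired or never-issued one), and the relying party must check the signature and validity period itself before it can rely on that answer. The HMAC "signature" and the constructed CA key, serials and dates are stand-ins for real X.509 machinery, chosen only to keep the example self-contained.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime
    signature: bytes  # stand-in for the issuer's X.509 signature (assumption)

def sign(issuer_key: bytes, serial: int, nb: datetime, na: datetime) -> bytes:
    # HMAC over the certificate fields stands in for the CA signing the
    # TBSCertificate; a real client would verify an RSA/ECDSA signature.
    msg = f"{serial}|{nb.isoformat()}|{na.isoformat()}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).digest()

def issue(issuer_key: bytes, serial: int, nb: datetime, na: datetime) -> Cert:
    return Cert(serial, nb, na, sign(issuer_key, serial, nb, na))

def ocsp_status(revoked_serials: set, serial: int) -> str:
    # RFC 2560 responder semantics: "good" means only "not revoked".
    # An expired serial, or one the CA never issued, still gets "good"
    # unless it appears on the revocation list.
    return "revoked" if serial in revoked_serials else "good"

def relying_party_accepts(cert: Cert, issuer_key: bytes,
                          revoked_serials: set, now: datetime) -> bool:
    # 1. Signature: is this really a certificate issued by our CA?
    expected = sign(issuer_key, cert.serial, cert.not_before, cert.not_after)
    if not hmac.compare_digest(expected, cert.signature):
        return False
    # 2. Validity period: OCSP will not do this check for us.
    if not (cert.not_before <= now <= cert.not_after):
        return False
    # 3. Only now is the OCSP answer meaningful.
    return ocsp_status(revoked_serials, cert.serial) == "good"

# Constructed sample data: one expired cert, one current cert, one forgery.
CA_KEY = b"constructed-ca-key"
NOW = datetime(2016, 6, 16, tzinfo=timezone.utc)
EXPIRED = issue(CA_KEY, 1, NOW - timedelta(days=400), NOW - timedelta(days=35))
CURRENT = issue(CA_KEY, 2, NOW - timedelta(days=1), NOW + timedelta(days=364))
FORGED = Cert(CURRENT.serial, CURRENT.not_before, CURRENT.not_after, b"\x00" * 32)

if __name__ == "__main__":
    print("OCSP says:", ocsp_status(set(), EXPIRED.serial))          # good
    print("relying party:", relying_party_accepts(EXPIRED, CA_KEY, set(), NOW))  # False
```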
Legacy Article ID: a35271