views:

37

answers:

0

I'm using apache to validate the certificate revocation on multiple client certificates.

Many of the certificates are under different CA hierarchies. Normally this situation is handled by the OCSP AIA location. However, one of the constraints is that some of the certs do not have OCSP AIA locations in their extensions. Therefore in Apache's nss.conf, the "NSSOCSPDefaultResponder" is set to "on" with an NSSOCSPDefaultURL URL to handle the missing certificate extensions.

Setting this parameter pretty much overrides any existing aia locations in other certificates. Boo.

Are there any tricks to conditionally choose between looking at the cert and defaulting back to the nss.conf value? I have a feeling this isn't happening...

Also I'm in sort of the same boat with Tomcat if anyone has any ideas.

Thanks,

PR
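A first step for an admin in this situation is an inventory of which client certificates actually carry an OCSP URI in their AIA extension, since those are exactly the ones that a global NSSOCSPDefaultURL overrides. The following is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or later on PATH and uses a constructed placeholder responder URL.

```shell
#!/bin/sh
# Added example: list which PEM client certificates lack an OCSP AIA URI,
# i.e. the ones that can only be checked via a default responder.
# Assumption: OpenSSL 1.1.1+ (for -ocsp_uri and -addext) is on PATH.
set -e

# Print the OCSP URI(s) from a PEM certificate's AIA extension, or nothing.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null || true
}

# Walk a directory of .pem certs and print the basenames of those that
# have no OCSP entry in their AIA extension.
certs_without_ocsp_aia() {
    for f in "$1"/*.pem; do
        [ -n "$(ocsp_uri_of "$f")" ] || basename "$f"
    done
}

# Constructed sample data: two self-signed certs in a temp dir, one with an
# AIA OCSP URI (placeholder URL, not a real responder) and one without.
make_samples() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=with-aia" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$dir/with-aia.key" -out "$dir/with-aia.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=no-aia" \
        -keyout "$dir/no-aia.key" -out "$dir/no-aia.pem" 2>/dev/null
    echo "$dir"
}
```

Running `certs_without_ocsp_aia /path/to/client-certs` against the real certificate directory shows how many certs genuinely need the default responder before deciding whether to turn it on for everyone.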