DigiCert to upgrade its OCSP infrastructure to accommodate all DigiCert brand certificates

Please be advised that the plan to upgrade the OCSP infrastructure has been put on hold for now. We will update this page once we have additional information or an updated timeline.
 

In late May 2018, DigiCert will upgrade its OCSP infrastructure to accommodate certificates issued under the Symantec, Thawte, GeoTrust and RapidSSL brands. Because of this upgrade, some OCSP clients may experience errors instead of a proper OCSP response.

Who is affected?

For the DigiCert OCSP infrastructure to send a client an OCSP response, the HTTP request that carries the OCSP request must include an HTTP Host header (required of every HTTP/1.1 request; see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23). Most modern clients (e.g., web browsers) include the Host header and will not experience any issues due to the upgrade.

Additionally, many software packages include features for requesting OCSP responses. However, if the software is not coded to include an HTTP Host header in its OCSP request when seeking to discover the status of a Symantec, Thawte, GeoTrust, or RapidSSL brand certificate, it will receive an error instead of an OCSP response.

What error will I see?

Clients that do not include an HTTP Host header in their OCSP request will receive an OCSP response whose responseStatus is "unauthorized" (value 6 of OCSPResponseStatus, defined in section 4.2.1 of https://www.rfc-editor.org/rfc/rfc6960.txt) instead of a signed status for the certificate.

What types of certificates will be affected?

DigiCert believes that our Symantec-branded client authentication and S/MIME certificates are the most likely to receive an error when requesting an OCSP response.

Because OCSP requests for SSL/TLS certificates are generally made by web browsers (and web browsers include the host header in their OCSP request), DigiCert believes that our Symantec, Thawte, GeoTrust and RapidSSL branded SSL/TLS certificates will not be affected.

What can I do to address this issue?

Reconfigure or upgrade the client software

  1. Determine what client software is used to make the OCSP request (for example, the library your application delegates certificate validation to).

  2. Investigate whether the client software can include the HTTP Host header. Capturing one request on the wire, or in a proxy log, shows whether a Host: line is present.

    1. In some cases, a simple configuration change might be adequate.

    2. In other cases, you may need to upgrade to a later version of the client software.

Use an outbound proxy server

Another option is to route OCSP requests through an outbound proxy server that adds the HTTP Host header (set to the responder's host name from the certificate's AIA OCSP URL) to requests that lack it.
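The request shape the upgraded responder expects, the Host-header check from the reconfiguration steps above, and the "unauthorized" status described under "What error will I see?", as an added Python example that is not DigiCert's code or tooling. The responder URL, the two-byte stand-in for the DER OCSP request, the hostless request and the unauthorized response bytes are constructed for the example; a real OCSPRequest is built from the certificate's issuer hashes and serial number, which this stdlib-only example does not do.

```python
"""Added example (not DigiCert's code): what an OCSP-over-HTTP request looks like with
the Host header set, a check for captured requests that lack it, and how the
'unauthorized' responseStatus is encoded in the OCSPResponse that comes back."""
import base64
import urllib.parse

# OCSPResponseStatus values, RFC 6960 section 4.2.1 (value 4 is unused).
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# Constructed stand-in for a DER-encoded OCSPRequest (a real one carries the issuer
# name hash, issuer key hash and serial number of the certificate being checked).
CONSTRUCTED_DER_REQUEST = bytes.fromhex("3000")

# Assumed responder URL; in practice it comes from the certificate's AIA extension.
ASSUMED_RESPONDER_URL = "http://ocsp.example.net:8080/"


def build_ocsp_http_request(responder_url, der_request, method="POST"):
    """Return the raw HTTP/1.1 bytes for an OCSP query (RFC 6960 Appendix A.1).

    The Host header is derived from the responder URL; HTTP/1.1 requires it and the
    upgraded responder answers 'unauthorized' to requests that omit it.
    """
    parts = urllib.parse.urlsplit(responder_url)
    if parts.scheme != "http":
        raise ValueError("OCSP responders are addressed over plain http")
    host = parts.netloc            # host plus :port when the URL carries one
    path = parts.path or "/"
    if method == "POST":
        head = (
            f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/ocsp-request\r\n"
            f"Content-Length: {len(der_request)}\r\n"
            "\r\n"
        )
        return head.encode("ascii") + der_request
    if method == "GET":
        # GET form: base64 of the DER request, URL-encoded, appended to the path.
        encoded = urllib.parse.quote(base64.b64encode(der_request).decode("ascii"), safe="")
        head = f"GET {path.rstrip('/')}/{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n"
        return head.encode("ascii")
    raise ValueError(f"unsupported method {method!r}")


def has_host_header(raw_http_request):
    """Troubleshooting check for a captured request: is a Host header present?

    Header field names are case-insensitive, so 'HOST:' and 'host:' both count.
    """
    head = raw_http_request.split(b"\r\n\r\n", 1)[0]
    return any(line.lower().startswith(b"host:") for line in head.split(b"\r\n")[1:])


def _read_der_header(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:              # long form: low bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_ocsp_response_status(der_response):
    """Decode responseStatus from a DER OCSPResponse:

        OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus,
                                    responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }

    Only the status is decoded; an error status carries no responseBytes at all.
    """
    tag, start, _ = _read_der_header(der_response, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must start with a SEQUENCE")
    tag, vstart, vend = _read_der_header(der_response, start)
    if tag != 0x0A or vend - vstart != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = der_response[vstart]
    return code, OCSP_RESPONSE_STATUS.get(code, f"unknown({code})")


# Constructed response bytes: SEQUENCE { ENUMERATED 6 }, i.e. the bare 'unauthorized'
# answer a responder returns when it will not serve the request.
CONSTRUCTED_UNAUTHORIZED_RESPONSE = bytes.fromhex("3003 0a01 06")

# Constructed request with no Host header (HTTP/1.0 style), as an old client would send.
CONSTRUCTED_HOSTLESS_REQUEST = (
    b"POST / HTTP/1.0\r\nContent-Type: application/ocsp-request\r\n"
    b"Content-Length: 2\r\n\r\n" + CONSTRUCTED_DER_REQUEST
)

if __name__ == "__main__":
    good = build_ocsp_http_request(ASSUMED_RESPONDER_URL, CONSTRUCTED_DER_REQUEST)
    print(good.split(b"\r\n\r\n", 1)[0].decode())
    print("has Host header:", has_host_header(good), has_host_header(CONSTRUCTED_HOSTLESS_REQUEST))
    print("status:", parse_ocsp_response_status(CONSTRUCTED_UNAUTHORIZED_RESPONSE))
```

A proxy that repairs requests from an old client would insert a Host: line carrying exactly the value build_ocsp_http_request derives from the responder URL; has_host_header is the check to run over a captured request before and after such a proxy to confirm the header is there.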

OpenSSL

In OpenSSL 1.1.0 and above, the openssl ocsp command always sets the Host header (taken from the responder URL), so OCSP checks succeed without further configuration.

If you are not using OpenSSL 1.1.0 or later, consider upgrading to a newer version.

Troubleshooting

Items to note when troubleshooting an "unauthorized" error from an openssl ocsp request:

  • Requests that use HTTP/1.0 and carry no Host header will not be successful.

  • OpenSSL 0.9.8zh does not set the Host header, so its OCSP checks will fail.

Workaround:

Add the "-header" argument to the request so that the Host header is sent explicitly. Its value should be the host name of the responder being queried (the host part of the OCSP URL in the certificate's AIA extension); the example below queries a responder on localhost while presenting test.com as the Host header, which only makes sense in a test setup.

openssl ocsp -issuer issuer.pem -cert ee.pem -CA root.pem -url http://localhost:8081 -CAfile ca_bundle.pem -text -header HOST=test.com

Note that the name=value form shown is the syntax of OpenSSL 1.1.0 and later, where the Host header is already set automatically. Older releases that accept -header take the header name and value as two separate arguments:

openssl ocsp -issuer issuer.pem -cert ee.pem -CA root.pem -url http://localhost:8081 -CAfile ca_bundle.pem -text -header Host test.com