
CA/Required or Recommended Practices

403 bytes added, 04:40, 7 July 2010
OCSP Error codes sec_error_ocsp_bad_http_response & sec_error_ocsp_invalid_signing_cert
** Please read section 4.2.2.2 "Authorized Responders" on pages 10-11 of RFC 2560. CAs that issue certificates for the general public must use a configuration that conforms to either rule 2 or rule 3. NSS also supports rule 1, but it requires manually configuring Firefox to set the [[CA:OCSP-TrustedResponder|trusted OCSP responder]]. This makes that choice relevant only when the Firefox installation is part of a centralized deployment where a local OCSP responder has been set up to send back OCSP responses for all the CAs that are locally trusted. The IETF pkix group that authored RFC 2560 has confirmed that rule 1 is intended to cover such situations and not public deployments.
* Error code: sec_error_ocsp_bad_http_response
** That error message appears because the HTTP response from the OCSP responder had some result code other than 200.
** The HTTP 200 response to the OCSP request could not be decoded.
* Error code: sec_error_ocsp_invalid_signing_cert
** The OCSP response signer's certificate was issued by the CA that issued the certificate whose status is being checked, but the response signer's certificate does not bear an ExtendedKeyUsage extension with the OCSP Responder OID, or
** The OCSP response signer's certificate chain does not validate (e.g. expired, bad signature, etc.), or
** The trusted OCSP Responder Signing cert has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate. See [[CA:Problematic_Practices#OCSP_Responses_signed_by_a_certificate_under_a_different_root|Potentially Problematic Practices]].
* Error code: sec_error_bad_database
** The OCSP response gives a cert subject name to identify its signer's certificate, but no certificate by that name can be found -- not in the response, not in the database, and not in the cert chain of the certificate whose status is being checked. See [https://bugzilla.mozilla.org/show_bug.cgi?id=560091 this bugzilla bug] for more details.
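The following script is an added illustration, not text or code from this wiki page or from NSS: it models the two checks behind the error codes above, the HTTP transport check (status 200 and a decodable outer OCSPResponse wrapper) and the RFC 2560 section 4.2.2.2 responder-authorization rules, and returns the NSS error name that each failure maps to. Certificates are simple constructed records with hypothetical names; the only real parsing is of a DER ExtendedKeyUsage value, where the id-kp-OCSPSigning purpose required for a delegated responder (rule 3) is looked for.

```python
"""Added example, not from the Mozilla wiki page: model the checks behind
sec_error_ocsp_bad_http_response and sec_error_ocsp_invalid_signing_cert.
Certificate records are constructed; only the EKU value is real DER."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # OCSP Responder OID (RFC 2560 / RFC 5280)
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:            # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_eku_oids(der: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER).
    Only short-form lengths (< 128 bytes) are handled, which covers real EKU values."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or 2 + der[1] != len(der):
        raise ValueError("expected a short-form DER SEQUENCE covering the whole input")
    pos, end, oids = 2, len(der), []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids


@dataclass
class Cert:
    """Minimal certificate model (constructed for this example)."""
    subject: str
    issuer: str
    eku_der: Optional[bytes] = None   # raw ExtendedKeyUsage value, if the cert has one
    chain_valid: bool = True          # outcome of ordinary path validation (expiry, signature)


def check_http_transport(status_code: int, body: bytes) -> str:
    """Transport check behind sec_error_ocsp_bad_http_response: the HTTP status must
    be 200 and the body must decode at least as the outer
    OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, ... } wrapper."""
    if status_code != 200:
        return "sec_error_ocsp_bad_http_response"
    # 0x30 = SEQUENCE tag, 0x0A = ENUMERATED tag, length 1 for responseStatus
    if len(body) < 5 or body[0] != 0x30 or body[2] != 0x0A or body[3] != 0x01:
        return "sec_error_ocsp_bad_http_response"
    return "ok"


def classify_ocsp_signer(signer: Cert, status_cert: Cert,
                         trusted_responders: FrozenSet[str] = frozenset()) -> str:
    """Return "ok" when the signer satisfies one of the three RFC 2560 section 4.2.2.2
    rules, otherwise the NSS error name:
      rule 1: signer is a locally configured trusted responder (manual Firefox setup);
      rule 2: signer is the CA that issued the certificate being checked;
      rule 3: signer was issued by that CA and carries id-kp-OCSPSigning in its EKU."""
    if not signer.chain_valid:                       # expired, bad signature, ...
        return "sec_error_ocsp_invalid_signing_cert"
    if signer.subject in trusted_responders:         # rule 1
        return "ok"
    if signer.subject == status_cert.issuer:         # rule 2
        return "ok"
    if signer.issuer == status_cert.issuer:          # rule 3 candidate
        purposes = der_eku_oids(signer.eku_der) if signer.eku_der else []
        if ID_KP_OCSP_SIGNING in purposes:
            return "ok"
    # Signer under a different root, or delegated without the OCSP Responder OID.
    return "sec_error_ocsp_invalid_signing_cert"


# Constructed DER EKU values: SEQUENCE { OID 1.3.6.1.5.5.7.3.9 } and { OID 1.3.6.1.5.5.7.3.1 }
EKU_OCSP_SIGNING = bytes.fromhex("300a06082b06010505070309")
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")

ISSUING_CA = "CN=Example Issuing CA"          # hypothetical names throughout
SERVER_CERT = Cert("CN=www.example.test", ISSUING_CA)
DELEGATED_RESPONDER = Cert("CN=Example OCSP Responder", ISSUING_CA, EKU_OCSP_SIGNING)
MIS_ISSUED_RESPONDER = Cert("CN=Example OCSP Responder", ISSUING_CA, EKU_SERVER_AUTH)
OTHER_ROOT_RESPONDER = Cert("CN=Other OCSP Responder", "CN=Other Root", EKU_OCSP_SIGNING)

if __name__ == "__main__":
    for responder in (DELEGATED_RESPONDER, MIS_ISSUED_RESPONDER, OTHER_ROOT_RESPONDER):
        print(responder.subject, "->", classify_ocsp_signer(responder, SERVER_CERT))
    print("HTTP 500 ->", check_http_transport(500, b""))
```

Running the script shows the delegated responder with the OCSP Responder OID passing, the same responder issued with only serverAuth failing with sec_error_ocsp_invalid_signing_cert, and the responder under a different root failing unless its subject is added to the trusted-responder set, which is the manual rule-1 configuration the text says public CAs cannot rely on.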