Tags: itext, digital-signature, x509, digital-certificate, ocsp

PDF Reader revocation tab doesn't show OCSP response


Why doesn't PDF Reader show the embedded OCSP response?

I haven't even used crlClient:

import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.MakeSignature;

// crlList is null: no CRL client is supplied, only the OCSP client and the TSA client
MakeSignature.signDetached(sap, new BouncyCastleDigest(), es, chain, null, ocspClient, tsClient, 0, MakeSignature.CryptoStandard.CMS);
// chain[0] - signer certificate
// chain[1] - OperCA certificate (signer's issuer)
// chain[2] - RootCA (OperCA's issuer)

The PDF revocation tab details show:

The selected certificate is considered valid because it does not appear in the Certificate Revocation List (CRL) that is contained in the local cache.

The CRL was signed by "B-Trust Operational CA QES <[hidden email]>" on 2014/02/19 07:53:35 +02'00' and is valid until 2014/03/21 07:53:35 +02'00'.

I want to achieve Figure 3.8, "A digital signature with an embedded OCSP response", from Bruno Lowagie's free white paper.

What do I do wrong or miss?

Here are the certification path and the sample PDF.

Best Regards, Valentino


Solution

  • The actual issue is that even when the PDF has only an OCSP response embedded, Acrobat Reader doesn't show it, but shows the local CRL instead.

    This is caused by an OCSP certificate that does not conform to RFC 6960 or RFC 2560.

    Wrong OCSP certificate path:

    Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
    Root CA -> OCSP

    Right OCSP certification path:

    Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
               Operational CA -> OCSP
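Added example, not part of the question or the answer: a small Python model of the RFC 6960 section 4.2.2.2 rule that decides which key may sign an OCSP response for a given certificate, run against the two responder paths from the answer. The Cert class and the names "Root CA", "Operational CA", "OCSP" and "signer" are constructed stand-ins, not parsed certificates.

```python
# Added example: models the RFC 6960 section 4.2.2.2 rule on who may sign an OCSP
# response about a certificate. Constructed data, not real X.509 certificates.
from dataclasses import dataclass, field

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    eku: frozenset = field(default_factory=frozenset)


def responder_authorized(target: Cert, responder: Cert, trusted_responders=()) -> str:
    """Return 'ok: ...' if `responder` may sign an OCSP response about `target`,
    otherwise 'reject: ...' with the reason."""
    # Case 1: the response is signed by the CA that issued the target certificate.
    if responder.subject == target.issuer:
        return "ok: signed by the issuing CA itself"
    # Case 2: a responder the verifier explicitly trusts through local configuration.
    if responder.subject in trusted_responders:
        return "ok: locally configured trusted responder"
    # Case 3: delegated responder. Its certificate must be issued *directly* by the
    # CA that issued the target, and must carry the id-kp-OCSPSigning EKU.
    if responder.issuer != target.issuer:
        return (f"reject: responder certificate issued by '{responder.issuer}', "
                f"but the target was issued by '{target.issuer}'")
    if OCSP_SIGNING_EKU not in responder.eku:
        return "reject: delegated responder lacks the id-kp-OCSPSigning EKU"
    return "ok: delegated responder authorized by the issuing CA"


# Constructed chain mirroring the question: Root CA -> Operational CA -> signer.
signer = Cert("signer", "Operational CA")
# Wrong path from the answer: the responder certificate is issued by the Root CA.
wrong_responder = Cert("OCSP", "Root CA", frozenset({OCSP_SIGNING_EKU}))
# Right path from the answer: the responder certificate is issued by the Operational CA.
right_responder = Cert("OCSP", "Operational CA", frozenset({OCSP_SIGNING_EKU}))

if __name__ == "__main__":
    print(responder_authorized(signer, wrong_responder))  # reject: ...
    print(responder_authorized(signer, right_responder))  # ok: ...
```

A validator that applies this rule treats the Root-CA-issued responder as unauthorized for certificates issued by the Operational CA, which is consistent with Reader ignoring the embedded response and falling back to its cached CRL.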