Blog | G5 Cyber Security

OCSP Response from SubCA: Is it Valid?

TL;DR

Yes, an OCSP (Online Certificate Status Protocol) response can be issued by a subordinate CA (SubCA) of the Root CA that originally issued the certificate. This is perfectly normal and expected behaviour in most Public Key Infrastructure (PKI) setups.

Understanding the Roles

Before we dive into why, let’s quickly recap:

Why a SubCA Issues OCSP Responses

Root CAs generally don’t issue OCSP responses directly for security reasons. They are kept offline as much as possible to protect their private keys. Instead:

  1. Delegation: The Root CA delegates the responsibility of issuing OCSP responses to one or more SubCAs.
  2. Scalability: It’s more practical for a SubCA to handle the high volume of OCSP requests than the Root CA.
  3. Flexibility: Allows for regional or departmental control over certificate status.

How it Works

When a browser (or other application) checks a certificate’s validity, it typically does these things:

  1. Checks the Certificate Chain: Verifies that the certificate is signed by a trusted CA (ultimately tracing back to a Root CA).
  2. OCSP Stapling or OCSP Request: Attempts to get an OCSP response.
  3. Response Verification: If an OCSP response is received, it’s checked to see if the certificate has been revoked. If the OCSP response comes from a SubCA, the browser will:
     1. Verify the SubCA Certificate: Ensure that the OCSP responder’s certificate is valid and signed by a trusted Root CA. This confirms the SubCA is authorized to issue responses for certificates it has signed.
     2. Trust the Response: If the SubCA certificate checks out, the browser trusts the revocation information in the OCSP response.

Checking with OpenSSL

You can use OpenSSL to verify this yourself:

  1. Get the Certificate: Obtain the certificate you want to check together with its issuer’s certificate (e.g., from a website using openssl s_client -connect <website address>:443 -showcerts, which prints the whole served chain).
  2. Find the OCSP URL: The certificate will contain an Authority Information Access (AIA) extension that points to the OCSP responder URL.
  3. Request the OCSP Response: Use OpenSSL to request the response. The issuer’s certificate is required (and -issuer must come before -cert) because the request identifies the certificate by a hash of the issuer’s name and key plus the serial number, and -CAfile supplies the trust anchors the responder’s certificate must chain to:
      openssl ocsp -issuer <issuer certificate file> -cert <certificate file> -url <OCSP URL> -CAfile <trusted root bundle> -resp_text
  4. Examine the Output: The output will show whether the certificate is revoked and, importantly, which CA signed the OCSP response (the Responder Id line). You’ll likely see a SubCA listed.
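The four OpenSSL steps above, and the browser-side chain check described under "How it Works", as one self-contained shell example added here (this is not code from the original post). It builds a throw-away Root CA, SubCA and leaf certificate, has the SubCA answer an OCSP request for the leaf from an openssl ca-style index file, and then verifies the answer with the same openssl ocsp invocation a relying party uses. All names (Demo Root CA, Demo SubCA, demo.example.test), the AIA URL http://ocsp.demo.example.test and the revocation date are constructed for the demo; nothing touches the network, and the only requirement is an openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added demo, not code from the original post. Builds a throw-away Root CA -> SubCA ->
# leaf chain, lets the SubCA answer an OCSP request for the leaf, and verifies the
# answer the way a relying party does. All names, the OCSP URL and the revocation
# date are made up for this demo; nothing here touches the network.
set -eu

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder overridden by -subj
[ext_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ext_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.demo.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA (kept offline in real life) -> SubCA (online, issues the leaf) -> leaf.
build_demo_pki() {
  dir=$1
  write_config "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
      -days 30 -subj "/CN=Demo Root CA" -config "$dir/demo.cnf" -extensions ext_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/subca.key" -out "$dir/subca.csr" \
      -subj "/CN=Demo SubCA" -config "$dir/demo.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/subca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
      -out "$dir/subca.pem" -days 30 -extfile "$dir/demo.cnf" -extensions ext_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
      -subj "/CN=demo.example.test" -config "$dir/demo.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/subca.pem" -CAkey "$dir/subca.key" -CAcreateserial \
      -out "$dir/leaf.pem" -days 30 -extfile "$dir/demo.cnf" -extensions ext_leaf 2>/dev/null
}

# SubCA side: answer an OCSP request for the leaf from an openssl-ca style index file
# and write the DER response. $2 is the index status: V (valid) or R (revoked).
issue_ocsp_response() {
  dir=$1
  serial=$(openssl x509 -in "$dir/leaf.pem" -noout -serial | cut -d= -f2)
  case $2 in
    R) revoked_on=240101000000Z ;;   # constructed revocation time (UTCTime)
    *) revoked_on= ;;
  esac
  # Index fields: status, expiry, revocation date, serial, file name, subject DN.
  printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=demo.example.test\n' \
      "$2" "$revoked_on" "$serial" > "$dir/index.txt"
  # Step 3 of the post builds this request and sends it to the AIA URL; here it is
  # written to a file and handed to the local responder instead (-issuer before -cert).
  openssl ocsp -issuer "$dir/subca.pem" -cert "$dir/leaf.pem" -no_nonce \
      -reqout "$dir/req.der" >/dev/null
  # Responder mode: the SubCA signs the answer with its own key (it issued the leaf).
  openssl ocsp -index "$dir/index.txt" -CA "$dir/subca.pem" \
      -rsigner "$dir/subca.pem" -rkey "$dir/subca.key" \
      -reqin "$dir/req.der" -respout "$dir/resp.der" -no_nonce -noverify >/dev/null 2>&1
}

# Relying-party side (the browser steps under "How it Works"): rebuild the CertID from
# leaf + issuer, check the signature, and chain the responder certificate to the trust
# anchor given with -CAfile. Text dump goes to verify.txt, the verdict to verify.err.
check_ocsp_response() {
  dir=$1
  openssl ocsp -issuer "$dir/subca.pem" -cert "$dir/leaf.pem" -respin "$dir/resp.der" \
      -CAfile "$dir/root.pem" -no_nonce -resp_text > "$dir/verify.txt" 2> "$dir/verify.err"
}
ocsp_url()       { openssl x509 -in "$1/leaf.pem" -noout -ocsp_uri; }   # step 2: AIA URL
ocsp_responder() { sed -n 's/^ *Responder Id: //p' "$1/verify.txt"; }   # who signed it
ocsp_status()    { sed -n 's/^.*leaf\.pem: //p' "$1/verify.txt"; }       # good / revoked
ocsp_verified()  { grep -q 'Response verify OK' "$1/verify.err"; }       # chain check passed

demo() {
  dir=$(mktemp -d)
  build_demo_pki "$dir"
  echo "AIA OCSP URL in the leaf: $(ocsp_url "$dir")"
  for st in V R; do
    issue_ocsp_response "$dir" "$st"
    check_ocsp_response "$dir"
    ocsp_verified "$dir" && verdict="chain OK" || verdict="VERIFY FAILED"
    echo "index=$st -> status=$(ocsp_status "$dir"), signed by: $(ocsp_responder "$dir"), $verdict"
  done
  rm -rf "$dir"
}
demo
```

The second loop iteration flips the index entry to R so the same SubCA signs a revoked answer; in both cases the Responder Id is the SubCA, and "Response verify OK" only appears because -CAfile lets openssl chain that SubCA certificate to the root, which is exactly the "signed by a trusted Root CA" check the post describes. Here the SubCA signs with its own CA key because it is the leaf's issuer; many production responders instead use a separate responder certificate issued by the SubCA with the OCSP Signing extended key usage, which openssl ocsp accepts on the same basis.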

Important Considerations
