0

OCSP is brain-damaged and a privacy violation. Is there a way I can remove the specified OCSP responder from a certificate file to prevent my site's visitors from having to suffer it?

From what I understand, OCSP stapling would be great if it had browser support, though unfortunately I cannot use it at all in my current server configuration. :(

Boann
  • OCSP can be great for enterprises running their own PKI infrastructure. But yes, it seems a bit silly for public certs from third party CAs. – Ryan Bolger Jul 27 '12 at 04:48
  • First: most (if not all) browsers don't request OCSP if the site does not have an Extended Validation certificate. Second: if you want to protect users' privacy, use OCSP stapling. Third: the request for OCSP is harder to eavesdrop on than the HTTP request, so for stuff like www, OCSP privacy problems are rather overblown. – Hubert Kario Feb 11 '14 at 22:37

1 Answer

5

I don't believe so. Modifying the X.509 attributes in the public certificate would change the certificate's thumbprint hash, and invalidate the signature from the CA that issued the certificate.

Shane Madden
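The following is an added example, not code from the question or the answer above, showing concretely why the answer holds. It builds a throwaway CA and a leaf certificate that carries an OCSP responder in its Authority Information Access extension, then builds the "same" certificate with that extension removed. The fingerprint of the two differs, and the CA's original signature does not verify over the stripped to-be-signed bytes, so a site operator without the CA key cannot simply cut the responder out. All names, keys and the responder URL are constructed for the demo; it needs the `cryptography` package.

```python
"""
Added example (not part of the original Q&A): why removing the OCSP responder
URL from an X.509 certificate breaks the certificate. Every key, name and URL
here is constructed for the demonstration.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtensionOID,
                                   NameOID)

OCSP_URL = "http://ocsp.example.test/"  # constructed responder URL


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _build_leaf(subject_key, ca_key, ca_name, subject_name, serial, now, with_ocsp):
    """Build and CA-sign a leaf certificate, optionally carrying AIA/OCSP."""
    builder = (x509.CertificateBuilder()
               .subject_name(subject_name)
               .issuer_name(ca_name)
               .public_key(subject_key.public_key())
               .serial_number(serial)
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=30)))
    if with_ocsp:
        aia = x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(OCSP_URL))])
        builder = builder.add_extension(aia, critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def ocsp_urls(cert):
    """Return the OCSP responder URLs named in the certificate's AIA extension."""
    try:
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]


def signature_valid(ca_public_key, signature, tbs_bytes):
    """Check a CA's RSA PKCS#1 v1.5 / SHA-256 signature over TBS bytes."""
    try:
        ca_public_key.verify(signature, tbs_bytes, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name, leaf_name = _name("Demo CA"), _name("www.example.test")
    serial = x509.random_serial_number()
    now = datetime.datetime.now(datetime.timezone.utc)

    # The certificate as the CA issued it: it names an OCSP responder.
    original = _build_leaf(leaf_key, ca_key, ca_name, leaf_name, serial, now, True)
    # Identical fields, AIA extension removed. Only possible here because this
    # demo holds the CA key; a site operator with a third-party cert does not.
    stripped = _build_leaf(leaf_key, ca_key, ca_name, leaf_name, serial, now, False)

    ca_pub = ca_key.public_key()
    return {
        "original_ocsp_urls": ocsp_urls(original),
        "stripped_ocsp_urls": ocsp_urls(stripped),
        # Thumbprint is a hash of the whole DER encoding, so it changes.
        "fingerprints_differ": (original.fingerprint(hashes.SHA256())
                                != stripped.fingerprint(hashes.SHA256())),
        # The CA's signature covers the original TBS bytes ...
        "original_signature_valid": signature_valid(
            ca_pub, original.signature, original.tbs_certificate_bytes),
        # ... and does not verify if spliced onto the edited TBS bytes.
        "spliced_signature_valid": signature_valid(
            ca_pub, original.signature, stripped.tbs_certificate_bytes),
        # A fresh CA signature over the edited cert is valid: only the CA can do this.
        "reissued_signature_valid": signature_valid(
            ca_pub, stripped.signature, stripped.tbs_certificate_bytes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `spliced_signature_valid` result is the one that answers the question: the CA signed the bytes that include the responder URL, so an edited certificate with the original signature attached is simply an invalid certificate, and browsers reject it. Removing the responder therefore means re-issuance by the CA, not editing the file.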