Details
Improvement
Resolution: Fixed
Major - P3
Fully Compatible
Security 2019-12-30
Description
While POCing OCSP using the .NET and Java drivers and server team's mock ocsp responder and certs in jstests/libs/ocsp that shreyaskal kindly pointed me at, I discovered I was unable to import the ca_ocsp certificate into a Java trust store.
keytool -import -trustcacerts -keystore cacerts -alias ca_ocsp -file ca_ocsp.pem
keytool error: java.lang.Exception: Input not an X.509 certificate
Further trial and error revealed that Java's keytool utility was willing to add an X.509 v3 certificate, but not the ca_ocsp.pem certificate because it appears to be an X.509 v1 certificate (see screenshot).

Updating mkcert.py to output v3 certificates seems to have solved this issue for me, and I've created a PR as the drivers team is planning on using the mock ocsp responder and the associated certificates for testing OCSP.