authorShreyas Kalyan <shreyas.kalyan@10gen.com>2020-04-27 21:29:56 -0700
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-05-08 04:27:01 +0000
commit06143535a6d165a06d5cba6d3371ef5abe529042 (patch)
treee60bcf3fb3c878622c425c9f3d9f67c1df76c273
parentc318a8d9b1741de65f970c0132ec7b642378f092 (diff)
SERVER-47811 Search the intermediate certificates for the issuer of the peer certificate
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.crt22
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.key28
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.pem71
-rw-r--r--jstests/libs/ocsp/server_intermediate_ca_ocsp.pem53
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js35
-rw-r--r--jstests/ocsp/lib/ocsp_helpers.js4
-rw-r--r--jstests/ocsp/ocsp_basic_ca_responder.js88
-rw-r--r--jstests/ocsp/ocsp_stapling.js19
-rw-r--r--jstests/ssl/x509/certs.yml33
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp47
10 files changed, 331 insertions, 69 deletions
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.crt b/jstests/libs/ocsp/intermediate_ca_ocsp.crt
new file mode 100644
index 00000000000..d7600f9148d
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIEF39OgDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjAwNDIxMTkxNDUyWhcNNDAwNDIzMTkxNDUyWjB+MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY
+SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAptgUN3L3jVBEbkqNL9d1tdTqgbg1dIYaRdt6dHBdl24mfyW5M/Tg
+oHJbsXOfjJrw8Beq5YNPbCZRsZN5u6cedElgUz1+hiTvaHuiUXVejtI0Qsx3p6Fm
+xykeu4BW1505KlV5JVNfDd/KTKBu2m3w+jRdBSaCxzyQx7V9MFyg6Xk9oWB5AVHm
+D5G71Qta6e5GiT58X50br2Xa5AHpnHjrjseNmIeSYVkIKDTYsh6MSogxT26sJ7aM
+3wwbYOK0BXmmyHuscS/B9cHmYTntcDTXfj6dZFwQd0Dr8Pa3TMk/dbm5DBwMRXvx
+lot90K46hflTvBfC+zHKwAHRjKcuaW2jOwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBT/JWQaaKfjeSROC1wPOpepb+D8YTANBgkqhkiG9w0BAQsF
+AAOCAQEAcRPq5CjP8bXEMOX83/ZiGx0ueZGQKP7d+0Q2/hZyZIVk+kxjmQXuUsIK
+vpMlfxcUkcoPeO75bKWq2OxOaem0PcTeGf9XYDEfjoOrCQVQAnM+5oFbSjLgdW2n
+Otqe8A7i5IjXHMZMT0XmYu5LWCAM+wJAKDU0pEx4PyZjZIhmSHKl1uyB5ox/vjMU
+RjnPj58fawLKOCFbqnLZ24FdwrELqbqwcn/5pCoYxmOfjzMIAqTqgcewOQDoWV6c
+IXeG8yIqTdnxuFjEXe9lWrqsPVwhPlU9druF5plSSuHoJ6gDvSWDw5FuYU9afp5U
+xdj+V3ksSRqr2ad6DSqEPOohTy9Vvg==
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.key b/jstests/libs/ocsp/intermediate_ca_ocsp.key
new file mode 100644
index 00000000000..efe6f04e3c8
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.pem b/jstests/libs/ocsp/intermediate_ca_ocsp.pem
new file mode 100644
index 00000000000..c6abc40d1d1
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.pem
@@ -0,0 +1,71 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem b/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem
new file mode 100644
index 00000000000..3aa49df8d1b
--- /dev/null
+++ b/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 1d8691bd26e..2827ece5e4c 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -11,15 +11,35 @@ const FAULT_UNKNOWN = "unknown";
const OCSP_PROGRAM = "jstests/ocsp/lib/ocsp_mock.py";
+class ResponderCertSet {
+ /**
+ * Set of certificates for the OCSP responder.'
+ * @param {string} cafile
+ * @param {string} certfile
+ * @param {string} keyfile
+ */
+ constructor(cafile, certfile, keyfile) {
+ this.cafile = cafile;
+ this.certfile = certfile;
+ this.keyfile = keyfile;
+ }
+}
+
+const OCSP_DELEGATE_RESPONDER =
+ new ResponderCertSet(OCSP_CA_PEM, OCSP_RESPONDER_CERT, OCSP_RESPONDER_KEY);
+const OCSP_CA_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_CA_CERT, OCSP_CA_KEY);
+const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(
+ OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_KEY);
+
class MockOCSPServer {
/**
* Create a new OCSP Server.
*
* @param {string} fault_type
* @param {number} next_update_secs
- * @param {boolean} responder_is_ca
+ * @param {object} responder_certificate_set
*/
- constructor(fault_type, next_update_secs, responder_is_ca = false) {
+ constructor(fault_type, next_update_secs, responder_certificate_set = OCSP_DELEGATE_RESPONDER) {
this.python = "python3";
this.fault_type = fault_type;
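Review bot: The JSDoc on the new `ResponderCertSet` class ends with a stray apostrophe (`responder.'`), and the updated `MockOCSPServer` constructor types its new parameter as `{object}` although every call site passes a `ResponderCertSet`; tighten both to `* Set of certificates for the OCSP responder.` and `* @param {ResponderCertSet} responder_certificate_set`. The three `@param` entries on the class would also benefit from saying what each path is handed to the mock responder as (the CA bundle, the response-signing certificate, and its private key), to the extent the constructor assignments in the next hunk show it. The constructor body continues outside this hunk.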
@@ -27,16 +47,11 @@ class MockOCSPServer {
this.python = "python.exe";
}
- if (responder_is_ca) {
- this.ocsp_cert_file = OCSP_CA_CERT;
- this.ocsp_cert_key = OCSP_CA_KEY;
- } else {
- this.ocsp_cert_file = OCSP_RESPONDER_CERT;
- this.ocsp_cert_key = OCSP_RESPONDER_KEY;
- }
+ this.ca_file = responder_certificate_set.cafile;
+ this.ocsp_cert_file = responder_certificate_set.certfile;
+ this.ocsp_cert_key = responder_certificate_set.keyfile;
print("Using python interpreter: " + this.python);
- this.ca_file = OCSP_CA_PEM;
// The port must be hard coded to match the port of the
// responder in the certificates.
this.port = 8100;
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index 9855c9405ad..073a13e6564 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -13,6 +13,10 @@ const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pe
const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt";
const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key";
+const OCSP_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/intermediate_ca_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/intermediate_ca_ocsp.crt";
+const OCSP_INTERMEDIATE_CA_KEY = "jstests/libs/ocsp/intermediate_ca_ocsp.key";
+const OCSP_SERVER_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/server_intermediate_ca_ocsp.pem";
var clearOCSPCache = function() {
let provider = determineSSLProvider();
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
index 0a13d0acad7..f3a7ca3d9fe 100644
--- a/jstests/ocsp/ocsp_basic_ca_responder.js
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -9,44 +9,54 @@ load("jstests/ocsp/lib/mock_ocsp.js");
if (determineSSLProvider() === "apple") {
return;
}
+function test(serverCert, caCert, responderCertPair) {
+ clearOCSPCache();
+
+ const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: serverCert,
+ sslCAFile: caCert,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ },
+ };
+
+ // This is to test what happens when the responder is down,
+ // making sure that we soft fail.
+ let conn = null;
+
+ let mock_ocsp = new MockOCSPServer("", 1, responderCertPair);
+ mock_ocsp.start();
+
+ assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+ });
+
+ mock_ocsp.stop();
+ mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, responderCertPair);
+ mock_ocsp.start();
+
+ assert.throws(() => {
+ new Mongo(conn.host);
+ });
+
+ MongoRunner.stopMongod(conn);
+
+ // The mongoRunner spawns a new Mongo Object to validate the collections which races
+ // with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+ // sleep to make sure that the threads don't interfere with each other.
+ sleep(1000);
+ mock_ocsp.stop();
+}
+
+test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
+
+// TODO: SERVER-47963 - remove this platform check.
+if (determineSSLProvider() === "windows") {
+ return;
+}
-clearOCSPCache();
-
-const ocsp_options = {
- sslMode: "requireSSL",
- sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_PEM,
- sslAllowInvalidHostnames: "",
- setParameter: {
- "failpoint.disableStapling": "{'mode':'alwaysOn'}",
- "ocspEnabled": "true",
- },
-};
-
-// This is to test what happens when the responder is down,
-// making sure that we soft fail.
-let conn = null;
-
-let mock_ocsp = new MockOCSPServer("", 1, true);
-mock_ocsp.start();
-
-assert.doesNotThrow(() => {
- conn = MongoRunner.runMongod(ocsp_options);
-});
-
-mock_ocsp.stop();
-mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true);
-mock_ocsp.start();
-
-assert.throws(() => {
- new Mongo(conn.host);
-});
-
-MongoRunner.stopMongod(conn);
-
-// The mongoRunner spawns a new Mongo Object to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
-// sleep to make sure that the threads don't interfere with each other.
-sleep(1000);
-mock_ocsp.stop();
+test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}()); \ No newline at end of file
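Review bot: The parameter `responderCertPair` of the new `test` function (and the identically named parameter in `ocsp_stapling.js`) is misleading: it receives a `ResponderCertSet` of three files (cafile, certfile, keyfile), not a pair, and it is forwarded unchanged to `MockOCSPServer`; rename it to `responderCertSet` in both files. A one-line comment above the function stating what each argument drives would help readers, e.g. `// serverCert/caCert configure mongod; responderCertSet selects the certificate and key the mock responder signs with.`. The Windows early return now sits between the two `test(...)` calls, so only the intermediate-CA case is skipped on that platform; if that is intended, the TODO comment above it could say so explicitly.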
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 02671770fb6..d3e72e72af3 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -14,11 +14,11 @@ if (!supportsStapling()) {
return;
}
-var test = function(responderCA) {
+function test(serverCert, caCert, responderCertPair) {
const ocsp_options = {
sslMode: "requireSSL",
- sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_PEM,
+ sslPEMKeyFile: serverCert,
+ sslCAFile: caCert,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
@@ -35,7 +35,7 @@ var test = function(responderCA) {
MongoRunner.stopMongod(conn);
- let mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ let mock_ocsp = new MockOCSPServer("", 1000, responderCertPair);
mock_ocsp.start();
// In this scenario, the Mongod has the ocsp response stapled
@@ -48,7 +48,7 @@ var test = function(responderCA) {
});
mock_ocsp.stop();
- mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCA);
+ mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCertPair);
mock_ocsp.start();
assert.doesNotThrow(() => {
new Mongo(conn.host);
@@ -70,7 +70,7 @@ var test = function(responderCA) {
});
mock_ocsp.stop();
- mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ mock_ocsp = new MockOCSPServer("", 1000, responderCertPair);
mock_ocsp.start();
assert.throws(() => {
@@ -84,8 +84,9 @@ var test = function(responderCA) {
// sleep to make sure that the threads don't interfere with each other.
sleep(1000);
mock_ocsp.stop();
-};
+}
-test(false);
-test(true);
+test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER);
+test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
+test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}()); \ No newline at end of file
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index ff36cd9d6ad..c07d4307e0a 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -427,6 +427,39 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
+# Intermediate OCSP tree
+- name: 'intermediate_ca_ocsp.pem'
+ description: CA issued by the primary OCSP CA, which then issues its own server OCSP cert.
+ Subject: {CN: 'Intermediate CA for OCSP'}
+ Issuer: 'ca_ocsp.pem'
+ include_header: false
+ append_cert: 'ca_ocsp.pem'
+ output_path: 'jstests/libs/ocsp/'
+ keyfile: 'intermediate_ca_ocsp.key'
+ crtfile: 'intermediate_ca_ocsp.crt'
+ extensions:
+ subjectKeyIdentifier: hash
+ basicConstraints:
+ critical: true
+ CA: true
+
+- name: 'server_intermediate_ca_ocsp.pem'
+ description: Server OCSP certificate signed by intermediate CA.
+ Subject: {CN: 'Server OCSP Via Intermediate'}
+ Issuer: 'intermediate_ca_ocsp.pem'
+ include_header: false
+ output_path: 'jstests/libs/ocsp/'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
+ authorityInfoAccess: 'OCSP;URI:http://localhost:8100/status'
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth, clientAuth]
+
+# OCSP Responder Certificate
- name: 'ocsp_responder.pem'
description: Certificate and key for the OCSP responder
Subject:
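Review bot: The new `intermediate_ca_ocsp.pem` entry sets `basicConstraints: CA: true` but, unlike the other entries in this file (see the `keyUsage` line at the top of the hunk), declares no `keyUsage`, so the generated intermediate carries no key-usage restriction at all. Since this certificate both issues `server_intermediate_ca_ocsp.pem` and signs OCSP responses when the tests use it as `OCSP_INTERMEDIATE_RESPONDER`, an explicit `keyUsage: [keyCertSign, cRLSign, digitalSignature]` under `extensions` documents that dual role and matches what a verifier would check on a real CA. Whether the OpenSSL, Windows and Apple OCSP paths exercised by these tests enforce key usage on the response signer is not visible from this diff, so this is fixture hygiene rather than a known test failure.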
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 28a5adf1969..03d728ab5d3 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -281,6 +281,10 @@ inline void X509_OBJECT_free(X509_OBJECT* a) {
OPENSSL_free(a);
}
+void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX* ctx, STACK_OF(X509) * sk) {
+ X509_STORE_CTX_set_chain(ctx, sk);
+}
+
X509_OBJECT* X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX* vs, int type, X509_NAME* name) {
X509_OBJECT* ret;
ret = (X509_OBJECT*)OPENSSL_malloc(sizeof(X509_OBJECT));
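Review bot: The new `X509_STORE_CTX_set0_untrusted` shim has no comment saying why it exists; it presumably back-fills the OpenSSL 1.1.0 name for pre-1.1 builds where only `X509_STORE_CTX_set_chain` exists, and it would collide with the library's own symbol if the version guard enclosing this compatibility section (outside the hunk) does not cover it. Suggest `// OpenSSL < 1.1.0 compatibility: set0_untrusted was named set_chain before 1.1.0.` above the definition. No visible hunk in this commit calls the shim, so its call site is elsewhere in the file.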
@@ -460,18 +464,32 @@ struct X509_OBJECTFree {
using UniqueX509Object = std::unique_ptr<X509_OBJECT, X509_OBJECTFree>;
-StatusWith<UniqueCertId> getCertIdForCert(SSL_CTX* context, X509* cert) {
- // Look in the certificate store for the certificate that issued cert
+StatusWith<UniqueCertId> getCertIdForCert(SSL_CTX* context,
+ X509* cert,
+ STACK_OF(X509) * intermediateCerts) {
+ // First search the intermediate certificates for the issuer.
+ for (int i = 0; i < sk_X509_num(intermediateCerts); i++) {
+ if (X509_NAME_cmp(X509_get_issuer_name(cert),
+ X509_get_subject_name(sk_X509_value(intermediateCerts, i))) == 0) {
+ return UniqueCertId(
+ OCSP_cert_to_id(nullptr, cert, sk_X509_value(intermediateCerts, i)));
+ }
+ }
+
UniqueX509StoreCtx storeCtx(X509_STORE_CTX_new());
+
if (!storeCtx) {
return getSSLFailure("Could not create X509 store.");
}
+
+ // Look in the certificate store for the certificate that issued cert
if (X509_STORE_CTX_init(storeCtx.get(), SSL_CTX_get_cert_store(context), NULL, NULL) == 0) {
- return getSSLFailure("Could not initialize the X509 Store Context.");
+ return getSSLFailure("Could not initialize the X509 Store Context for the SSL Context.");
}
UniqueX509Object obj(X509_STORE_CTX_get_obj_by_subject(
storeCtx.get(), X509_LU_X509, X509_get_issuer_name(cert)));
+
if (obj == nullptr) {
return getSSLFailure("Could not get X509 Object from store.");
}
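Review bot: The new intermediate-certificate search in `getCertIdForCert` picks the first chain element whose subject equals the peer certificate's issuer name, but a name match alone does not establish issuance: two CAs with the same subject (key rollover, cross-signing) would yield an OCSP CertID with the wrong issuer key hash, which a responder answers with "unknown". `X509_check_issued(candidate, cert) == X509_V_OK` additionally checks the authority/subject key identifiers and CA key usage, and is the check the fallback store path effectively gets from `X509_STORE_CTX_get_obj_by_subject`'s consumers. The branch also wraps `OCSP_cert_to_id` without a null check, whereas the store path below checks `obj == nullptr`; the rewritten loop below adds both. The loop tolerates a null `intermediateCerts` only because `sk_X509_num` returns -1 for a null stack (callers such as `verifyStapledResponse` pass `intermediateCerts.get()`), which is worth a comment; the rest of the function's body continues outside the hunk.
```cpp
    // First search the intermediate certificates for the issuer.
    // A null stack is tolerated: sk_X509_num(nullptr) returns -1 and the loop is skipped.
    for (int i = 0; i < sk_X509_num(intermediateCerts); i++) {
        X509* candidate = sk_X509_value(intermediateCerts, i);
        // Subject-name equality alone cannot distinguish two CAs that share a name
        // (key rollover / cross-signing); X509_check_issued also checks AKID/SKID.
        if (X509_check_issued(candidate, cert) != X509_V_OK) {
            continue;
        }
        UniqueCertId certId(OCSP_cert_to_id(nullptr, cert, candidate));
        if (!certId) {
            return getSSLFailure("Could not get certificate ID from intermediate issuer.");
        }
        return certId;
    }
    // … unchanged: fall back to the SSL_CTX certificate store …
```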
@@ -595,7 +613,8 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap(
SSL_CTX* context,
X509* cert,
std::map<std::string, OCSPRequestAndIDs>& ocspRequestMap,
- OCSPCertIDSet& uniqueCertIds) {
+ OCSPCertIDSet& uniqueCertIds,
+ STACK_OF(X509) * intermediateCerts) {
UniqueOpenSSLStringStack aiaOCSP(X509_get1_ocsp(cert));
std::vector<std::string> responders;
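Review bot: The new trailing parameter `intermediateCerts` of `addOCSPUrlToMap` is undocumented and its null-handling contract is implicit: the later hunks only forward it to `getCertIdForCert`, whose search relies on `sk_X509_num` returning -1 for a null stack. A comment on the parameter such as `// intermediateCerts: chain searched for the issuer before the SSL_CTX store (the verified chain in the stapling path); may be null` would make that explicit for future callers. addOCSPUrlToMap's body continues outside this hunk.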
@@ -627,7 +646,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap(
HostAndPort hostAndPort(str::stream() << host << ":" << port);
- auto swCertId = getCertIdForCert(context, cert);
+ auto swCertId = getCertIdForCert(context, cert, intermediateCerts);
if (!swCertId.isOK()) {
return swCertId.getStatus();
}
@@ -637,7 +656,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap(
return getSSLFailure("Could not get certificate ID for Map.");
}
- swCertId = getCertIdForCert(context, cert);
+ swCertId = getCertIdForCert(context, cert, intermediateCerts);
if (!swCertId.isOK()) {
return swCertId.getStatus();
}
@@ -658,7 +677,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap(
mapIter->second.certIDs.insert(std::move(certIDForArray));
}
- auto swCertId = getCertIdForCert(context, cert);
+ auto swCertId = getCertIdForCert(context, cert, intermediateCerts);
if (!swCertId.isOK()) {
return swCertId.getStatus();
}
@@ -894,7 +913,8 @@ StatusWith<OCSPValidationContext> extractOcspUris(SSL_CTX* context,
std::map<std::string, OCSPRequestAndIDs> ocspRequestMap;
OCSPCertIDSet uniqueCertIds;
- auto swLeafResponders = addOCSPUrlToMap(context, peerCert, ocspRequestMap, uniqueCertIds);
+ auto swLeafResponders =
+ addOCSPUrlToMap(context, peerCert, ocspRequestMap, uniqueCertIds, intermediateCerts);
if (!swLeafResponders.isOK()) {
return swLeafResponders.getStatus();
}
@@ -1477,7 +1497,7 @@ StatusWith<bool> verifyStapledResponse(SSL* conn, X509* peerCert, OCSP_RESPONSE*
auto intermediateCerts = SSLgetVerifiedChain(conn);
OCSPCertIDSet emptyCertIDSet{};
- auto swCertId = getCertIdForCert(SSL_get_SSL_CTX(conn), peerCert);
+ auto swCertId = getCertIdForCert(SSL_get_SSL_CTX(conn), peerCert, intermediateCerts.get());
if (!swCertId.isOK()) {
return swCertId.getStatus();
}
@@ -1545,12 +1565,17 @@ int ocspClientCallback(SSL* ssl, void* arg) {
if (swStapleOK.getStatus() == ErrorCodes::OCSPCertificateStatusRevoked) {
LOGV2_DEBUG(23225,
1,
- "Stapled Certificate validation failed: {error}",
- "Stapled Certificate validation failed",
+ "Stapled OCSP Response validation failed: {error}",
+ "Stapled OCSP Response validation failed",
"error"_attr = swStapleOK.getStatus());
return OCSP_CLIENT_RESPONSE_NOT_ACCEPTABLE;
}
+ LOGV2_ERROR(4781101,
+ "Stapled OCSP Response validation threw an error: {error}",
+ "Stapled OCSP Response validation threw an error",
+ "error"_attr = swStapleOK.getStatus());
+
return OCSP_CLIENT_RESPONSE_ERROR;
} else if (!swStapleOK.getValue()) {
LOGV2_DEBUG(23226,