summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorShreyas Kalyan <shreyas.kalyan@10gen.com>2021-04-07 14:26:02 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-04-07 21:12:31 +0000
commit6eaf9b51d0f710e0088799f72b0812a18efc1b02 (patch)
tree71d83581142e98c8c906182137783d857459969f
parentae83ae0fa283efabb93c0fc55bf640cedd4916d7 (diff)
downloadmongo-6eaf9b51d0f710e0088799f72b0812a18efc1b02.tar.gz
SERVER-55122 Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile
(cherry picked from commit 17c516775aa4f5848671340f21545b7dffdc2d74)
Diffstat
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.crt30
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.key52
-rw-r--r--jstests/libs/ocsp/intermediate_ca_ocsp.pem59
-rw-r--r--jstests/libs/ocsp/intermediate_ca_only_ocsp.crt22
-rw-r--r--jstests/libs/ocsp/intermediate_ca_only_ocsp.key28
-rw-r--r--jstests/libs/ocsp/intermediate_ca_only_ocsp.pem50
-rw-r--r--jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem44
-rw-r--r--jstests/libs/ocsp/intermediate_only_ca_ocsp.pem50
-rw-r--r--jstests/libs/ocsp/ocsp_server_intermediate_appended.pem48
-rw-r--r--jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem75
-rw-r--r--jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem53
-rw-r--r--jstests/libs/ocsp_server_intermediate_appended.pem26
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js5
-rw-r--r--jstests/ocsp/lib/ocsp_helpers.js11
-rw-r--r--jstests/ocsp/ocsp_basic_ca_responder.js6
-rw-r--r--jstests/ocsp/ocsp_stapling.js7
-rw-r--r--jstests/ocsp/ocsp_unable_to_staple_log.js35
-rw-r--r--jstests/ssl/x509/certs.yml34
-rwxr-xr-xjstests/ssl/x509/mkcert.py2
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp24
20 files changed, 560 insertions, 101 deletions
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.crt b/jstests/libs/ocsp/intermediate_ca_ocsp.crt
index d7600f9148d..a4193f87c93 100644
--- a/jstests/libs/ocsp/intermediate_ca_ocsp.crt
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.crt
@@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIDojCCAoqgAwIBAgIEF39OgDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIDojCCAoqgAwIBAgIEYLGF9TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwNDIxMTkxNDUyWhcNNDAwNDIzMTkxNDUyWjB+MQswCQYD
+IFRlc3QgQ0EwHhcNMjEwMzA5MTY0MDMxWhcNNDEwMzExMTY0MDMxWjB+MQswCQYD
VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY
SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAptgUN3L3jVBEbkqNL9d1tdTqgbg1dIYaRdt6dHBdl24mfyW5M/Tg
-oHJbsXOfjJrw8Beq5YNPbCZRsZN5u6cedElgUz1+hiTvaHuiUXVejtI0Qsx3p6Fm
-xykeu4BW1505KlV5JVNfDd/KTKBu2m3w+jRdBSaCxzyQx7V9MFyg6Xk9oWB5AVHm
-D5G71Qta6e5GiT58X50br2Xa5AHpnHjrjseNmIeSYVkIKDTYsh6MSogxT26sJ7aM
-3wwbYOK0BXmmyHuscS/B9cHmYTntcDTXfj6dZFwQd0Dr8Pa3TMk/dbm5DBwMRXvx
-lot90K46hflTvBfC+zHKwAHRjKcuaW2jOwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBT/JWQaaKfjeSROC1wPOpepb+D8YTANBgkqhkiG9w0BAQsF
-AAOCAQEAcRPq5CjP8bXEMOX83/ZiGx0ueZGQKP7d+0Q2/hZyZIVk+kxjmQXuUsIK
-vpMlfxcUkcoPeO75bKWq2OxOaem0PcTeGf9XYDEfjoOrCQVQAnM+5oFbSjLgdW2n
-Otqe8A7i5IjXHMZMT0XmYu5LWCAM+wJAKDU0pEx4PyZjZIhmSHKl1uyB5ox/vjMU
-RjnPj58fawLKOCFbqnLZ24FdwrELqbqwcn/5pCoYxmOfjzMIAqTqgcewOQDoWV6c
-IXeG8yIqTdnxuFjEXe9lWrqsPVwhPlU9druF5plSSuHoJ6gDvSWDw5FuYU9afp5U
-xdj+V3ksSRqr2ad6DSqEPOohTy9Vvg==
+MIIBCgKCAQEApP3UQTlZVYFjzvRREJbdqYBw1zF+NWayd+AFUqWzrW35TECxnmR0
+PEr+ILEucOfiPB/AwRoTCMF0IJk1y6l2ljxGs9vuGD/MdBtnxzJ3cVbzPTtVm5Q4
+kAmVJz7O+2cw70XGD3hruDMKGkAixRwLXp16ENl0jyJ6V44JBRfOQcZLG3geJgve
+cbp1KwkTASaRcYv+93tr9z5s92a/2UVXRuSK/Rf1+x+U4+GRVJh4/k8i9nP/ieYg
+92OGqhWr1ETdSv66SZ+sHd+4OftMbETqBdiTGj7GM+EszAEUTPYDabTvQlOBtdZH
+NYOLHGMxKxdEj5EyzE4y8WO7yk4W+TZItwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBRRg4ZhgrLm0lO4jGm+fmVnaczaPzANBgkqhkiG9w0BAQsF
+AAOCAQEAZK3kybfwQ05q6BQevqkun9CKC3Vwhv6BLez5wOXW3gQ8BQdypKbSMEB8
+4RPEcy1zBU+6LPa8S+WE88EN85/0n/oS7N7MAgEpSWT8vflBm76nEfG4jG+l8h+Q
+yIp0e5/ITq/MtRx9EiRk+vU6l3Mkvqq+2a3T7pKhvE4jOIOyFtg5jr+p2n46WEw4
+g3N/BzbZLpz147KO7tYrelhIAAcbmeVUKlQOjtcljeGbZimRgt8kzJWBVNAS6tEj
+J8FTRLMX6HSTbVMx8tjq+MxF9hn1Ztc/3GIIuTvlGeTkLTS8atR4318YfMcZLlwm
+pt3Zd7lPfbW/gmFewm7GB5TL9rDfbA==
-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.key b/jstests/libs/ocsp/intermediate_ca_ocsp.key
index efe6f04e3c8..8d2c2725ee8 100644
--- a/jstests/libs/ocsp/intermediate_ca_ocsp.key
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm2BQ3cveNUERu
-So0v13W11OqBuDV0hhpF23p0cF2XbiZ/Jbkz9OCgcluxc5+MmvDwF6rlg09sJlGx
-k3m7px50SWBTPX6GJO9oe6JRdV6O0jRCzHenoWbHKR67gFbXnTkqVXklU18N38pM
-oG7abfD6NF0FJoLHPJDHtX0wXKDpeT2hYHkBUeYPkbvVC1rp7kaJPnxfnRuvZdrk
-AemceOuOx42Yh5JhWQgoNNiyHoxKiDFPbqwntozfDBtg4rQFeabIe6xxL8H1weZh
-Oe1wNNd+Pp1kXBB3QOvw9rdMyT91ubkMHAxFe/GWi33QrjqF+VO8F8L7McrAAdGM
-py5pbaM7AgMBAAECggEAaw76If52lMntryvNXuaNlKjT9XsDagrm7u5/rBmyJIo8
-z5egOJOoU6wt5DcCKRH/CsDVG0LgAtCv2Rd9pIj/BLVUxvUNq/wlV1EF/eknTNPb
-TwWuvfTWY3OiUcRvdRlg5iZEf0v5EYkJYZQMrcKgP5y8F6L3her6J/vwIck+Q7FM
-LlFZfW+ztVK8d2H64wmpO0ErV1UTJkC0DMwGyhT2zfxfhiDD9riHZ9WU/RPmJe91
-6BfL8Vu9L8fH/hS/YLgThBRrP00ZOjETDDGlb94PRSLHU+AQD+nQ0X9PuuxZX+6U
-pNe1QkOAszU0ansfwCBlKwjTU6t8nloFWdWZUXgW+QKBgQDS/Wjff7O2MdowiNj9
-RVES62IsdLI4uIMQjLR3c2U78FsWfhIzzKXlmtROzaFPccwkW10i1YWosEv+dkzp
-o7Kiafb6pWxfucvts8hbw7dmUT22+N7zUqBK+Tpj6E//5JxmT9aZPPxbxMITlcpc
-7NHYtBFOizTEcU9TMXk4jCdY1QKBgQDKb8Z8hMhDZqEmOBlYI8efyXUNKh9BQKfi
-ptRzwsVbrYadQdGgNTUURMVZgr3z/3KeDAM+G71e3KqA5jKUMAufVUWQh3b+bU4C
-F+R64PxvC0D5kT3KnT2u6yI0qTtqSaDuwcW1G5J4E9M+GOApuLxOr92B+rA6deKR
-njpqJHETzwKBgDclJojrzqO7CeUPj28688K3JNSrt30dtJvZur1Rus7ctmH9l3JU
-dbO6MO1bz2J9Qrbp7kDRf/qkAWjDsLyMHX9XpMbD/7xRSlyZVa+uSrwCVdgB2fvM
-x7pww3MjX+1o6fvPuC4bA3ZUycjmqJp7BynVfoSB28vQNcRvtNgzwYD1AoGAa/D3
-1DN1GUNjEB7/nJjPe6sPB+r66W9RVbCBPgyP8ZdwXO/Yl+VnHRyiYl0tbio6cn2T
-SQ2/hxKAs+SK+as4t0ffpPYmg/nCi6kzwjWvRIKqrag9W4lGd7uW7J+EN+N0tXqL
-Mku2aOKhU84t0PFZL1fk88a5KyLqoZzOJwSxas8CgYEArqFmKddOAjdC+Y8n8nWT
-WrEPFts/YAp0KJGW0nDqN7ROKXyBuqrrKpOgXpxZTHRoFQ+RCsWHZOtZYD68Nmod
-yr/aGaixsHqIqSC8xu78DwXuOIIVuvEU06pAmCh2ALskKQZhA5sBL6qkw1PlgSDh
-WBzMfq3dw8n/557/q+IVnlE=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCk/dRBOVlVgWPO
+9FEQlt2pgHDXMX41ZrJ34AVSpbOtbflMQLGeZHQ8Sv4gsS5w5+I8H8DBGhMIwXQg
+mTXLqXaWPEaz2+4YP8x0G2fHMndxVvM9O1WblDiQCZUnPs77ZzDvRcYPeGu4Mwoa
+QCLFHAtenXoQ2XSPInpXjgkFF85BxksbeB4mC95xunUrCRMBJpFxi/73e2v3Pmz3
+Zr/ZRVdG5Ir9F/X7H5Tj4ZFUmHj+TyL2c/+J5iD3Y4aqFavURN1K/rpJn6wd37g5
++0xsROoF2JMaPsYz4SzMARRM9gNptO9CU4G11kc1g4scYzErF0SPkTLMTjLxY7vK
+Thb5Nki3AgMBAAECggEAASkb7h2GKFjRp+oGC/TTuFaD9K+PcLa5OKilwPATdHva
+jhPCbBfOzYHFidtVNUwcRkn+5BzX127s7zHEtBsMD4B7CtbYNOl1+bcbosYTGwP+
+kAaz0nVXdIPsvarub8xJBtXZz9AMCe6p+odK91H8Ln0zF50/+aXHcIg6PgPt2n6U
+smChi15o1F6kdr+hwrqUpjW7NDN3Fs5lCH4dNw8I5PvpqPwl3IkwYG8e76A/9dJa
+Fe1mzrUcmXi57JwSePE+Q7/ncIfXYB964AkTMLabylaPsB5EKP587jfpEfXXfyXn
+Y+MLFCfP8dUXwu2nAr6vSWs3Ne4TGwWLLKGSP1UQuQKBgQDRBrQj75aN4hPulr9j
+MTLIXxNRBOEkKXv11mvZFEV1ljyyw3qCivIndJBLNLRDsY+cr6yOYVwvfF5sx6Si
+sF4N789yusRQr3iARJ67+fIJ04gOaIMW8iYzB9kr9eaLdpWSbbBkVG44aF28CiDb
+dgeEFFjXYY5u4T+V+YJPLuDrLQKBgQDKEc6SXndtATpU8Gq5DWcUthPwEVQmVYsF
+6EGWtU/fdVgTs1XmkFuRLy4VZcICK8+uGqN+bOMtr5gKJjEhAr2aDMqpm3keXdLz
+Xlf/El2zzQ1Pj+Jm69odeCqGHwXGQTMOF5bqvIngWi1A5ijS/N3BiNLwtzlcKm+P
+yJuJF+dh8wKBgQC7Nd7XpLlaIFcrxLZrl9/c2FKLqOwgoEsW9tGnHmHLnCCHF089
+ZkbWEa8+vFiLnJd8hVbuOsL/AMvtb63DzGSg5N0O67nybgZmE4972rPuGxfrl615
+Oq393JSkq9utoyr5d+aZJYmGWetCBGxDQuYeZL7hQM35/yIdJ9iPJPRrjQKBgCac
+rndjm7h1kprmcc44lGjtvfOSrBzDHdScI+RTcxbFCnaBPznWfdjJRioKjr7xdjbT
+mkgvMF3rfsb5s0uWhXppVVSBg+xci1G7xl7UOJmB5jg8y0tVaBFXg/Cq/uR6UvIv
+acQjEMmREbKkCEsAzLMNnRkoOcq1xSmZcLcKnUknAoGBAJjGDcvr/RsrP/fehxxs
+jqtxALg26wAUbfvgjrJxZ3sSmXvP++t8KcXHoAi9vbUXwHjdcq1GCiynmuJG/D4z
+u7oBsQnducfSTULsmdMIjnBTy6cdcilfgfX+3h/eUEDzF2R0vx3ugmJMUW4+iMm8
+CVLNHOr0uNpdrz5tOf6SpRhd
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.pem b/jstests/libs/ocsp/intermediate_ca_ocsp.pem
index c6abc40d1d1..5c77a6e454a 100644
--- a/jstests/libs/ocsp/intermediate_ca_ocsp.pem
+++ b/jstests/libs/ocsp/intermediate_ca_ocsp.pem
@@ -1,53 +1,26 @@
+
-----BEGIN CERTIFICATE-----
-MIIDojCCAoqgAwIBAgIEF39OgDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIDojCCAoqgAwIBAgIEYLGF9TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwNDIxMTkxNDUyWhcNNDAwNDIzMTkxNDUyWjB+MQswCQYD
+IFRlc3QgQ0EwHhcNMjEwMzA5MTY0MDMxWhcNNDEwMzExMTY0MDMxWjB+MQswCQYD
VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY
SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAptgUN3L3jVBEbkqNL9d1tdTqgbg1dIYaRdt6dHBdl24mfyW5M/Tg
-oHJbsXOfjJrw8Beq5YNPbCZRsZN5u6cedElgUz1+hiTvaHuiUXVejtI0Qsx3p6Fm
-xykeu4BW1505KlV5JVNfDd/KTKBu2m3w+jRdBSaCxzyQx7V9MFyg6Xk9oWB5AVHm
-D5G71Qta6e5GiT58X50br2Xa5AHpnHjrjseNmIeSYVkIKDTYsh6MSogxT26sJ7aM
-3wwbYOK0BXmmyHuscS/B9cHmYTntcDTXfj6dZFwQd0Dr8Pa3TMk/dbm5DBwMRXvx
-lot90K46hflTvBfC+zHKwAHRjKcuaW2jOwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBT/JWQaaKfjeSROC1wPOpepb+D8YTANBgkqhkiG9w0BAQsF
-AAOCAQEAcRPq5CjP8bXEMOX83/ZiGx0ueZGQKP7d+0Q2/hZyZIVk+kxjmQXuUsIK
-vpMlfxcUkcoPeO75bKWq2OxOaem0PcTeGf9XYDEfjoOrCQVQAnM+5oFbSjLgdW2n
-Otqe8A7i5IjXHMZMT0XmYu5LWCAM+wJAKDU0pEx4PyZjZIhmSHKl1uyB5ox/vjMU
-RjnPj58fawLKOCFbqnLZ24FdwrELqbqwcn/5pCoYxmOfjzMIAqTqgcewOQDoWV6c
-IXeG8yIqTdnxuFjEXe9lWrqsPVwhPlU9druF5plSSuHoJ6gDvSWDw5FuYU9afp5U
-xdj+V3ksSRqr2ad6DSqEPOohTy9Vvg==
+MIIBCgKCAQEApP3UQTlZVYFjzvRREJbdqYBw1zF+NWayd+AFUqWzrW35TECxnmR0
+PEr+ILEucOfiPB/AwRoTCMF0IJk1y6l2ljxGs9vuGD/MdBtnxzJ3cVbzPTtVm5Q4
+kAmVJz7O+2cw70XGD3hruDMKGkAixRwLXp16ENl0jyJ6V44JBRfOQcZLG3geJgve
+cbp1KwkTASaRcYv+93tr9z5s92a/2UVXRuSK/Rf1+x+U4+GRVJh4/k8i9nP/ieYg
+92OGqhWr1ETdSv66SZ+sHd+4OftMbETqBdiTGj7GM+EszAEUTPYDabTvQlOBtdZH
+NYOLHGMxKxdEj5EyzE4y8WO7yk4W+TZItwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBRRg4ZhgrLm0lO4jGm+fmVnaczaPzANBgkqhkiG9w0BAQsF
+AAOCAQEAZK3kybfwQ05q6BQevqkun9CKC3Vwhv6BLez5wOXW3gQ8BQdypKbSMEB8
+4RPEcy1zBU+6LPa8S+WE88EN85/0n/oS7N7MAgEpSWT8vflBm76nEfG4jG+l8h+Q
+yIp0e5/ITq/MtRx9EiRk+vU6l3Mkvqq+2a3T7pKhvE4jOIOyFtg5jr+p2n46WEw4
+g3N/BzbZLpz147KO7tYrelhIAAcbmeVUKlQOjtcljeGbZimRgt8kzJWBVNAS6tEj
+J8FTRLMX6HSTbVMx8tjq+MxF9hn1Ztc/3GIIuTvlGeTkLTS8atR4318YfMcZLlwm
+pt3Zd7lPfbW/gmFewm7GB5TL9rDfbA==
-----END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm2BQ3cveNUERu
-So0v13W11OqBuDV0hhpF23p0cF2XbiZ/Jbkz9OCgcluxc5+MmvDwF6rlg09sJlGx
-k3m7px50SWBTPX6GJO9oe6JRdV6O0jRCzHenoWbHKR67gFbXnTkqVXklU18N38pM
-oG7abfD6NF0FJoLHPJDHtX0wXKDpeT2hYHkBUeYPkbvVC1rp7kaJPnxfnRuvZdrk
-AemceOuOx42Yh5JhWQgoNNiyHoxKiDFPbqwntozfDBtg4rQFeabIe6xxL8H1weZh
-Oe1wNNd+Pp1kXBB3QOvw9rdMyT91ubkMHAxFe/GWi33QrjqF+VO8F8L7McrAAdGM
-py5pbaM7AgMBAAECggEAaw76If52lMntryvNXuaNlKjT9XsDagrm7u5/rBmyJIo8
-z5egOJOoU6wt5DcCKRH/CsDVG0LgAtCv2Rd9pIj/BLVUxvUNq/wlV1EF/eknTNPb
-TwWuvfTWY3OiUcRvdRlg5iZEf0v5EYkJYZQMrcKgP5y8F6L3her6J/vwIck+Q7FM
-LlFZfW+ztVK8d2H64wmpO0ErV1UTJkC0DMwGyhT2zfxfhiDD9riHZ9WU/RPmJe91
-6BfL8Vu9L8fH/hS/YLgThBRrP00ZOjETDDGlb94PRSLHU+AQD+nQ0X9PuuxZX+6U
-pNe1QkOAszU0ansfwCBlKwjTU6t8nloFWdWZUXgW+QKBgQDS/Wjff7O2MdowiNj9
-RVES62IsdLI4uIMQjLR3c2U78FsWfhIzzKXlmtROzaFPccwkW10i1YWosEv+dkzp
-o7Kiafb6pWxfucvts8hbw7dmUT22+N7zUqBK+Tpj6E//5JxmT9aZPPxbxMITlcpc
-7NHYtBFOizTEcU9TMXk4jCdY1QKBgQDKb8Z8hMhDZqEmOBlYI8efyXUNKh9BQKfi
-ptRzwsVbrYadQdGgNTUURMVZgr3z/3KeDAM+G71e3KqA5jKUMAufVUWQh3b+bU4C
-F+R64PxvC0D5kT3KnT2u6yI0qTtqSaDuwcW1G5J4E9M+GOApuLxOr92B+rA6deKR
-njpqJHETzwKBgDclJojrzqO7CeUPj28688K3JNSrt30dtJvZur1Rus7ctmH9l3JU
-dbO6MO1bz2J9Qrbp7kDRf/qkAWjDsLyMHX9XpMbD/7xRSlyZVa+uSrwCVdgB2fvM
-x7pww3MjX+1o6fvPuC4bA3ZUycjmqJp7BynVfoSB28vQNcRvtNgzwYD1AoGAa/D3
-1DN1GUNjEB7/nJjPe6sPB+r66W9RVbCBPgyP8ZdwXO/Yl+VnHRyiYl0tbio6cn2T
-SQ2/hxKAs+SK+as4t0ffpPYmg/nCi6kzwjWvRIKqrag9W4lGd7uW7J+EN+N0tXqL
-Mku2aOKhU84t0PFZL1fk88a5KyLqoZzOJwSxas8CgYEArqFmKddOAjdC+Y8n8nWT
-WrEPFts/YAp0KJGW0nDqN7ROKXyBuqrrKpOgXpxZTHRoFQ+RCsWHZOtZYD68Nmod
-yr/aGaixsHqIqSC8xu78DwXuOIIVuvEU06pAmCh2ALskKQZhA5sBL6qkw1PlgSDh
-WBzMfq3dw8n/557/q+IVnlE=
------END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIEBdhiWzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
diff --git a/jstests/libs/ocsp/intermediate_ca_only_ocsp.crt b/jstests/libs/ocsp/intermediate_ca_only_ocsp.crt
new file mode 100644
index 00000000000..618a550c2b4
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_only_ocsp.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIDJSA5MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4G
+A1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwg
+VGVzdCBDQTAeFw0yMTAzMDkxODAxNDVaFw00MTAzMTExODAxNDVaMH4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0
+eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMSEwHwYDVQQDDBhJ
+bnRlcm1lZGlhdGUgQ0EgZm9yIE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDejgY18iv98kFHs+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN
+9tUbSzr2rsKjjXhKMlFFxxb3dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNep
+Tm570UyXWMGCxhw8vtO/fkT/UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu
+8+ex950c54fUrwHHuE8ZmqGYSZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv
+9vUtnqz7Ij64risEqDTK9mdieEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R0
+5hUrWFR45EOgTWOkS4Pwi1he433fRDnvAgMBAAGjMjAwMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFG4AQc6znEV5v5AOokM27F+YNpEPMA0GCSqGSIb3DQEBCwUA
+A4IBAQA6fK8F68vqZ8WjX+G3lubpui/k1ke9ueozYnjxmwdwbWgJ9kH02h9f4uND
+4i8ZElpzaraRXHqrWf1PQvwAXwscDkQic2QaEgumei2j63UkwWd9DRWmrlVXKSzW
+LCwUtHU9NHZRKjMR3FjSWih5w1l3TWf24422awVkW3pVKiC3xchMCsUrK+mqzivj
+hZZ3sgdmCLO2/WYpiBPPsAupniRj5zZk3Kqrw4GmPb8IfFA7HYUEYuhmID9BcnSM
+J8Rfx7ZUvQREih92lALmQbN81x27WvxULhgOVoMMU1UlPqDZzL+eLoo+EuC5k38q
+cLpYeqs+gWeNrh1kzk0GeHmzvE+g
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/intermediate_ca_only_ocsp.key b/jstests/libs/ocsp/intermediate_ca_only_ocsp.key
new file mode 100644
index 00000000000..d92a0c06b3c
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_only_ocsp.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDejgY18iv98kFH
+s+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN9tUbSzr2rsKjjXhKMlFFxxb3
+dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNepTm570UyXWMGCxhw8vtO/fkT/
+UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu8+ex950c54fUrwHHuE8ZmqGY
+SZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv9vUtnqz7Ij64risEqDTK9mdi
+eEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R05hUrWFR45EOgTWOkS4Pwi1he
+433fRDnvAgMBAAECggEAeWwrX0tdTRPbIe+7Rv/gZZ/9oclrEkQYN34g09nHDxNz
+47ryg21x5Q6Cfn2xEd2PPAR3WKPTS6qvkRvRjg217UxDUUYXkYnNbh3djI1H4c46
+z+cIEFQNlcXA6bTrgLdf/KVxyoKirJuLsXIGwB8ysk3tIK/32QNUJ0oYpoxEysH8
+5QUukx5U/hkJt+RIuiFMqy5H/Ty7W9/5ShSI6wQswx0PSmOeHAIhx0Es99x6XN2n
+cKJ9ACxTfG9HzTy+PvNBoa+zWWFQVAKH7qT5nqGC2j8NRiBNydeIBTD2xYjayz51
+G2gWrCBsfqGWPLxFjvim+jO7fkhPQfIuG2U9OvlyYQKBgQDyy+i1JjjC/6ygyEeW
+jCH8CdcenCw21i+VRx6AssOJdLKCD7FUih6CBHDx/OY9RamXLow5jjK/Wz450EkW
+cJX52haJ0SasDpxWsteVczZ4lcPD8mwpm1zL/+v0SK36hXnPDQNi8kCupITPvrY9
+oJPXuy4AqsNtn33r3kVKihWRwwKBgQDqqFHpKDXSyGxALRaiFY3aSYTmGD1c9n/y
+J8XGz3VNJCrzMdMCS2HazoeEh20WkZA6OsAZTdAmRC88jKQtCfqNSiYvWu/AbaHy
+x2t6J6S28qYpme7GTBm6TZAcx4f9obxU4icI3klc5lwGLH5U96hT7sh03AG0PfgH
+zEkjuSPoZQKBgQDGot5avc94cVZZICG5YCI5og9V4q0lm+vH9CxXXGkvHsMgNxh8
+MpetBVcmEyKGhGSv5Awi1lxcQ5jQEcCJ1EhO5gbEb9F0uGtdXumTQnQRCW3k9INb
+MtkjqNfwvjlgGS1DoMDhhZI3jy99Cujr2GC8AU4si4hhOjf57ZnA1uG4owKBgQCj
+P1AkzZWMO2SbzQJW5nnWJ5luXeSqvM5MEAFWi1NGxGeg4sOyb/D2wQGkYHay4bed
+2utzbx/kz0CxdgJtVujYzIH+JdxvWZX2CWgrBlNf9zVD8dQcXirz4ivk6acg+xjD
+UMXpNIODPrs8jE2jHNwc8BzCt5/z3byk6Cjl0lI5xQKBgQDvpObhRYwho2J0H9pk
+L3c0GohnYcVZjdXMtPYE+ZzrJi3vHqmrAplGVTO8qZT/Vy8c09KocgwSjBGXMGJa
+6PVQULt2ox/c4XinKuB942Fl2YgA/nynh32BHFmAHUYaAMOE/2qbnVe506vBYqug
+bDx68eBArePbMhiDlOw8f2IRbQ==
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/intermediate_ca_only_ocsp.pem b/jstests/libs/ocsp/intermediate_ca_only_ocsp.pem
new file mode 100644
index 00000000000..daa003806ce
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_only_ocsp.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIDJSA5MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4G
+A1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwg
+VGVzdCBDQTAeFw0yMTAzMDkxODAxNDVaFw00MTAzMTExODAxNDVaMH4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0
+eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMSEwHwYDVQQDDBhJ
+bnRlcm1lZGlhdGUgQ0EgZm9yIE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDejgY18iv98kFHs+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN
+9tUbSzr2rsKjjXhKMlFFxxb3dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNep
+Tm570UyXWMGCxhw8vtO/fkT/UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu
+8+ex950c54fUrwHHuE8ZmqGYSZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv
+9vUtnqz7Ij64risEqDTK9mdieEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R0
+5hUrWFR45EOgTWOkS4Pwi1he433fRDnvAgMBAAGjMjAwMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFG4AQc6znEV5v5AOokM27F+YNpEPMA0GCSqGSIb3DQEBCwUA
+A4IBAQA6fK8F68vqZ8WjX+G3lubpui/k1ke9ueozYnjxmwdwbWgJ9kH02h9f4uND
+4i8ZElpzaraRXHqrWf1PQvwAXwscDkQic2QaEgumei2j63UkwWd9DRWmrlVXKSzW
+LCwUtHU9NHZRKjMR3FjSWih5w1l3TWf24422awVkW3pVKiC3xchMCsUrK+mqzivj
+hZZ3sgdmCLO2/WYpiBPPsAupniRj5zZk3Kqrw4GmPb8IfFA7HYUEYuhmID9BcnSM
+J8Rfx7ZUvQREih92lALmQbN81x27WvxULhgOVoMMU1UlPqDZzL+eLoo+EuC5k38q
+cLpYeqs+gWeNrh1kzk0GeHmzvE+g
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDejgY18iv98kFH
+s+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN9tUbSzr2rsKjjXhKMlFFxxb3
+dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNepTm570UyXWMGCxhw8vtO/fkT/
+UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu8+ex950c54fUrwHHuE8ZmqGY
+SZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv9vUtnqz7Ij64risEqDTK9mdi
+eEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R05hUrWFR45EOgTWOkS4Pwi1he
+433fRDnvAgMBAAECggEAeWwrX0tdTRPbIe+7Rv/gZZ/9oclrEkQYN34g09nHDxNz
+47ryg21x5Q6Cfn2xEd2PPAR3WKPTS6qvkRvRjg217UxDUUYXkYnNbh3djI1H4c46
+z+cIEFQNlcXA6bTrgLdf/KVxyoKirJuLsXIGwB8ysk3tIK/32QNUJ0oYpoxEysH8
+5QUukx5U/hkJt+RIuiFMqy5H/Ty7W9/5ShSI6wQswx0PSmOeHAIhx0Es99x6XN2n
+cKJ9ACxTfG9HzTy+PvNBoa+zWWFQVAKH7qT5nqGC2j8NRiBNydeIBTD2xYjayz51
+G2gWrCBsfqGWPLxFjvim+jO7fkhPQfIuG2U9OvlyYQKBgQDyy+i1JjjC/6ygyEeW
+jCH8CdcenCw21i+VRx6AssOJdLKCD7FUih6CBHDx/OY9RamXLow5jjK/Wz450EkW
+cJX52haJ0SasDpxWsteVczZ4lcPD8mwpm1zL/+v0SK36hXnPDQNi8kCupITPvrY9
+oJPXuy4AqsNtn33r3kVKihWRwwKBgQDqqFHpKDXSyGxALRaiFY3aSYTmGD1c9n/y
+J8XGz3VNJCrzMdMCS2HazoeEh20WkZA6OsAZTdAmRC88jKQtCfqNSiYvWu/AbaHy
+x2t6J6S28qYpme7GTBm6TZAcx4f9obxU4icI3klc5lwGLH5U96hT7sh03AG0PfgH
+zEkjuSPoZQKBgQDGot5avc94cVZZICG5YCI5og9V4q0lm+vH9CxXXGkvHsMgNxh8
+MpetBVcmEyKGhGSv5Awi1lxcQ5jQEcCJ1EhO5gbEb9F0uGtdXumTQnQRCW3k9INb
+MtkjqNfwvjlgGS1DoMDhhZI3jy99Cujr2GC8AU4si4hhOjf57ZnA1uG4owKBgQCj
+P1AkzZWMO2SbzQJW5nnWJ5luXeSqvM5MEAFWi1NGxGeg4sOyb/D2wQGkYHay4bed
+2utzbx/kz0CxdgJtVujYzIH+JdxvWZX2CWgrBlNf9zVD8dQcXirz4ivk6acg+xjD
+UMXpNIODPrs8jE2jHNwc8BzCt5/z3byk6Cjl0lI5xQKBgQDvpObhRYwho2J0H9pk
+L3c0GohnYcVZjdXMtPYE+ZzrJi3vHqmrAplGVTO8qZT/Vy8c09KocgwSjBGXMGJa
+6PVQULt2ox/c4XinKuB942Fl2YgA/nynh32BHFmAHUYaAMOE/2qbnVe506vBYqug
+bDx68eBArePbMhiDlOw8f2IRbQ==
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem b/jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem
new file mode 100644
index 00000000000..6a5bb185080
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem
@@ -0,0 +1,44 @@
+
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIDJSA5MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4G
+A1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwg
+VGVzdCBDQTAeFw0yMTAzMDkxODAxNDVaFw00MTAzMTExODAxNDVaMH4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0
+eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMSEwHwYDVQQDDBhJ
+bnRlcm1lZGlhdGUgQ0EgZm9yIE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDejgY18iv98kFHs+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN
+9tUbSzr2rsKjjXhKMlFFxxb3dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNep
+Tm570UyXWMGCxhw8vtO/fkT/UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu
+8+ex950c54fUrwHHuE8ZmqGYSZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv
+9vUtnqz7Ij64risEqDTK9mdieEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R0
+5hUrWFR45EOgTWOkS4Pwi1he433fRDnvAgMBAAGjMjAwMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFG4AQc6znEV5v5AOokM27F+YNpEPMA0GCSqGSIb3DQEBCwUA
+A4IBAQA6fK8F68vqZ8WjX+G3lubpui/k1ke9ueozYnjxmwdwbWgJ9kH02h9f4uND
+4i8ZElpzaraRXHqrWf1PQvwAXwscDkQic2QaEgumei2j63UkwWd9DRWmrlVXKSzW
+LCwUtHU9NHZRKjMR3FjSWih5w1l3TWf24422awVkW3pVKiC3xchMCsUrK+mqzivj
+hZZ3sgdmCLO2/WYpiBPPsAupniRj5zZk3Kqrw4GmPb8IfFA7HYUEYuhmID9BcnSM
+J8Rfx7ZUvQREih92lALmQbN81x27WvxULhgOVoMMU1UlPqDZzL+eLoo+EuC5k38q
+cLpYeqs+gWeNrh1kzk0GeHmzvE+g
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIEBdhiWzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjB0MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO
+S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg
+H42hLFFnWFETIDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBN
+BjaQHMzivBiQEjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy
+7EkEH/kYzX7NjUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmk
+vsdesE1gvcfFtm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1Oz
+ZE3jJAaB9gGA83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfA
+UY5sJ6WOWdQz8k+WjXlXAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAAsY/vktUSwXC1MCC8cYtcrlI0EgGcvkcRxEjRv7t5YVZii6
+eqKSfaX5HDxKl8dH7Z95Z3sDqr7iwPFtzmzQHEwvSSKbiqeS9Be0yf6mJv10LC5d
+M9qoMvbp90ob3Jhib5IGzeijcQFfzbZa+MGnWiCGX04U/hUrayMdmna83exKbeNW
+S0LT1F82rG2QklFOFSZSInXsBiR4olRWqXrYpNjP4B5gueQ2+XUlMZdphvkOksCo
+/UBdqKotBFgyYXdMygl4hscxo+O4FRpX6RKVyobJXKax+mzbc9YUKTFtKu6KlZls
+jvqjtuXgmZvXOgduG5D8Sqoqp/q1nYzYpcgEss4=
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/intermediate_only_ca_ocsp.pem b/jstests/libs/ocsp/intermediate_only_ca_ocsp.pem
new file mode 100644
index 00000000000..6baeb772242
--- /dev/null
+++ b/jstests/libs/ocsp/intermediate_only_ca_ocsp.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIEYLGF9TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjEwMzA5MTY0MDMxWhcNNDEwMzExMTY0MDMxWjB+MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY
+SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEApP3UQTlZVYFjzvRREJbdqYBw1zF+NWayd+AFUqWzrW35TECxnmR0
+PEr+ILEucOfiPB/AwRoTCMF0IJk1y6l2ljxGs9vuGD/MdBtnxzJ3cVbzPTtVm5Q4
+kAmVJz7O+2cw70XGD3hruDMKGkAixRwLXp16ENl0jyJ6V44JBRfOQcZLG3geJgve
+cbp1KwkTASaRcYv+93tr9z5s92a/2UVXRuSK/Rf1+x+U4+GRVJh4/k8i9nP/ieYg
+92OGqhWr1ETdSv66SZ+sHd+4OftMbETqBdiTGj7GM+EszAEUTPYDabTvQlOBtdZH
+NYOLHGMxKxdEj5EyzE4y8WO7yk4W+TZItwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBRRg4ZhgrLm0lO4jGm+fmVnaczaPzANBgkqhkiG9w0BAQsF
+AAOCAQEAZK3kybfwQ05q6BQevqkun9CKC3Vwhv6BLez5wOXW3gQ8BQdypKbSMEB8
+4RPEcy1zBU+6LPa8S+WE88EN85/0n/oS7N7MAgEpSWT8vflBm76nEfG4jG+l8h+Q
+yIp0e5/ITq/MtRx9EiRk+vU6l3Mkvqq+2a3T7pKhvE4jOIOyFtg5jr+p2n46WEw4
+g3N/BzbZLpz147KO7tYrelhIAAcbmeVUKlQOjtcljeGbZimRgt8kzJWBVNAS6tEj
+J8FTRLMX6HSTbVMx8tjq+MxF9hn1Ztc/3GIIuTvlGeTkLTS8atR4318YfMcZLlwm
+pt3Zd7lPfbW/gmFewm7GB5TL9rDfbA==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCk/dRBOVlVgWPO
+9FEQlt2pgHDXMX41ZrJ34AVSpbOtbflMQLGeZHQ8Sv4gsS5w5+I8H8DBGhMIwXQg
+mTXLqXaWPEaz2+4YP8x0G2fHMndxVvM9O1WblDiQCZUnPs77ZzDvRcYPeGu4Mwoa
+QCLFHAtenXoQ2XSPInpXjgkFF85BxksbeB4mC95xunUrCRMBJpFxi/73e2v3Pmz3
+Zr/ZRVdG5Ir9F/X7H5Tj4ZFUmHj+TyL2c/+J5iD3Y4aqFavURN1K/rpJn6wd37g5
++0xsROoF2JMaPsYz4SzMARRM9gNptO9CU4G11kc1g4scYzErF0SPkTLMTjLxY7vK
+Thb5Nki3AgMBAAECggEAASkb7h2GKFjRp+oGC/TTuFaD9K+PcLa5OKilwPATdHva
+jhPCbBfOzYHFidtVNUwcRkn+5BzX127s7zHEtBsMD4B7CtbYNOl1+bcbosYTGwP+
+kAaz0nVXdIPsvarub8xJBtXZz9AMCe6p+odK91H8Ln0zF50/+aXHcIg6PgPt2n6U
+smChi15o1F6kdr+hwrqUpjW7NDN3Fs5lCH4dNw8I5PvpqPwl3IkwYG8e76A/9dJa
+Fe1mzrUcmXi57JwSePE+Q7/ncIfXYB964AkTMLabylaPsB5EKP587jfpEfXXfyXn
+Y+MLFCfP8dUXwu2nAr6vSWs3Ne4TGwWLLKGSP1UQuQKBgQDRBrQj75aN4hPulr9j
+MTLIXxNRBOEkKXv11mvZFEV1ljyyw3qCivIndJBLNLRDsY+cr6yOYVwvfF5sx6Si
+sF4N789yusRQr3iARJ67+fIJ04gOaIMW8iYzB9kr9eaLdpWSbbBkVG44aF28CiDb
+dgeEFFjXYY5u4T+V+YJPLuDrLQKBgQDKEc6SXndtATpU8Gq5DWcUthPwEVQmVYsF
+6EGWtU/fdVgTs1XmkFuRLy4VZcICK8+uGqN+bOMtr5gKJjEhAr2aDMqpm3keXdLz
+Xlf/El2zzQ1Pj+Jm69odeCqGHwXGQTMOF5bqvIngWi1A5ijS/N3BiNLwtzlcKm+P
+yJuJF+dh8wKBgQC7Nd7XpLlaIFcrxLZrl9/c2FKLqOwgoEsW9tGnHmHLnCCHF089
+ZkbWEa8+vFiLnJd8hVbuOsL/AMvtb63DzGSg5N0O67nybgZmE4972rPuGxfrl615
+Oq393JSkq9utoyr5d+aZJYmGWetCBGxDQuYeZL7hQM35/yIdJ9iPJPRrjQKBgCac
+rndjm7h1kprmcc44lGjtvfOSrBzDHdScI+RTcxbFCnaBPznWfdjJRioKjr7xdjbT
+mkgvMF3rfsb5s0uWhXppVVSBg+xci1G7xl7UOJmB5jg8y0tVaBFXg/Cq/uR6UvIv
+acQjEMmREbKkCEsAzLMNnRkoOcq1xSmZcLcKnUknAoGBAJjGDcvr/RsrP/fehxxs
+jqtxALg26wAUbfvgjrJxZ3sSmXvP++t8KcXHoAi9vbUXwHjdcq1GCiynmuJG/D4z
+u7oBsQnducfSTULsmdMIjnBTy6cdcilfgfX+3h/eUEDzF2R0vx3ugmJMUW4+iMm8
+CVLNHOr0uNpdrz5tOf6SpRhd
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/ocsp_server_intermediate_appended.pem b/jstests/libs/ocsp/ocsp_server_intermediate_appended.pem
new file mode 100644
index 00000000000..e3065485238
--- /dev/null
+++ b/jstests/libs/ocsp/ocsp_server_intermediate_appended.pem
@@ -0,0 +1,48 @@
+
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIEc3NuKDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwYSW50ZXJt
+ZWRpYXRlIENBIGZvciBPQ1NQMB4XDTIwMDQyMTE5MTQ1MloXDTQwMDQyMzE5MTQ1
+MlowgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwN
+TmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVs
+MSUwIwYDVQQDDBxTZXJ2ZXIgT0NTUCBWaWEgSW50ZXJtZWRpYXRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8o7m7QpIMUZ2r6HOmhuqNF25x0odb9Bg
+rSLm7Hvb3WBu6jwWPrrnPerR/nODVEY4Qo7mOclgCsooJx3HaPYPgRYffRQMJ+I5
+lpvsRsBjW7CnS0amz9QcbGnIhMeFU45gCn51CTLPoBJ7hB9F4Z02bOJEMkkXkhtm
+kkiVysUs6po+t2+w8tojOScZdeDUtwfStKJ7Xb9B79Ko3BCcITXJUxDBcqUEJF+E
+v3YQuQg/QKNTO+L39aFFo8WNfuP09txdjT/+T8PZq826ccohRdSrJ5lq1hXmmKXp
+3p6Ut35aE4tjj6KSjDonMkYcvdNHQ0aL2p8x4JjwgwAuNwawTUbYIwIDAQABo4Gv
+MIGsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAdBgNVHQ4EFgQUyC6Gv0rfoato44VsaVig1SmminYwOAYIKwYB
+BQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vbG9jYWxob3N0OjgxMDAvc3Rh
+dHVzMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAogdunlFL04lqVbZyqPvN/5TtrEtM87invrzTYZ8UmT5Q4Kr8mHRsumBuVwDu
+bE+umrPtQVvu0XYqsjmjmOk7hTIK6PFuF6rLQCUBHVXBZggTNKFFBWphQ8odUbPG
+FmOqSlkZAkcNo3dLpxRbfDru2ARxeE2+sRCPWwUZc7utqpLoZ0deuKdDSlA/VcGJ
+5wf0sjmcjvJRRUSYeJcUox4ySL+4WtFu33LhYZKgnrMNegaJ6UyIlwB4ihMyi9sV
+yDlsY+vGqivqqMUw8V6tdUekCYPUlHWXeICqsRIBII+xMzqTv1rXPzNyAvyVYrBi
+hG10rdLfnQWn2vpYKU5b3Vo1yg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIEYLGF9TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjEwMzA5MTY0MDMxWhcNNDEwMzExMTY0MDMxWjB+MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY
+SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEApP3UQTlZVYFjzvRREJbdqYBw1zF+NWayd+AFUqWzrW35TECxnmR0
+PEr+ILEucOfiPB/AwRoTCMF0IJk1y6l2ljxGs9vuGD/MdBtnxzJ3cVbzPTtVm5Q4
+kAmVJz7O+2cw70XGD3hruDMKGkAixRwLXp16ENl0jyJ6V44JBRfOQcZLG3geJgve
+cbp1KwkTASaRcYv+93tr9z5s92a/2UVXRuSK/Rf1+x+U4+GRVJh4/k8i9nP/ieYg
+92OGqhWr1ETdSv66SZ+sHd+4OftMbETqBdiTGj7GM+EszAEUTPYDabTvQlOBtdZH
+NYOLHGMxKxdEj5EyzE4y8WO7yk4W+TZItwIDAQABozIwMDAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBRRg4ZhgrLm0lO4jGm+fmVnaczaPzANBgkqhkiG9w0BAQsF
+AAOCAQEAZK3kybfwQ05q6BQevqkun9CKC3Vwhv6BLez5wOXW3gQ8BQdypKbSMEB8
+4RPEcy1zBU+6LPa8S+WE88EN85/0n/oS7N7MAgEpSWT8vflBm76nEfG4jG+l8h+Q
+yIp0e5/ITq/MtRx9EiRk+vU6l3Mkvqq+2a3T7pKhvE4jOIOyFtg5jr+p2n46WEw4
+g3N/BzbZLpz147KO7tYrelhIAAcbmeVUKlQOjtcljeGbZimRgt8kzJWBVNAS6tEj
+J8FTRLMX6HSTbVMx8tjq+MxF9hn1Ztc/3GIIuTvlGeTkLTS8atR4318YfMcZLlwm
+pt3Zd7lPfbW/gmFewm7GB5TL9rDfbA==
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem b/jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem
new file mode 100644
index 00000000000..40e51eabb81
--- /dev/null
+++ b/jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem
@@ -0,0 +1,75 @@
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIEePoaqDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwYSW50ZXJt
+ZWRpYXRlIENBIGZvciBPQ1NQMB4XDTIxMDMwOTE5NTcyM1oXDTQxMDMxMTE5NTcy
+M1owgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwN
+TmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVs
+MSUwIwYDVQQDDBxTZXJ2ZXIgT0NTUCBWaWEgSW50ZXJtZWRpYXRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArHG+UhzjMVQ7ldegRTCPzNi+1L2U4BnC
+oYVd9ygLDYO9m6Kj+znX6qOLcMuPtHv6AUcUgpf+h311kxeERx/kzxHMm1DPqG74
+nimcqnTI2wPZJOshVC3MMR3EKosUzqPtKAEiDsjrnyjZzlfrL08ditesI0jNxm2j
+8p8I26pfkkiUDiGpa890Ee2y7Iwwfykxe4dTwu2pPD/ilPeOL2hUi4POJQp67vJ9
+l3Qf41ArfsQoMdw3P8SEBxHvQXLCMZCSrW238cjC4ANPNppPoeCJYhLVUGb4JVhW
+jcJjNN78nPmxkdbmKtkzNdk+P2AgBFEKkw9PWd/qTMik5rzatYY8ZwIDAQABo4Gv
+MIGsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAdBgNVHQ4EFgQUYv47XOLpssfaLd513A2Vc5qMBFwwOAYIKwYB
+BQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vbG9jYWxob3N0OjgxMDAvc3Rh
+dHVzMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAuUVDwq9a0Y7JwJc8mLYHKYiPGOa37wqRvsvTy6IHeboIrwtEYyd1m8KEKv2t
+rXypehm0orCO+Bkc/7hdVH/xm9u5iZ417CdIUI+siGBN8V6X47FyuIpRJCPNBLPb
+Ecgklfrn8ceYPT991wp6QigNozPAIP5Xaol7X3rL6Ne2rx1OD3/MS3xeeHduuKOL
+kd9/rrccvcu+MkICwhuSzIIZvOFClG5pXGyvG4ZMo8mggWyQVoSHMc3/e8K+KvcL
+3Zojni2vXLNgFv0n4P8gRFwzxztq+/PgS6H4YYA6BomrIqm0PwaZdbTEeUetiYG9
+Qc9+kwTSRF6cIYg4h7Xq/luNRw==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCscb5SHOMxVDuV
+16BFMI/M2L7UvZTgGcKhhV33KAsNg72boqP7Odfqo4twy4+0e/oBRxSCl/6HfXWT
+F4RHH+TPEcybUM+obvieKZyqdMjbA9kk6yFULcwxHcQqixTOo+0oASIOyOufKNnO
+V+svTx2K16wjSM3GbaPynwjbql+SSJQOIalrz3QR7bLsjDB/KTF7h1PC7ak8P+KU
+944vaFSLg84lCnru8n2XdB/jUCt+xCgx3Dc/xIQHEe9BcsIxkJKtbbfxyMLgA082
+mk+h4IliEtVQZvglWFaNwmM03vyc+bGR1uYq2TM12T4/YCAEUQqTD09Z3+pMyKTm
+vNq1hjxnAgMBAAECggEAAMVdaXaRmXXb8laNc+G8stjBOahDUyEqWpiDDAjUy9Gr
+9lcqzoO6sGTcybtPQCpRutG7iL3vOGHaNbckM0E0P6y/sm4RD5q3Z9WdyrFM+JWy
+0dRvSLYPtKSCbQJELIxVEhm3MkO5sfN3zdFcztBWvHksXtgDe4Cf/AS0AG9pj/jb
+Ncd1AvrPJbh1IyOHBUdli/Dc8rNjAU3VwQgND4OJWzUSS0zyKOQjy/FE6LQo2jbf
+XRxUtSFnSSDRxg8UFhCsdySlnpcM88Ve18vx7YAUX5lQMxxHiNijkMeByASd9yCl
++XuDEt0IT5FnNOfEHXmbuwAnyDZNyYpqubpfYramyQKBgQDlc0bxj8zz+ZluTChM
+n/dtp5JHZCWYSwPZbQY1Nj3btkjqNZk4F4LQ0qpA4goRJ2VoscfKcJOYR+/VsjTX
+UmDGuaHcVHNJS9j7vzOxfIJ+fUhWdpfZdL47O2mKNQT5lfeaeglrn+EyGrozuyRB
++OR84/Ty/MdJAZAm9tI/Toey2wKBgQDAZdknUF8A8Vthz90yrQca57HecbX5nz6b
+LxpU/COYgroD8Bs7/n3tWiMez2lwg0vlFcC07Mz0BPBiL0MIc+3N3BuS44UORF/1
+1RL7PrLnWiSqKqV90McuLZZkVgB4VDuqoyw6buq/DWRDCe/V+HGdwK1V7S9Y6S+F
+rI3kuDfEZQKBgHCXW6WnmbvSrB56kn/fM0wEoXwUwXn0vYPQwu4TmtEYprj+6huj
+NdcAuPizspruSQ3RxycojNR54E9tbg6G5uQ9LRbv/c5mwKfwEA60+VfWZEvBUAwu
+BDcOlWBzWeibVW/hGIROZPPwN5Sw7T7OQliih41Ayw2hDbqA/XSBNYdnAoGBAKIY
+bOcJeLFDp3j19ufODXFmiV3fMbDYsJdwDOBS+e5xHSVaMqfOFuxVB8faeXwYsmWU
+eSI1a8ufKaOfK/vAKDdLXVPZKm3Fv49PcEmLHpF6Se+wNHOW5WkLcWyhZI38cbSm
++wlUD6TdNH6irZT5V0fQYHlHdp+S/r3Bjl6HsjxdAoGBAIZZ/lOi4FReDDDoYddu
+j52Fs9eVon4ie7SpVhvR2HIc7jFJ8nHEuSwMJzXnAGFL/s90Xn2sgejE4upqRoAa
+VhYBi3W9dq3eiZxz/2tWDMipg1z75eyKGWZUZG0I2513GOIM9PXXjT4A/w2FeVgF
+taWKxpF9r6U/mvqKi2scJeuj
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIDJSA5MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4G
+A1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwg
+VGVzdCBDQTAeFw0yMTAzMDkxODAxNDVaFw00MTAzMTExODAxNDVaMH4xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0
+eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMSEwHwYDVQQDDBhJ
+bnRlcm1lZGlhdGUgQ0EgZm9yIE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDejgY18iv98kFHs+qDEpUEYmzlgKaH6Z9XiURRLihURcjkwaQsVQmN
+9tUbSzr2rsKjjXhKMlFFxxb3dhiHKy/RvFwy0Jv2gHcUGWZmboTvAPpm8K2aMNep
+Tm570UyXWMGCxhw8vtO/fkT/UzJGqk4UVnv+uBepl3Lx+7Qrc4XvgLPkcx6NTNIu
+8+ex950c54fUrwHHuE8ZmqGYSZhozH8+lK0RiiC0VvbLfQhLZwSi2JeilsutBmNv
+9vUtnqz7Ij64risEqDTK9mdieEX1QwooZwDb7KZC26kh4AsnLR9U13a929K+O5R0
+5hUrWFR45EOgTWOkS4Pwi1he433fRDnvAgMBAAGjMjAwMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFG4AQc6znEV5v5AOokM27F+YNpEPMA0GCSqGSIb3DQEBCwUA
+A4IBAQA6fK8F68vqZ8WjX+G3lubpui/k1ke9ueozYnjxmwdwbWgJ9kH02h9f4uND
+4i8ZElpzaraRXHqrWf1PQvwAXwscDkQic2QaEgumei2j63UkwWd9DRWmrlVXKSzW
+LCwUtHU9NHZRKjMR3FjSWih5w1l3TWf24422awVkW3pVKiC3xchMCsUrK+mqzivj
+hZZ3sgdmCLO2/WYpiBPPsAupniRj5zZk3Kqrw4GmPb8IfFA7HYUEYuhmID9BcnSM
+J8Rfx7ZUvQREih92lALmQbN81x27WvxULhgOVoMMU1UlPqDZzL+eLoo+EuC5k38q
+cLpYeqs+gWeNrh1kzk0GeHmzvE+g
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem b/jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem
new file mode 100644
index 00000000000..2ddad25ca14
--- /dev/null
+++ b/jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIEd1zJgjANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwYSW50ZXJt
+ZWRpYXRlIENBIGZvciBPQ1NQMB4XDTIxMDMwOTE4MDE0NVoXDTQxMDMxMTE4MDE0
+NVowgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwN
+TmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVs
+MSUwIwYDVQQDDBxTZXJ2ZXIgT0NTUCBWaWEgSW50ZXJtZWRpYXRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtTLSb8bXzIg1CAgzzjG2/m5GIson1h4
+/A1ajETjZ9dpAOx2rZQ/9KCVXSJDGTqJs4cB0Nsif4NUmnmy5vfI4pPFtIkDZrPJ
+ZBP9GGSE6DFbGnA+/8/aZJQbHmzKVC8XaiObI/ta1o590YL0kEsOSfJGNluGJP3i
+O1ZFCiZWGTikQcHpd/w1ESV5q6gqOyKc3eK36k2q+I9EHXw1upDI/x+p0oawsvz6
+oJSqiQQtl88OiDxP5hwgF0EDOFSWb1nrCX3VpZd4HLAU64NCkml+dPcwcbYdnS+h
+ieeyRD3zXTFKYXNIDRhw4Aes9nC9e3fSw2fVx61DSQzTP7BUs3K+YQIDAQABo4Gv
+MIGsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAdBgNVHQ4EFgQUg+27wcaFAnJpnN0/eotQun72AycwOAYIKwYB
+BQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vbG9jYWxob3N0OjgxMDAvc3Rh
+dHVzMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAQpSUJQXV+p+9FuOPEyF6xL/GRpoeqImRCwPr6lKInq1JxL7egxtguBch7hzg
+kkk4JADfXfl2bnyZEExN9oAYNeaZoPxW9dM755xuDfPXT1xgknNg06MTPytkCzAL
+U5PXfcIMnIOktNtA/CntaP3NNh8P+B5KwLhTcPbGAsGW9noMVKrgRgDaDm0F+lpE
+jvwOqM1UhxB5YeVzfTmGynqCMBDI6QE0z4xysIhIg8NUm75cPIjPpSfWDzc9wBu8
+NnL48Bh9uMkFe9UZUTE82bvCa9Xco8/isPy1909kDdWpQzckkCEqSffkzVlbvAqk
+M+4fGvEtyzoRpDDbCuWrvZ1Xgg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDG1MtJvxtfMiDU
+ICDPOMbb+bkYiyifWHj8DVqMRONn12kA7HatlD/0oJVdIkMZOomzhwHQ2yJ/g1Sa
+ebLm98jik8W0iQNms8lkE/0YZIToMVsacD7/z9pklBsebMpULxdqI5sj+1rWjn3R
+gvSQSw5J8kY2W4Yk/eI7VkUKJlYZOKRBwel3/DURJXmrqCo7Ipzd4rfqTar4j0Qd
+fDW6kMj/H6nShrCy/PqglKqJBC2Xzw6IPE/mHCAXQQM4VJZvWesJfdWll3gcsBTr
+g0KSaX509zBxth2dL6GJ57JEPfNdMUphc0gNGHDgB6z2cL17d9LDZ9XHrUNJDNM/
+sFSzcr5hAgMBAAECggEBAJLo0ZeYu7m3ySfS4UsbMVuBhTDMSWSLM0FRAJFZqQil
+0bDcBsg0HJk8OYBJ+3fdl7btTvspnrDGsbE9sGEVvfkjpFXDUp8Ewg3O8xed1dHV
+/fFn9DSBOGVORUdSrKBM9yj2S//nDXQwbmhqMReYTWN3vkcVkuUsLYcYNATO1Jjm
+wnIMLo5Ks6YTXP1XFL68T4aYHB1Pw4TpEPt5EaHCp8NUb8jgVMIi82LZGMQFTsGw
+wiJ+47lkC1eG/rW9jC6LxRnVjQzZEMXMSxt0u1DewkrY0gjhCZ45zxAQs6y/pwkg
+1VugHsN1mZgtmDP+fwwRJoIOkcW6imvWirNd6QEqVNECgYEA6IGqlRojAIpggZ/b
+MzCjYnB3ovoLhPBZbRrZf9qKBRlHjohel64EGXGBRvO/oLoLGgV86dgxdjpam8g1
+x0a1a57mE8nepV/KsLuaBeXC0Xtmjj5mkLqcqpJePLvpvDpkhqi+Ma8vye1YRDJ3
++D2h/OBEvDcVQUOR7TkOmhShpQUCgYEA2uwJWSSv036mHtTKrOaSwY6dnTEIP8D5
+P8OngqBV45+oAzJCi0C+4vYXuIu0I4RwGl4lu6Uv/sv0R88MOgpVe+GzHz8bWq/t
+ZV9pz9Pnnf/l3KA2RZN4uEROl7Qjc5tcBavU5Ulz1KcvJ/Z46meFLYpV07sLcBg+
+MCF0Fijycq0CgYAl0noSWTcabmg2je+VizL433zGuVBIZuTVN8nr33wWSj92sz5Y
+BEnMbcdu6FXi6oDF0eC5FZ8uMV3t+4qsCReYEzgwPeWHF2ccitgKX47qjt1nBEWh
+A4pawQatcJAcO4+AzFBsOqhWe9Kg/WjArB3+yejEiV1eyYQih+aVMAf/lQKBgFU0
+VrMWP0R+X2NSiItgti+VNSzv33kIvzmdCb4ibytHgVm1HwcZrPGivDq8TOEh84uf
+punwccymTq4AHI8eZITxpAh+REQ4gpnY19Lmc5gf97O1u0m7CtoU483Rc5bUGa2v
+Yg3XV7ilVQoluIvqvH+r/pmIi/wVw2ZyLr9NMoeFAoGAT1fUe5aUUsp7tDubEdLo
+CnI9VrMBMM5pgzXLt1nnLUNAvNF260XOTkDb/1H1Q5op7LM13EK0sTnh37hXPEhq
+dZmln20VKN5jzhAbJC6JTT8of3cOXIS3McAkf291rC4EMEuDSAev95GSdhHzGF5s
+e+wYduYG/HT4/5UyP3Cs8yA=
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp_server_intermediate_appended.pem b/jstests/libs/ocsp_server_intermediate_appended.pem
new file mode 100644
index 00000000000..317bb9ecb14
--- /dev/null
+++ b/jstests/libs/ocsp_server_intermediate_appended.pem
@@ -0,0 +1,26 @@
+
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgIEc3NuKDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwYSW50ZXJt
+ZWRpYXRlIENBIGZvciBPQ1NQMB4XDTIwMDQyMTE5MTQ1MloXDTQwMDQyMzE5MTQ1
+MlowgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwN
+TmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVs
+MSUwIwYDVQQDDBxTZXJ2ZXIgT0NTUCBWaWEgSW50ZXJtZWRpYXRlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8o7m7QpIMUZ2r6HOmhuqNF25x0odb9Bg
+rSLm7Hvb3WBu6jwWPrrnPerR/nODVEY4Qo7mOclgCsooJx3HaPYPgRYffRQMJ+I5
+lpvsRsBjW7CnS0amz9QcbGnIhMeFU45gCn51CTLPoBJ7hB9F4Z02bOJEMkkXkhtm
+kkiVysUs6po+t2+w8tojOScZdeDUtwfStKJ7Xb9B79Ko3BCcITXJUxDBcqUEJF+E
+v3YQuQg/QKNTO+L39aFFo8WNfuP09txdjT/+T8PZq826ccohRdSrJ5lq1hXmmKXp
+3p6Ut35aE4tjj6KSjDonMkYcvdNHQ0aL2p8x4JjwgwAuNwawTUbYIwIDAQABo4Gv
+MIGsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAdBgNVHQ4EFgQUyC6Gv0rfoato44VsaVig1SmminYwOAYIKwYB
+BQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vbG9jYWxob3N0OjgxMDAvc3Rh
+dHVzMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAogdunlFL04lqVbZyqPvN/5TtrEtM87invrzTYZ8UmT5Q4Kr8mHRsumBuVwDu
+bE+umrPtQVvu0XYqsjmjmOk7hTIK6PFuF6rLQCUBHVXBZggTNKFFBWphQ8odUbPG
+FmOqSlkZAkcNo3dLpxRbfDru2ARxeE2+sRCPWwUZc7utqpLoZ0deuKdDSlA/VcGJ
+5wf0sjmcjvJRRUSYeJcUox4ySL+4WtFu33LhYZKgnrMNegaJ6UyIlwB4ihMyi9sV
+yDlsY+vGqivqqMUw8V6tdUekCYPUlHWXeICqsRIBII+xMzqTv1rXPzNyAvyVYrBi
+hG10rdLfnQWn2vpYKU5b3Vo1yg==
+-----END CERTIFICATE-----
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 2827ece5e4c..1896b2943c0 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -28,8 +28,9 @@ class ResponderCertSet {
const OCSP_DELEGATE_RESPONDER =
new ResponderCertSet(OCSP_CA_PEM, OCSP_RESPONDER_CERT, OCSP_RESPONDER_KEY);
const OCSP_CA_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_CA_CERT, OCSP_CA_KEY);
-const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(
- OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_KEY);
+const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_CA_ONLY_CERT,
+ OCSP_INTERMEDIATE_CA_ONLY_KEY);
class MockOCSPServer {
/**
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index 6725a0ae62b..150fa7b4442 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -13,10 +13,13 @@ const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pe
const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt";
const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key";
-const OCSP_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/intermediate_ca_ocsp.pem";
-const OCSP_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/intermediate_ca_ocsp.crt";
-const OCSP_INTERMEDIATE_CA_KEY = "jstests/libs/ocsp/intermediate_ca_ocsp.key";
-const OCSP_SERVER_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/server_intermediate_ca_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = "jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_ONLY_CERT = "jstests/libs/ocsp/intermediate_ca_only_ocsp.crt";
+const OCSP_INTERMEDIATE_CA_ONLY_KEY = "jstests/libs/ocsp/intermediate_ca_only_ocsp.key";
+const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM =
+ "jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem";
+const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM =
+ "jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem";
var clearOCSPCache = function() {
let provider = determineSSLProvider();
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
index f3a7ca3d9fe..8a250ba914d 100644
--- a/jstests/ocsp/ocsp_basic_ca_responder.js
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -53,10 +53,12 @@ function test(serverCert, caCert, responderCertPair) {
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-// TODO: SERVER-47963 - remove this platform check.
if (determineSSLProvider() === "windows") {
return;
}
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}()); \ No newline at end of file
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 69ac0866a02..e2735f758d9 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -1,4 +1,4 @@
-// Check that OCSP verification works
+// Check that OCSP stapling works
// @tags: [requires_http_client, requires_ocsp_stapling]
load("jstests/ocsp/lib/mock_ocsp.js");
@@ -85,5 +85,8 @@ function test(serverCert, caCert, responderCertPair) {
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER);
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}());
diff --git a/jstests/ocsp/ocsp_unable_to_staple_log.js b/jstests/ocsp/ocsp_unable_to_staple_log.js
new file mode 100644
index 00000000000..f09d892ae80
--- /dev/null
+++ b/jstests/ocsp/ocsp_unable_to_staple_log.js
@@ -0,0 +1,35 @@
+// Check that log messages for OCSP stapling work
+// @tags: [requires_http_client, requires_ocsp_stapling]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (!supportsStapling()) {
+ return;
+}
+
+const logPath = MongoRunner.dataPath + "mongod.log";
+
+const ocsp_options = {
+ logpath: logPath,
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ waitForConnect: false,
+};
+
+// Because waitForConnect is off, we need to wait for the process to create the
+// mongod logfile, hence the sleep.
+const conn = MongoRunner.runMongod(ocsp_options);
+sleep(5000);
+
+const failedToStapleID = 5512202;
+assert.soon(() => {
+ return cat(logPath).trim().split("\n").some((line) => JSON.parse(line).id === failedToStapleID);
+});
+
+MongoRunner.stopMongod(conn);
+})(); \ No newline at end of file
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index ba303ffb5c6..b567c228939 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -428,27 +428,49 @@ certs:
extendedKeyUsage: [clientAuth]
# Intermediate OCSP tree
-- name: 'intermediate_ca_ocsp.pem'
+- name: 'intermediate_ca_only_ocsp.pem'
description: CA issued by the primary OCSP CA, which then issues its own server OCSP cert.
Subject: {CN: 'Intermediate CA for OCSP'}
Issuer: 'ca_ocsp.pem'
include_header: false
- append_cert: 'ca_ocsp.pem'
output_path: 'jstests/libs/ocsp/'
- keyfile: 'intermediate_ca_ocsp.key'
- crtfile: 'intermediate_ca_ocsp.crt'
+ keyfile: 'intermediate_ca_only_ocsp.key'
+ crtfile: 'intermediate_ca_only_ocsp.crt'
extensions:
subjectKeyIdentifier: hash
basicConstraints:
critical: true
CA: true
-- name: 'server_intermediate_ca_ocsp.pem'
+- name: 'intermediate_ca_with_root_ocsp.pem'
+ description: OCSP CA and OCSP Intermediate appended together
+ output_path: 'jstests/libs/ocsp/'
+ include_header: false
+ append_cert: ['intermediate_ca_only_ocsp.pem', 'ca_ocsp.pem']
+
+- name: 'server_signed_by_intermediate_ca_ocsp.pem'
+ description: Server OCSP certificate signed by intermediate CA.
+ Subject: {CN: 'Server OCSP Via Intermediate'}
+ Issuer: 'intermediate_ca_only_ocsp.pem'
+ include_header: false
+ output_path: 'jstests/libs/ocsp/'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
+ authorityInfoAccess: 'OCSP;URI:http://localhost:8100/status'
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth, clientAuth]
+
+- name: 'server_and_intermediate_ca_appended_ocsp.pem'
description: Server OCSP certificate signed by intermediate CA.
Subject: {CN: 'Server OCSP Via Intermediate'}
- Issuer: 'intermediate_ca_ocsp.pem'
+ Issuer: 'intermediate_ca_only_ocsp.pem'
include_header: false
output_path: 'jstests/libs/ocsp/'
+ append_cert: 'intermediate_ca_only_ocsp.pem'
extensions:
basicConstraints: {CA: false}
subjectAltName:
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index 10dcda73afd..150be632ac5 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -777,7 +777,7 @@ def main():
global CONFIG
items_to_process = parse_command_line()
- CONFIG = yaml.load(open(CONFIGFILE, 'r'))
+ CONFIG = yaml.load(open(CONFIGFILE, 'r'), Loader=yaml.FullLoader)
validate_config()
items = select_items(items_to_process)
items = sort_items(items)
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 5f4a50bba83..9e09884315b 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1872,6 +1872,11 @@ Status OCSPFetcher::start(SSL_CTX* context, bool asyncOCSPStaple) {
fetchAndStaple(promisePtr)
.getAsync([this, sm = _manager->shared_from_this()](
StatusWith<Milliseconds> swDurationInitial) mutable {
+ if (!swDurationInitial.isOK()) {
+ LOGV2_WARNING(5512202,
+ "Server was unable to staple OCSP Response",
+ "reason"_attr = swDurationInitial.getStatus());
+ }
startPeriodicJob(swDurationInitial);
});
@@ -1922,6 +1927,12 @@ void OCSPFetcher::startPeriodicJob(StatusWith<Milliseconds> swDurationInitial) {
void OCSPFetcher::doPeriodicJob() {
fetchAndStaple(nullptr).getAsync(
[this, sm = _manager->shared_from_this()](StatusWith<Milliseconds> swDuration) {
+ if (!swDuration.isOK()) {
+ LOGV2_WARNING(5512201,
+ "Server was unable to staple OCSP Response",
+ "reason"_attr = swDuration.getStatus());
+ }
+
stdx::lock_guard<Latch> lock(this->_staplingMutex);
if (_shutdown) {
@@ -1931,6 +1942,15 @@ void OCSPFetcher::doPeriodicJob() {
this->_ocspStaplingAnchor.setPeriod(getPeriodForStapleJob(swDuration));
});
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+void sslContextGetOtherCerts(SSL_CTX* ctx, STACK_OF(X509) * *sk) {
+ SSL_CTX_get_extra_chain_certs(ctx, sk);
+}
+#else
+void sslContextGetOtherCerts(SSL_CTX* ctx, STACK_OF(X509) * *sk) {
+ SSL_CTX_get0_chain_certs(ctx, sk);
+}
+#endif
Future<Milliseconds> OCSPFetcher::fetchAndStaple(Promise<void>* promise) {
// Generate a new verified X509StoreContext to get our own certificate chain
@@ -1944,6 +1964,10 @@ Future<Milliseconds> OCSPFetcher::fetchAndStaple(Promise<void>* promise) {
}
X509_STORE_CTX_set_cert(storeCtx.get(), _cert);
+ STACK_OF(X509) * sk;
+
+ sslContextGetOtherCerts(_context, &sk);
+ X509_STORE_CTX_set_chain(storeCtx.get(), sk);
if (X509_verify_cert(storeCtx.get()) <= 0) {
return getSSLFailure("Could not verify X509 certificate store for OCSP Stapling.");
View Lorry Controller Status