summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--jstests/libs/ocsp/ca_ocsp.crt21
-rw-r--r--jstests/libs/ocsp/ca_ocsp.key28
-rw-r--r--jstests/libs/ocsp/ca_ocsp.pem82
-rw-r--r--jstests/libs/ocsp/client_ocsp.pem84
-rw-r--r--jstests/libs/ocsp/ocsp_responder.crt28
-rw-r--r--jstests/libs/ocsp/ocsp_responder.key52
-rw-r--r--jstests/libs/ocsp/ocsp_responder.pem49
-rw-r--r--jstests/libs/ocsp/server_ocsp.pem82
-rw-r--r--jstests/libs/ocsp/server_ocsp_mustStaple.pem82
-rw-r--r--jstests/libs/ocsp/server_ocsp_revoked.pem82
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js15
-rw-r--r--jstests/ocsp/lib/ocsp_helpers.js6
-rw-r--r--jstests/ocsp/ocsp_basic.js2
-rw-r--r--jstests/ocsp/ocsp_basic_ca_responder.js52
-rw-r--r--jstests/ocsp/ocsp_connection_type_testing.js2
-rw-r--r--jstests/ocsp/ocsp_must_staple.js2
-rw-r--r--jstests/ocsp/ocsp_server_refresh.js2
-rw-r--r--jstests/ocsp/ocsp_stapling.js129
-rw-r--r--jstests/ssl/x509/certs.yml5
-rwxr-xr-xjstests/ssl/x509/mkcert.py26
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp55
21 files changed, 540 insertions, 346 deletions
diff --git a/jstests/libs/ocsp/ca_ocsp.crt b/jstests/libs/ocsp/ca_ocsp.crt
new file mode 100644
index 00000000000..1e662e24511
--- /dev/null
+++ b/jstests/libs/ocsp/ca_ocsp.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIEBdhiWzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjB0MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO
+S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg
+H42hLFFnWFETIDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBN
+BjaQHMzivBiQEjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy
+7EkEH/kYzX7NjUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmk
+vsdesE1gvcfFtm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1Oz
+ZE3jJAaB9gGA83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfA
+UY5sJ6WOWdQz8k+WjXlXAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAAsY/vktUSwXC1MCC8cYtcrlI0EgGcvkcRxEjRv7t5YVZii6
+eqKSfaX5HDxKl8dH7Z95Z3sDqr7iwPFtzmzQHEwvSSKbiqeS9Be0yf6mJv10LC5d
+M9qoMvbp90ob3Jhib5IGzeijcQFfzbZa+MGnWiCGX04U/hUrayMdmna83exKbeNW
+S0LT1F82rG2QklFOFSZSInXsBiR4olRWqXrYpNjP4B5gueQ2+XUlMZdphvkOksCo
+/UBdqKotBFgyYXdMygl4hscxo+O4FRpX6RKVyobJXKax+mzbc9YUKTFtKu6KlZls
+jvqjtuXgmZvXOgduG5D8Sqoqp/q1nYzYpcgEss4=
+-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/ca_ocsp.key b/jstests/libs/ocsp/ca_ocsp.key
new file mode 100644
index 00000000000..8429188868b
--- /dev/null
+++ b/jstests/libs/ocsp/ca_ocsp.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgH42hLFFnWFET
+IDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBNBjaQHMzivBiQ
+EjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy7EkEH/kYzX7N
+jUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmkvsdesE1gvcfF
+tm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1OzZE3jJAaB9gGA
+83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfAUY5sJ6WOWdQz
+8k+WjXlXAgMBAAECggEAV8GzT5gIbUlb9c1+Z1GkcmDWNeiwXqdyde56PbtPCI4l
+A8ZBEpRFItLFGdjHxn7f/tbe5JDEQaexFpTBrlJUrHpjo6H9eXMtUD+V416nO9k2
+34xgsxxNBozhnJYhkMGUlBSn19jmHo/RZTp/VJP//yZC7UflFGdpkpUezg6pyLFn
+N/TO0KtRCvBjGTXZhD56D3bf5HRxo9clktXx1fczAzKTCyGn2bWZl4lEBZI2KRWQ
+wjV44kP01OoE41hr1nlhqH04Uya0uUdj/bYz1LhHM+IpEVnzsc10b6sJQN6qcN/y
+VagvH0ZCcquVzjntky7jaWRREjbwrQrgdfACqqZg4QKBgQDTi/BYBnXGzeN4ZxtP
+VlxO63JziIMQhYsaWvtY6G6YodLB8rxkA7lFNZv71PQcAUUqNKugjZFBjTOA79n6
+Aj9RBe0N0/PoeLLuq/H7Pl0yk06lxu7gZI5T1VZCWCSOsx1tbf3p+u6wIMy3C7ya
+K4C7hQ4mCH7nommKeo78HGAyuQKBgQDBxVDFZ/ftneLvhjc1rWsGW2Gvg2ldA0bL
+gjnaMUI+sGQxl9if3zljNVh2HPfcVxFQs2RwlCUX+NI1JynCwE5nrEpp1lGS8GMC
+X9EVjJLVqZVH8+CCxpcACapHD/BPxQydJhKjq/EvEW5xjvzmF8qADpACWbWUOg65
+rLn53hhEjwKBgQDQFu1aiTA9WLWS8Elq51ZxwySYBQZ3sAU+7ZQkxq5TsYqxgWZT
+M16Bd9RyCe39xjoU5C6XBeqGgrDQ+h5+0Msbliqy2XUpjeDk6XpkW9otL73DUEYV
+sJRYXpg1NqLvQ72EsRd9m3pDAmCdBgyF0pkU3DMosl6y143dy+TulbMC8QKBgAgP
+UwrDBlcF6DiaVpWO/xKmnmuUhb9usXUpl4px3hWJdMFzVXlg6Zwszd8r2Ut6+6dl
+rtnX76sNmIDJfj0xjpFVY0r/tSjtgtDId4Pz8u+cPC9f/4ixBfrkbAbErPREd//Z
+Y5EXR9LzYKqsjexsNOoasPbIEHt35sDmZF32VQAVAoGBANDrKzBqlD4EtTRdJi5O
+x42orwmk2vx1WwWTIs3QmkdFVrfcY+K8sBGByJ0EwyNCUt4HQxqAP6kIIsoA0WH0
+/dO6bPPjTOcZq89RTP4XDVcikwWpclin4PIlY7xC5RNx2sRrtexfwbBoP/Zcwje5
+8UCDml84kMEUd5F6QA/sOB2o
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/ca_ocsp.pem b/jstests/libs/ocsp/ca_ocsp.pem
index 3b3aaf96b11..8a9ff3759e0 100644
--- a/jstests/libs/ocsp/ca_ocsp.pem
+++ b/jstests/libs/ocsp/ca_ocsp.pem
@@ -1,49 +1,49 @@
-----BEGIN CERTIFICATE-----
-MIIDeTCCAmGgAwIBAgIEEarQezANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIDeTCCAmGgAwIBAgIEBdhiWzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMjI0MjEwMDE4WhcNNDAwMjI2MjEwMDE4WjB0MQswCQYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjB0MQswCQYD
VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO
-S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
-ny8ZLTuFeyAkCqRQuuPKqOO4acNSdzoSFCw2WOQAUgvss2A4fYKGy1vG1+Z892DF
-tPoT81Cc6SFdJJs4AyAnqtkPH38IS5oHobnTc6xbFHEEqYoXDJuQyBiftXxW4EA9
-tYtIlCFvijb6+6CDquYR0Nrl/PN/7VUlfQdKvA4kKNIn+mXDgVRBkVc75B4T2CHi
-Sgga/COa5o4MGaLVKqQva4gOA7aJEZdxT0M/gWORbdv/KP+mhbtaI+sCfBbhIMv/
-9XAi2JgoigSMHKcvkTx+qkF/lpr2BYwBDH/xXu8Ft31WVRuBVAnVcO9oHDIZpbi7
-Hv8tfA1bK3i4FOYQ3aXdAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTQY+AUPefoJhgRmOo5boq6w0TNK9pGNmgp97FSYY/bkS9F
-t4tKZtFvppjTWGID+1P1lsTmJPStGh+e0aM9O7CgEBMo2ykVNLrLbBvxGQU+PeNh
-9pRWacrVTNj/XHYvyzOdahgxd3I+2XYdGsT7iX+Jz3SHY02d9AKB9PFBxYXEqUWS
-GpV4EqR1/WscJ80AgCRGQy0XgJ3bblkUlRhN4kIoVtI2psyclcIVfevLr6Y/wFs+
-3P//DvrnvSdujC8ORTqgh4bJ876qqGQCoxHJ5gVS2pVpDudHDCJZ9IItapHF4K0Z
-BYKSBKfuhayhhiEtUdu5D4bqwJ5Se5SzTp+G4co=
+S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg
+H42hLFFnWFETIDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBN
+BjaQHMzivBiQEjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy
+7EkEH/kYzX7NjUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmk
+vsdesE1gvcfFtm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1Oz
+ZE3jJAaB9gGA83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfA
+UY5sJ6WOWdQz8k+WjXlXAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAAsY/vktUSwXC1MCC8cYtcrlI0EgGcvkcRxEjRv7t5YVZii6
+eqKSfaX5HDxKl8dH7Z95Z3sDqr7iwPFtzmzQHEwvSSKbiqeS9Be0yf6mJv10LC5d
+M9qoMvbp90ob3Jhib5IGzeijcQFfzbZa+MGnWiCGX04U/hUrayMdmna83exKbeNW
+S0LT1F82rG2QklFOFSZSInXsBiR4olRWqXrYpNjP4B5gueQ2+XUlMZdphvkOksCo
+/UBdqKotBFgyYXdMygl4hscxo+O4FRpX6RKVyobJXKax+mzbc9YUKTFtKu6KlZls
+jvqjtuXgmZvXOgduG5D8Sqoqp/q1nYzYpcgEss4=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKny8ZLTuFeyAk
-CqRQuuPKqOO4acNSdzoSFCw2WOQAUgvss2A4fYKGy1vG1+Z892DFtPoT81Cc6SFd
-JJs4AyAnqtkPH38IS5oHobnTc6xbFHEEqYoXDJuQyBiftXxW4EA9tYtIlCFvijb6
-+6CDquYR0Nrl/PN/7VUlfQdKvA4kKNIn+mXDgVRBkVc75B4T2CHiSgga/COa5o4M
-GaLVKqQva4gOA7aJEZdxT0M/gWORbdv/KP+mhbtaI+sCfBbhIMv/9XAi2JgoigSM
-HKcvkTx+qkF/lpr2BYwBDH/xXu8Ft31WVRuBVAnVcO9oHDIZpbi7Hv8tfA1bK3i4
-FOYQ3aXdAgMBAAECggEAG08jKPCIwi/bICBzDxJxW0IyFwviMH4zTHZ9kwGeEVD9
-nHR8toBsFEDaaM12mkc5OsxunDvCFLPzNDuX1A/PyKjlQn2LQJH3+6lXg2FmzIvP
-w8IaA4tGeFgPwY7TaF4nKmoKkMiuTPtC98bsVnK1OZd9uVvDce2J+ViFoBQCj+rW
-2LUvY/GLOS3K2idMBdeYfSCWzkM9Hh7XeZYwcRDYexuhDXyuEt18I6adt5iOTJ2+
-T4y0nWyhACxXV1vXrMvHlH9QDic2nfdRVpMr7azqjpWwN7o45vEFzA//dWuaV8CE
-n7V68m8RoPaSU7b+4f6nbadM2S17iv3LzxFu9QzZAQKBgQD8YwE1zdaAlswDH5aJ
-McdKXcEMTtvGNQ988mfZVmQkEBFo/hAcGCgnlByVVYsOoHApk2fNiHVQ6zefuAzN
-kNEmb9J32SoGDTOchyXHooaEuxWFU3d+o0vncKH3a8oPkiDVuvrTxIrfQpiWRPTW
-2zu/iFkC1QfZp2Ig4yC4Z6K1HQKBgQDNhcqNVi4VHfIa7iFKp9KUFYfpxlQlIgXb
-GBTKIBxyJ4WXC5yrWdNpDJ625Gsw8MIGUOM+v/sSkJ6T7c1cmO1qQeNAPLgVZB0g
-7dnKG8ipHQrBo1ALGltfCIZBEYjwZVVRYM44FuuJk5BZEjCVnUHZinPV5rfTWgTK
-mvt7LKuXwQKBgBd53hLzIpCzdiaUOZxpVPBF6D8M1sSJCvfEVISS1J3GINhzSWxT
-kuibjk0Vt+mUYtp7K5yipMbyGipxJD+6yLmajSk4uf/2Gmbk6062f2y5Ojc8nFDb
-P6Q3hdlN3W21WfiHe+1WytQZjbfskhmqKtSWCjGJP0GvoCEO/2wnt6rBAoGBAMEl
-GSQWd5xU1jBE1niomxeb3GzwfCehf8tVKESERPdq+ProaMYH1syElavfonUN7emt
-nsJb/YKG8uCmvTZmachQP1chOQaxXUaTAPgVgFCeAHvWFOU6UeBPzIveBMmXEcU2
-qta/g395dFCg7ZPNhBMDMLU27E7t7E7Ts78gTeqBAoGAVTyzBkyGlMu17pJQQclG
-dONRXlc2+MjSJ2cgrv0OEz12K+5FKuHBBtSJRh2dshNlKUOFVtd+Zi+g2qNoHWII
-q05oq2A1URPubFZMhrOEadB2465wX6up45WY2V7QMKDlma3mxYYec0xwUkFt9vXF
-Ji9EQRq6WkhDG7zqENmF4oI=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgH42hLFFnWFET
+IDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBNBjaQHMzivBiQ
+EjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy7EkEH/kYzX7N
+jUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmkvsdesE1gvcfF
+tm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1OzZE3jJAaB9gGA
+83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfAUY5sJ6WOWdQz
+8k+WjXlXAgMBAAECggEAV8GzT5gIbUlb9c1+Z1GkcmDWNeiwXqdyde56PbtPCI4l
+A8ZBEpRFItLFGdjHxn7f/tbe5JDEQaexFpTBrlJUrHpjo6H9eXMtUD+V416nO9k2
+34xgsxxNBozhnJYhkMGUlBSn19jmHo/RZTp/VJP//yZC7UflFGdpkpUezg6pyLFn
+N/TO0KtRCvBjGTXZhD56D3bf5HRxo9clktXx1fczAzKTCyGn2bWZl4lEBZI2KRWQ
+wjV44kP01OoE41hr1nlhqH04Uya0uUdj/bYz1LhHM+IpEVnzsc10b6sJQN6qcN/y
+VagvH0ZCcquVzjntky7jaWRREjbwrQrgdfACqqZg4QKBgQDTi/BYBnXGzeN4ZxtP
+VlxO63JziIMQhYsaWvtY6G6YodLB8rxkA7lFNZv71PQcAUUqNKugjZFBjTOA79n6
+Aj9RBe0N0/PoeLLuq/H7Pl0yk06lxu7gZI5T1VZCWCSOsx1tbf3p+u6wIMy3C7ya
+K4C7hQ4mCH7nommKeo78HGAyuQKBgQDBxVDFZ/ftneLvhjc1rWsGW2Gvg2ldA0bL
+gjnaMUI+sGQxl9if3zljNVh2HPfcVxFQs2RwlCUX+NI1JynCwE5nrEpp1lGS8GMC
+X9EVjJLVqZVH8+CCxpcACapHD/BPxQydJhKjq/EvEW5xjvzmF8qADpACWbWUOg65
+rLn53hhEjwKBgQDQFu1aiTA9WLWS8Elq51ZxwySYBQZ3sAU+7ZQkxq5TsYqxgWZT
+M16Bd9RyCe39xjoU5C6XBeqGgrDQ+h5+0Msbliqy2XUpjeDk6XpkW9otL73DUEYV
+sJRYXpg1NqLvQ72EsRd9m3pDAmCdBgyF0pkU3DMosl6y143dy+TulbMC8QKBgAgP
+UwrDBlcF6DiaVpWO/xKmnmuUhb9usXUpl4px3hWJdMFzVXlg6Zwszd8r2Ut6+6dl
+rtnX76sNmIDJfj0xjpFVY0r/tSjtgtDId4Pz8u+cPC9f/4ixBfrkbAbErPREd//Z
+Y5EXR9LzYKqsjexsNOoasPbIEHt35sDmZF32VQAVAoGBANDrKzBqlD4EtTRdJi5O
+x42orwmk2vx1WwWTIs3QmkdFVrfcY+K8sBGByJ0EwyNCUt4HQxqAP6kIIsoA0WH0
+/dO6bPPjTOcZq89RTP4XDVcikwWpclin4PIlY7xC5RNx2sRrtexfwbBoP/Zcwje5
+8UCDml84kMEUd5F6QA/sOB2o
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/client_ocsp.pem b/jstests/libs/ocsp/client_ocsp.pem
index 5f20933a922..3640a231c1b 100644
--- a/jstests/libs/ocsp/client_ocsp.pem
+++ b/jstests/libs/ocsp/client_ocsp.pem
@@ -1,52 +1,52 @@
-----BEGIN CERTIFICATE-----
-MIID+jCCAuKgAwIBAgIEJYFSpjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIID+jCCAuKgAwIBAgIEOLVgbTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMjI0MjEwMDE4WhcNNDAwMjI2MjEwMDE4WjBiMRAwDgYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzRWOWrx6uo1qpkXuwxuLiQgBJ
-AcitTC/EUScP9pC51D9MJFzZ58mGJuIFiUegELtPw/mDOpkBbeaiZH7Bp5InBXQJ
-MZlWocXaWx6aLMdpqkFQvoTPH0TdsVBm+XziO2ZhdbKl7yytVgOXQKcrkyx4axcB
-RZv1XwS5oRO0DngZnsPlgetyR4ELUuhEkXWnTLsbeXNQvDNA8T1Mqk4FO2JsoFfq
-jbY6OhGPO15PlVEniM6PPHolyApD3xGKh/TUFx0SG/lVTa0Kh8pJqdKQmaLuTNt3
-NgWQyDTStE1im2r0KrKQAGpAmlPyY8uPZNSB5nKlGJb0nzpSfnHXabwLxb3NAgMB
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2tyliJxuteG414D5JycF3DPwC
+RkMsnOEmSFzmhfmLjQaerHw4G+FvK45pHQzl7ae8HWu9iwi0SMsyp3CelXHJDod3
+nR63q4jvuhgU/sY2iycPUZohKqKBmhmIzlvzIUGbs+UgQA/dLVWcDKIduNd7hYbx
+0egOVAgbA7WiWWxrgQ08B3i6ZQ9RJf8SmDljwNgfBxlOJujUrHV5R3RZgVhlug80
+MjrIxzBPaMu3Dnb1qqTovXQTulMmHcsDiArgXD/wDzxaFvYUFl/Yt0liFf6VZ4yN
+ie9kHW5YKYFSdUvE4++Zvj3fpi+vgoR+ljSY/gk6adIqpBdrNmM9BBa0/tclAgMB
AAGjgaUwgaIwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
-BQUHAwIwHQYDVR0OBBYEFIZjr0DUmr3Yg7cDDkbg2ALFauCXMDgGCCsGAQUFBwEB
+BQUHAwIwHQYDVR0OBBYEFOpCnkxAZjTauzQHHdtvraRNqzG7MDgGCCsGAQUFBwEB
BCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL2xvY2FsaG9zdDo4MTAwL3N0YXR1czAa
-BgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEv5
-CP3Upcm24bKkh+cFOwfz3SLaBDhgTZyI873RYOMCzr+XGZP5/OLHRf2Cx0ipBSuv
-Ua18fu/1GwjWduadRVFiVtQlSHSxSUHjIzuHtH6QH8FMej8m+4lBJ4Oy814oc9w0
-CM1nkvqY02cRgP8XeXnOHpPPXZnYUuBQ2lnhdvaKtnXnIDdaIQ5L4TaaDxFvLkA/
-w5V4/6TxhXuDsZIqvAwWC9VsE8o/S5KtSgtSwfMnpULtH9N/R8mp08c3+GgSMq40
-uiW8iyUEB8Zja+qMKeHLbf328k4zZrDHQyQ7Km0wl90gHbXfNmXUhCTmVTp6Uf4t
-dlfaChEus0f7fevbQVE=
+BgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEKs
+BwpU72cNtRSfnWHXfZAMT0KQ3lKoUmn32J2v0aPJwqIiFKFcqZamk5H0hflgdHG3
+PDzliSrDnoDNTif0M/f1PTXhi8/lRkpQhBdINExW45L/735qBrngLxyZABcqcDyq
+IYNV/LXySRGRW5ui/BdZLYkjl8UgF5nXtP2/hTyruw1mI2rRKgvmSPKxj2ItOeeU
+WZlmnR4eQTqW4AViuqLjshLwnl8+l0zIxEF/d+lGZoyby+tzbBWbTcFZdVKRzSPS
+U674+MI/DuyNJnnEWYg3LZrno/1/cQ+UJvzZahbVaVSxvMGgLHtNilkrFxHa5R+q
+1bepfbktB+c5a6p8TlU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDzRWOWrx6uo1qp
-kXuwxuLiQgBJAcitTC/EUScP9pC51D9MJFzZ58mGJuIFiUegELtPw/mDOpkBbeai
-ZH7Bp5InBXQJMZlWocXaWx6aLMdpqkFQvoTPH0TdsVBm+XziO2ZhdbKl7yytVgOX
-QKcrkyx4axcBRZv1XwS5oRO0DngZnsPlgetyR4ELUuhEkXWnTLsbeXNQvDNA8T1M
-qk4FO2JsoFfqjbY6OhGPO15PlVEniM6PPHolyApD3xGKh/TUFx0SG/lVTa0Kh8pJ
-qdKQmaLuTNt3NgWQyDTStE1im2r0KrKQAGpAmlPyY8uPZNSB5nKlGJb0nzpSfnHX
-abwLxb3NAgMBAAECggEBAJCtc8zp2RWDkSfHnghEQCrPldvVc8Ocy8u1d8XGncvm
-rr5Z4d62OuPNvB4OxsorKTsHEh05fEWdVsy9d6U0Q3dxhtDw7oDXNRPnnQuUFgSB
-fNbId7O2pP4ztd2IAv2I1hqgJN8Kn0d3ICuUB9eib5AuIEBhZZ9II0dCxLUQ5dxV
-ptZD5OqvZHkbpLbOKBTTVn2ZF/z/ahY55t06l5e+wtxzKZtgYwz7p9dHcuxFPDTQ
-jcCg8G5UEDKp/WVa7ko7OWdonJ7QP5SmkVqnBWyMYNe+b/WsGaofWYx+iXQ4LQHC
-Cd19Ms6dbuvROo1JD0wm+WVHSbfQrf6zM6mz0QTBsAECgYEA+bpIw5bTQ4o49AHy
-+GR3SjaTj+/bV5RqtGw1h9LJTtX4KicuuIcmn4kTbB+zI5sqgWMXx4xekACHG0iJ
-EObP92xUa2fTSIXsCbErUmNAz8MyNED19g5+yH3ZtQWMhtXU7fAjEmVdjis19ryG
-JWBGDbyyrvBfs9UBNGWW3a8yPlECgYEA+WGW7YqcftCMhFKt1v0VeMUO8Rrx1hEt
-BE+h04c2NeEgXL+FrLExXU1OjWGJot5BR5hKNTs4ubGENF7XP1JP82WpQw34uMSs
-UTEiprjKPAV8i/dunrTGqq1kVFoa3QMfdxIoD3oG+4YFpR9aFSPK0HCXM0Rj2TNJ
-oAon0PV2/L0CgYEAiF2j3EIhDRGOdhgWYHMj/L9+pqu4n8No3Sr1tDxzNvx6bjJF
-Pfh3K8jDdVh+DuRtOogs9Qd+n63aGRjr1/HiAF8EXj4szr5qnQRE/tE6E/moEYaj
-iQBzVPH8DvB/wyVDB8cIr8PwaXDJH/nkWsaOmnO/Mu4JpH6dEMqkrls72XECgYEA
-w8ErLEOGHLWv157e/sejNy3YUMKJ2zOYVq37pYOZtimFschVMf3Vdhvc8XYDCGnW
-bFDKz4YxPPJviHx6EiaWw8SlXRF2j/MyIHmlbaHYfc0Auw37M3FMEWYSP3SLabmt
-1VXXRG7RVFcbz0YQ/E8gQQZgacnhZvmvbYULRCeqwzECgYA+MYIwLwulXrFjj7g7
-jDCKjACwy255QaLWZFrsV8sS2YYP66i0npqeFXHseQTR4FWIV7bsrjiU0JrWktVO
-jbU5ha9wYj0O8hYgT2p1r5y1fsK23wLZe6JSbF1XY7dMgaB29KVAAYcjoguf2Afl
-hVMrSuFYmgjxSvQHwHAo/V3SbQ==
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2tyliJxuteG41
+4D5JycF3DPwCRkMsnOEmSFzmhfmLjQaerHw4G+FvK45pHQzl7ae8HWu9iwi0SMsy
+p3CelXHJDod3nR63q4jvuhgU/sY2iycPUZohKqKBmhmIzlvzIUGbs+UgQA/dLVWc
+DKIduNd7hYbx0egOVAgbA7WiWWxrgQ08B3i6ZQ9RJf8SmDljwNgfBxlOJujUrHV5
+R3RZgVhlug80MjrIxzBPaMu3Dnb1qqTovXQTulMmHcsDiArgXD/wDzxaFvYUFl/Y
+t0liFf6VZ4yNie9kHW5YKYFSdUvE4++Zvj3fpi+vgoR+ljSY/gk6adIqpBdrNmM9
+BBa0/tclAgMBAAECggEAMnqj6kQXt3NAL45GZyhgVL23mgFDab3lzifL0rxM1ysd
+GxVYNEAvpgEIlS27dIKWBriyHWmd/ADocpQj3ww2pW9oKbm01NWFPYXSRWql5EfJ
+gMfwpx0aTGgAifVJHgCgGZ43vRM1zstJjZVH7KI2lh+ryn9NdzfsDVqXAcVm2MQU
+yVTbva/z2rfn9QXjt18HCS0N0eJPbjeQKuoj419CSlKmMzodGwP8L5+rzf98b4s7
+OztI3ugXadxky6/JCtZ9VdMocyq5KTp69AfMTRwD00hsXa6n3qC0u2xgyMHn164o
+MYC/OM6bw70hdhp4uVI2nrXU14TJkN+kWxtH7IZZQQKBgQDo4bgqF3dcyDghBYJU
+nO/dL2V0wk1pczx1Tws1Pqm+o6SzqTL8jIIN6PImJ1CNvScJHT0k14KhVIMiNQ12
+ueFdeNA8DpthAwxFsHDyljuYWGy/109HMLHFCCv2mbyH3ee8POn95MgVWRyPd93I
+mCs4J4ujqWihTTvmNKXPnXWW2QKBgQDI2o4gI8uZyD8vZL/OIu9uBjllceq6gJXx
+tU1CKm91M2E4SDp7C5adRfliNUpyNnRbFqgYWFcp1Lepy47X+vBKx1J7Eq8g2FGr
+yAjNNh34aqxclqDU3KCijV22T2Bx37e92CoBsKP0lOE7XUB0i8vVN63q5siUxnD0
+nAMuEZgLLQKBgA/uGM3wSv7yxzwjB1ZIYfQMYPFKtUboVhNkM80Rm0TqJsMPaOhz
+qBXRgHbxq4X2kWwDLwKNJ2dnw4ycem5LqsndEMl66lAJiFZgCmndsvfp3I6G6Opi
+v1ZOB8vXmljk6gwrUopGkxU6wkRiG660EgjGU7v/Q6P9B4LoyQrZp4iJAoGAO3yP
+b3Fqkac/H3hFXnX2V628PhFZJdeDkUzTDu+mhx2qg5LQzzSFbRsWW0HRRLZgC8JQ
+ErXHSvpXUxCYw9rsZBlYkl7cQ2wN9ESQZsbKZZKibeGmzKRzZvFbee1UcSWDM9Tb
+zBhW1s9pTb22o03sFsAg4FttuLJ1Ld0vC+vmDhkCgYEAvjX30SLWOYR9urCmlxQL
+FS53A6mfIc/Yh90Ihcrd9GlvrXcB8ROs9v2sN1reGikd9mIPBruPgmo0PYjXy+jr
+gv67hUCO4ZSXfylsRrbKDsLazbvQiTwO8+HXUivWg797sAWyKZiw6y388ivQ0Mxd
+YXRWT7gVqMxQGylZice+ZD0=
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/ocsp_responder.crt b/jstests/libs/ocsp/ocsp_responder.crt
index eb9b94a0561..96b95e5ec1f 100644
--- a/jstests/libs/ocsp/ocsp_responder.crt
+++ b/jstests/libs/ocsp/ocsp_responder.crt
@@ -1,21 +1,21 @@
-----BEGIN CERTIFICATE-----
-MIIDgzCCAmugAwIBAgIEWIQfiDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIDgzCCAmugAwIBAgIEZElYIDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMjI0MjEwMDE4WhcNNDAwMjI2MjEwMDE4WjBiMRAwDgYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTMwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXaw4jKtBf9RUMQ3i027vJuGwS
-DwfR+D58FgJDq759npcSsWwwrMiiKd6vdKLufs6r3uVGfD9iyiJkb0q/k0d5Yh4V
-8nViZcQ5Lb/k0xBWC1NnJehVnHIUSmYgYuJxH1b4lurHNNbsRa9mGZyWpO8yJfJh
-QXDJpKm0zGZwKHASA9VUSIv8VrhsMeLtFilZToJfM+1yexs8B3qN9bzY6udsoZmC
-Bo71yEMvqSh0U9e73EhhLrv9SS+dbXHi1xITXlzRMebec+SjS81Ifz1nqSep0R+F
-uBp5oz6wjJlueGStYbHJ7Ow6gkg706hvAcTseUhL4tHsXPVgUQ//RrBj6+tpAgMB
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbiJdoDByUfS0umJF8hwsJvV3u
+xcG6UQ1gL4JR+yP/Frw7emIkKaSagCQTjwvhmiera1QVa5HxofSikQr7gm1qzpjO
+KlDK3J8CBlAncPYbThde9E6dWZS+GQeTFh+NDo6NNwopBgYIpWkwq9cgAJYgYxcV
+HoY4AXWeoshcd6dSgqY3lr8la+qDgqCbxA02dEPQWW+LDZq2fdiNRwbqvVJd1TGg
+b6lfZB/0pv4LRHqBvRcKjlvieX/ntfsNgja4rqUtbsZnspXnoZeD2A5dADsDhBc9
+oSTxn6ofp2QIeJHyLqkhZH+pITrTH0kfPrrYNSBCe/488EWwppJAse/D2u3TAgMB
AAGjLzAtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUF
-BwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBpS/gt+LwW3rrRxBnVWhGUef2ZcxUoMW3t
-iY3I6AaRycsZ2D5TLZVRL8rrULd1YiaJShVy3UnC+Hfi/RMoC2zQuXApt/v6faL1
-gqEZNlgm1oB/sxm5P47pId8bHaaqj7C54KwDFey+ybZgieLFPjZUUKWkg2NjqpFq
-C76cp57KXKO3RWsGHNWq+F3EC+fRQPlajSacUdzCaK+NJAmGFFt7xSla/2cnCxLh
-ACBPzTpVCBHAYoVjHPKvQ6czUemD8WO487b5Z6eCdIv+TVQxmuzHzZgKOMTDBLCg
-6UXQPrJLG4yO7o+NvqHrjUFR0XsVT6zFjFHf/rRzYRikr0UaDdMu
+BwMJMA0GCSqGSIb3DQEBCwUAA4IBAQAj8rZyNTvjuVfPNjGu5c+Yvh8wEoQaABhW
+5IEHOiFUpwDbJjYA84DHWn+LRShInp37M1yhg9UhsmJC5MEBJa1GQOlkdk0T92qG
+TIvcq8nQjxQ+unro6wVGO8AzCZ5ECxUozNhlmg5ukMiGkSpABd60r2WsRFt3Tqdw
+ZtiYyIIW2JV7KyRAeM52D5U3gdEc4rTFYCsldNw3bB09DQ+2J0EQgUQHlZfGBAyj
+FRzxOzxp9pYE0qJhQUB1+7+udV+6nA7gU5mnAaBazoCGXxlvcsJ70wopCtBppLY6
+WFBuQAXYSLW6dqhh1gOLq2xlqyo5I3O869v3AIOpIpSPzwQxf63v
-----END CERTIFICATE-----
diff --git a/jstests/libs/ocsp/ocsp_responder.key b/jstests/libs/ocsp/ocsp_responder.key
index a47d6ad1786..5070994bb76 100644
--- a/jstests/libs/ocsp/ocsp_responder.key
+++ b/jstests/libs/ocsp/ocsp_responder.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXaw4jKtBf9RUM
-Q3i027vJuGwSDwfR+D58FgJDq759npcSsWwwrMiiKd6vdKLufs6r3uVGfD9iyiJk
-b0q/k0d5Yh4V8nViZcQ5Lb/k0xBWC1NnJehVnHIUSmYgYuJxH1b4lurHNNbsRa9m
-GZyWpO8yJfJhQXDJpKm0zGZwKHASA9VUSIv8VrhsMeLtFilZToJfM+1yexs8B3qN
-9bzY6udsoZmCBo71yEMvqSh0U9e73EhhLrv9SS+dbXHi1xITXlzRMebec+SjS81I
-fz1nqSep0R+FuBp5oz6wjJlueGStYbHJ7Ow6gkg706hvAcTseUhL4tHsXPVgUQ//
-RrBj6+tpAgMBAAECggEAZzHGtPwWlFFQwu4zjdhRjmHFi6Udpu1X6ZOVhBtrBryJ
-PJA39t1ew6hxH/Ys8zlWAimmBe0RZF7WuOxDj6CbNb/WD8d1iiycIpQTAChIBCAq
-1Rfow9JNKAE4CT21omFUBYQudj2O0+LSEoQkaloaqBhbk1GJGV/DWHQugn4sqcPB
-TXw3O1FNgeUd8DQoOlAm4V8oUb7MF7vgSajv3Z9r1eSFVwp8ZNyNLkG+kCFcYl1A
-VM4HmM6pFokgEypgVCncJuIpul+RQZ6JTitqR5kp7TdOAKSsm+Pxbk92jpo5CKo6
-rdmzURmPEbGYrU1CLnp/TJ53pTyqboC0jvzNqqyu8QKBgQDvgkDtI+4B9uLijn0g
-WL6K2QoZ1Y5zDNlKA5o0Bvi6FlYL6XeL695nEn5VSe/1bY+/sv9S7DM/5binDjmb
-AS3Amb6D0IWwBwGQHNZo7XlIXtMtQddHwNFGrMTCRinbvoWi+ezB5ZMui5tUdx2K
-a5Fxx9Hoz9kMAB99UUa+Pa0NhQKBgQDmQCnxlNCXDhBKA+w2V/rmJsR7JB6aQK31
-AKXv2f/+orihJSE0T78Ip06+1ILZbZ9AkprYrqmuvEdqX17vWUa/B2Ed2pK6Gc8J
-zTyOKfAxLIjHAfqYrQ6wtFwkLmARvpniTnG18vJHco2FCnmy1jFRIyOv/m6ZblLd
-rRE4H+HplQKBgBAaG69VuQycwogkuDjSfozrJoiyGM+XT4xwTY+t4E7ybXqDiav4
-gY1Aawnk3KMNaJqkuBGlG5TyJsXkaO8I10CZlXtbK4G4FtzPc4K+ZGb/KQdj48tJ
-JUixGNFO0kWZu3ZHgylN++UnMZwuHehObwrNOkmCn770yykrq6vijZ3ZAoGBAOYs
-YIHDfZ50Da6gK0PMQeJQAP0FB562Z/BTnI6gxHveWWmmf4IW8mcJMfws3z3Si2/2
-3tscCD7Isy/QdUwaWFHhY6F/fkySPlmTFSUdIaNW3Mjs3oJABj55nt8AiUNT4evM
-9Xmpi7AHARhtd2ljHFv7H9LxK8kv86DtQRh1LtbdAoGAPW199BQmbed5bwIPiLSf
-8tAoH/kzar1uJ0qczJgsR4FT9twsIhPPc3XNWMFstAf4FkAYm1R3U7Q7v+pt/EzH
-MbvnOZnNbzpr11QMSgTJ07bepyJrDFLQvqKNULNnsdh/z/OT5RLzA5s2zRnxC5lJ
-SgAimPJE7JO88XiqH8q3u5A=
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDbiJdoDByUfS0u
+mJF8hwsJvV3uxcG6UQ1gL4JR+yP/Frw7emIkKaSagCQTjwvhmiera1QVa5HxofSi
+kQr7gm1qzpjOKlDK3J8CBlAncPYbThde9E6dWZS+GQeTFh+NDo6NNwopBgYIpWkw
+q9cgAJYgYxcVHoY4AXWeoshcd6dSgqY3lr8la+qDgqCbxA02dEPQWW+LDZq2fdiN
+RwbqvVJd1TGgb6lfZB/0pv4LRHqBvRcKjlvieX/ntfsNgja4rqUtbsZnspXnoZeD
+2A5dADsDhBc9oSTxn6ofp2QIeJHyLqkhZH+pITrTH0kfPrrYNSBCe/488EWwppJA
+se/D2u3TAgMBAAECggEBAKa1L/yUDfP4pqHWu8wrpIct5THXvIhm2lhrW3Qz2R7x
+vdkQ04wQj22/1yV/IA+eh3dV1pE5kadDTElTCVr6rWpJHqKYYafbJ2hbMOzyjAEq
+KPczYKt+hkRhL25Tg3wTTM8Rt8Z1S4mvSpTqOT+VEmvfs3yXJGdNPGtNxAbr2gT9
+xzfHtvcJsx40ZG9UNv419SAw0n/zcCRiP4sK4+aI4vfjpA8RHUjsYSxDuwLUVh8I
+XCbXOAbgxFUIgNL2ldftZmwBpCPxpE3rgpu7aOjTMJXuunNU2QAi8oI+8OsWP6zK
+O0gBwiCAULCGhjo8OZN7pa8H9G/jMZg67lXY8mkemaECgYEA9mgU5kS7wral6uu1
+yQY4Pm6hL+JKysC90Z4NTPM8LT0Pi9CKNJhuUJ/po5V17p5wMp6E2SZU9YnqqnIb
+tBK0hkOTnXEZYopfXAqM1fCnJUOnJ7OpTgVC7+7aaAh7oIQNogRZ2V96PZ2r6RpC
+S8HykiF0bTCRAv0JoRE9IS/mV8MCgYEA5BSrEoBw5OSijHciZJ/FfJzxSV9I6kmo
+E78h3STtRMpRwRo0iaqqOVBnXtcH/ptZYtLjkcaA9g0h53D4idOiOAJDj7DFKOS3
+QpTe3U/gJzphaVuvsEGShlfy/LhPpNi3vEhqVPXO9j/0HVBOkZV8Ev/bonoW+upS
+VhHwT/bCwLECgYAxHj5MSJdFETOxyJrMH7lGeLcY3HscP5+XEXKFTFdKjUl0DXX/
+VgNnfvkL6tc/YcXr0T2aK9HzwDJPF7/9/VyPBxl94PW2du7bYh8A5p/rBblkaKPv
+MY1OVsaixk4eiTROf5+JfUbY0X1bUii1AUxhZNnYij3d4qLwwIb2/p1kEQKBgQCy
+d52493nfESxD/0CRPheYv3FqOT3j3ci/0tIbqbZjGnDIScoMYteZy1lnc5jU2Bgk
+ZOIfAhWM8o+x+srvhgMsElFtUSOlMPpZBgYxZDwAVgU9HLonj9eoeY8vwsTHN7Dl
+ikBxxHmyZC6O9XTVJAQXFc91nlT2931/zb+dwnd3sQKBgQCzZiAtoRjeZn3wc4C6
+RaDaSMG5n8xRYU963ZCPTDfK8Qgx3NfdsDy/Hgkj4R8MdrQIfyY5CRLNyaPi/lIE
+yhL0Sn5R729pQOaVG8qPOJtNzH7DYJCIY8Kx2QzPOxQAb+SSrMPQkngOcSIwX4QK
+pyjqsXQo2XBTKIgErbtybZhzhw==
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/ocsp_responder.pem b/jstests/libs/ocsp/ocsp_responder.pem
new file mode 100644
index 00000000000..fffb4c003dd
--- /dev/null
+++ b/jstests/libs/ocsp/ocsp_responder.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIEZElYIDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
+VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
+dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbiJdoDByUfS0umJF8hwsJvV3u
+xcG6UQ1gL4JR+yP/Frw7emIkKaSagCQTjwvhmiera1QVa5HxofSikQr7gm1qzpjO
+KlDK3J8CBlAncPYbThde9E6dWZS+GQeTFh+NDo6NNwopBgYIpWkwq9cgAJYgYxcV
+HoY4AXWeoshcd6dSgqY3lr8la+qDgqCbxA02dEPQWW+LDZq2fdiNRwbqvVJd1TGg
+b6lfZB/0pv4LRHqBvRcKjlvieX/ntfsNgja4rqUtbsZnspXnoZeD2A5dADsDhBc9
+oSTxn6ofp2QIeJHyLqkhZH+pITrTH0kfPrrYNSBCe/488EWwppJAse/D2u3TAgMB
+AAGjLzAtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUF
+BwMJMA0GCSqGSIb3DQEBCwUAA4IBAQAj8rZyNTvjuVfPNjGu5c+Yvh8wEoQaABhW
+5IEHOiFUpwDbJjYA84DHWn+LRShInp37M1yhg9UhsmJC5MEBJa1GQOlkdk0T92qG
+TIvcq8nQjxQ+unro6wVGO8AzCZ5ECxUozNhlmg5ukMiGkSpABd60r2WsRFt3Tqdw
+ZtiYyIIW2JV7KyRAeM52D5U3gdEc4rTFYCsldNw3bB09DQ+2J0EQgUQHlZfGBAyj
+FRzxOzxp9pYE0qJhQUB1+7+udV+6nA7gU5mnAaBazoCGXxlvcsJ70wopCtBppLY6
+WFBuQAXYSLW6dqhh1gOLq2xlqyo5I3O869v3AIOpIpSPzwQxf63v
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDbiJdoDByUfS0u
+mJF8hwsJvV3uxcG6UQ1gL4JR+yP/Frw7emIkKaSagCQTjwvhmiera1QVa5HxofSi
+kQr7gm1qzpjOKlDK3J8CBlAncPYbThde9E6dWZS+GQeTFh+NDo6NNwopBgYIpWkw
+q9cgAJYgYxcVHoY4AXWeoshcd6dSgqY3lr8la+qDgqCbxA02dEPQWW+LDZq2fdiN
+RwbqvVJd1TGgb6lfZB/0pv4LRHqBvRcKjlvieX/ntfsNgja4rqUtbsZnspXnoZeD
+2A5dADsDhBc9oSTxn6ofp2QIeJHyLqkhZH+pITrTH0kfPrrYNSBCe/488EWwppJA
+se/D2u3TAgMBAAECggEBAKa1L/yUDfP4pqHWu8wrpIct5THXvIhm2lhrW3Qz2R7x
+vdkQ04wQj22/1yV/IA+eh3dV1pE5kadDTElTCVr6rWpJHqKYYafbJ2hbMOzyjAEq
+KPczYKt+hkRhL25Tg3wTTM8Rt8Z1S4mvSpTqOT+VEmvfs3yXJGdNPGtNxAbr2gT9
+xzfHtvcJsx40ZG9UNv419SAw0n/zcCRiP4sK4+aI4vfjpA8RHUjsYSxDuwLUVh8I
+XCbXOAbgxFUIgNL2ldftZmwBpCPxpE3rgpu7aOjTMJXuunNU2QAi8oI+8OsWP6zK
+O0gBwiCAULCGhjo8OZN7pa8H9G/jMZg67lXY8mkemaECgYEA9mgU5kS7wral6uu1
+yQY4Pm6hL+JKysC90Z4NTPM8LT0Pi9CKNJhuUJ/po5V17p5wMp6E2SZU9YnqqnIb
+tBK0hkOTnXEZYopfXAqM1fCnJUOnJ7OpTgVC7+7aaAh7oIQNogRZ2V96PZ2r6RpC
+S8HykiF0bTCRAv0JoRE9IS/mV8MCgYEA5BSrEoBw5OSijHciZJ/FfJzxSV9I6kmo
+E78h3STtRMpRwRo0iaqqOVBnXtcH/ptZYtLjkcaA9g0h53D4idOiOAJDj7DFKOS3
+QpTe3U/gJzphaVuvsEGShlfy/LhPpNi3vEhqVPXO9j/0HVBOkZV8Ev/bonoW+upS
+VhHwT/bCwLECgYAxHj5MSJdFETOxyJrMH7lGeLcY3HscP5+XEXKFTFdKjUl0DXX/
+VgNnfvkL6tc/YcXr0T2aK9HzwDJPF7/9/VyPBxl94PW2du7bYh8A5p/rBblkaKPv
+MY1OVsaixk4eiTROf5+JfUbY0X1bUii1AUxhZNnYij3d4qLwwIb2/p1kEQKBgQCy
+d52493nfESxD/0CRPheYv3FqOT3j3ci/0tIbqbZjGnDIScoMYteZy1lnc5jU2Bgk
+ZOIfAhWM8o+x+srvhgMsElFtUSOlMPpZBgYxZDwAVgU9HLonj9eoeY8vwsTHN7Dl
+ikBxxHmyZC6O9XTVJAQXFc91nlT2931/zb+dwnd3sQKBgQCzZiAtoRjeZn3wc4C6
+RaDaSMG5n8xRYU963ZCPTDfK8Qgx3NfdsDy/Hgkj4R8MdrQIfyY5CRLNyaPi/lIE
+yhL0Sn5R729pQOaVG8qPOJtNzH7DYJCIY8Kx2QzPOxQAb+SSrMPQkngOcSIwX4QK
+pyjqsXQo2XBTKIgErbtybZhzhw==
+-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/server_ocsp.pem b/jstests/libs/ocsp/server_ocsp.pem
index 1de7322ab97..7879c32bf5e 100644
--- a/jstests/libs/ocsp/server_ocsp.pem
+++ b/jstests/libs/ocsp/server_ocsp.pem
@@ -1,52 +1,52 @@
-----BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIEKjhRkjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIEBDCCAuygAwIBAgIEAk9cADANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMjI0MjEwMDE4WhcNNDAwMjI2MjEwMDE4WjBiMRAwDgYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2dV86UMFnZ7gln3waKS+4Kb2
-VeSTKkxc9S9yl16Mmt6Qfsgs29k7mJ2PBvGwzDdD4n3Nke06cEmTmnRDjxvHop/l
-C5QwKvd6KvjhCOnACiOt7j0pf8cYs+CRq8k8kDiQUKhwHnhUlF3mC8HS2U3NcPDo
-VaCF9H2RIDt8I/tOiHxTMe8X69SD1INAAeG8kVxAAMq93mcdyqwc9Q67/jM9HFdG
-9K0JoCitQnaFETUXZGYSR9fcYz4G4JYEK7cmX/bOglPjjxmmRw1TrPtJaHYGG5GV
-t4fSGaQP3kKSO7cNgOEvQe2OezfMtg7C29QECn5WnaOMpNAVpowhGR4fvqVtAgMB
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe9084Y8sIYDBCwqbVgX10eD/T
+cieCYVJZqA5IK5BfZNd7k6nxmHzwU5qTmz5Ez67ZCeAt12dngQRXp8wAYEDDz0oX
+3ngOOmFRPRCBcQ0acQO7lpxT8reGePXXxVyKCSxJhFUcWZeaj1nyuHSjpnXln4Cg
+rZcN2/OMR8yrWP/lFl5GYp7GW6nfIL/fnr1PieqmMNRvcd1T/pIz459Peu3akU/V
+O12+lYlmTP2lXfnSOb2BIxZa6D8djsyRjONnHI7jVU2XjWODgcdflkkjz1EHhjLo
+9EqlChrCKpEUremS4pNEGaR6VsOXc9fsiAm8gBtBplu58Wvs4mpt4fsfnb7XAgMB
AAGjga8wgawwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSO+zgwOcL+SDSFVwpydLv7fYqVyzA4
+BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQbYPpxUWvNYCV7l6pXcP91BS2DpzA4
BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAGGHGh0dHA6Ly9sb2NhbGhvc3Q6ODEw
MC9zdGF0dXMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
-CwUAA4IBAQAdzCqhH8sTwD5VMsgIPRRd4TJk/LJLQyREupLlnVgfNQkThD/n8dmo
-rMCKNi9tEJj7g8JNL5y2Dtbj90mdFZtHRKx1VZeEDGTvlv/B8yQ6bagEjtffeOsz
-sX6Qt+2XZH8LLzpWYiU8i1htBsB8w8h9/V5RIjdJgYMQXl5S+fGQ/FYD8850nEWM
-NZCRkzm2g8necZjVkXkoi4iOnuST1YgrHljTI6Iqm5j4OYSjpiSvJo990YfOW1Ig
-k7ShPgggyzKouiXnw1D4S0b7B24q2Q0Beud217xzowsh+ZMjxvOCtlcdYk6e4UDl
-dwmNyR8BAh4VMyp3Pqy4ZvOOfFUw57ig
+CwUAA4IBAQBjokH0iKrwHUmzEfnB9ALDfgL3AUsC/q7AnC4DSvylM6bkUYmsS5Os
+TA0twsu9AQlwMHkMRA6M+4yaGAMpPCHnIeJRhrOK/8lUSm3TMa0VeIvj/Sr2wf/Z
+iOJTqgrI4ZA7oQixWBlA4L2EB3wIomv27rMSPB9wW9KHCRArKEW/XZJ8hbkTHq/F
+20eyEN9v+cfJ8GEKJ1eVqHxXFtug9XlDUnvvDwx7e1uoX2UgrnGp0xJk13ek0eCS
+BiZb2RBRG0fZ/eQzIhUWfvKbmhtAr1luPkEIb2o0bt1oEgDE2NHVbg2V5vdvwzx/
+ovURi6pEsdqNQVxztanr7UBiebBr3KI1
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDP2dV86UMFnZ7g
-ln3waKS+4Kb2VeSTKkxc9S9yl16Mmt6Qfsgs29k7mJ2PBvGwzDdD4n3Nke06cEmT
-mnRDjxvHop/lC5QwKvd6KvjhCOnACiOt7j0pf8cYs+CRq8k8kDiQUKhwHnhUlF3m
-C8HS2U3NcPDoVaCF9H2RIDt8I/tOiHxTMe8X69SD1INAAeG8kVxAAMq93mcdyqwc
-9Q67/jM9HFdG9K0JoCitQnaFETUXZGYSR9fcYz4G4JYEK7cmX/bOglPjjxmmRw1T
-rPtJaHYGG5GVt4fSGaQP3kKSO7cNgOEvQe2OezfMtg7C29QECn5WnaOMpNAVpowh
-GR4fvqVtAgMBAAECggEBALYTeuLba+zFcOIIsvYglQDoxxnPkFYinZZo6lGVrCu7
-lvA5P52cUSXVwWADk0FvA5KiG9Yy2P9yUeHNUb/E4270VOFOTVgMq5IHhtGK/0lN
-GIhKxKVP29cV68lwFO7K3+H75jGhX4OoHMFi1z2fQnqPT1oXeHEgBcdV1wYedw0J
-Csi40KKxD38DOz35aL4nYIWQpsnqOvZl/BUtJ9YwpLi45maMaXZS0BwEhdfW04CJ
-BLgpN+bHWIqwVkbyp5oGFkQsvt3WhadFJ5m+FR9lJDDvQ3UAunGaOwsNt13Uivne
-gIX72nW6U//4dZhUjAwsmYZMEPwPgrSPC+dfmE7Cw8ECgYEA6GLKi1dhZwVBoVZg
-/FPYExjU1EWwx6fc+7/Sb4zqrr8K7GAiTzDJRvkeP+Slq3dnA872VzMoSR0W7WBQ
-Kr2SaAMoElua2cLtocEHKJPrYhQAHX/WtND4mgGYuUSYKGUbv2MUydFlTPNb+a8s
-8XgqlI0+qQUz7qLNQ3h+N0xSvVkCgYEA5PjMO1hwTh6XeWlTq1gLxu6/0Vubu7qY
-X874zurnDkPp15CT/e1nXX63zZXQLwJGr81o4te71Eo3q7F9UvjzcQPT41wtRoYz
-8QyUi2H1Y0GCZU5/7eaKY2udvIzFoWlBeZHCfhU7C6Y0Dn3dJsSp3qA0t80+CLKi
-M8m0AhQgwjUCgYBc7/WVGJMpwl5nCcar41RM/udPJbf3gVjNjf+5ASByVpEly6St
-CxPUQJkqcGUZWB1o1oKKiTkZVHrw4E3vafV9h5WlEeGyKVUkFbCpN88xYFJTeecC
-VXi3DuBnZ9l6fkVEm3ma5RWgWstz5e0RfT96ParLqfsE+zMgQrYno2yLsQKBgBa0
-wXQFIiXtDLJiioSMV6ajmGwHfJsSNvgRS0UhsEYO4AqbcMGWoFB6N3nwqFNxE1dt
-tEACisLTlU+2ayomO+XyLjn2sxqyRkZaLATicvYj0e1/6lnKKeEQE/VVtGd8S5zl
-onbkXhWapsDlJGAq0nmcQ34SoVs1c7ZVAz/NhS4dAoGAMV7ukfLL22F2ZRDzf8Fu
-q2U5jHxT36uUjWj7tn6YC8fJ51MGLvVui+smE1Mh8xA9Z1PLx1Se5qhZj6L4463O
-2YvFEFXdyd43BLBGP6ghECzfgWlZNdgY5CGESP8p/+UOp9I5q0M6h8D/ZoM4TxY2
-mFrqhyTjOKb+xnuLzzuQZqw=
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDe9084Y8sIYDBC
+wqbVgX10eD/TcieCYVJZqA5IK5BfZNd7k6nxmHzwU5qTmz5Ez67ZCeAt12dngQRX
+p8wAYEDDz0oX3ngOOmFRPRCBcQ0acQO7lpxT8reGePXXxVyKCSxJhFUcWZeaj1ny
+uHSjpnXln4CgrZcN2/OMR8yrWP/lFl5GYp7GW6nfIL/fnr1PieqmMNRvcd1T/pIz
+459Peu3akU/VO12+lYlmTP2lXfnSOb2BIxZa6D8djsyRjONnHI7jVU2XjWODgcdf
+lkkjz1EHhjLo9EqlChrCKpEUremS4pNEGaR6VsOXc9fsiAm8gBtBplu58Wvs4mpt
+4fsfnb7XAgMBAAECggEBAMvjCK0/DBVvqBIUX20TyT3tDCh11c0y45QaylySgaXJ
+2AYoBJppX66ANPTPXESeSXwsvLQOqn8KiocBaNnbKr4j2tQy2kPgfMdF+Mb1Mw8/
+0zMByZg2dj5gdCbIUhPjyXy8pvuSrcBnX9BFflt7x4mfroa/1kaVIIPh0DXL38yC
+TvGkEQFHFTd7BB2aOjy10TK8XByIEZXGtJXM1tXTABxSA0/TGGH6ec2p0hCOEpGj
+Zrv5KOvWJVd2MSdTKk5ecUAgd/1Grqf1TLZ5gU2jYoVq6p6Aj4UTdDpB4J5hstAP
+iApNUlLJpl20hiDagef296NYImgJr99Mhxj3imht33kCgYEA/0iNQA5mW+auM//l
+sKo+OD1jyfCUMI5uVioeP45Z7r2DgSpTHSMs7bI2vsGgbJZVZ9bU8SGFeWw8RO2f
+Wy98ppazgVYGpdfYRXI8j394qO2wudg0RRFk7GpjVMEwt55aCbsK5CaLTMvlx80P
+w5r05IRLFu2Hd7PfNSiCWAWq2oMCgYEA35eIxEgU2ngjAjcNbe0FnY1uzraaQhGu
+E0IWahfp9Keqn68CuBUgrpEZTRU7ZWWpNDDA/bgj7QhaJvktX+K72bI4EoBRWVRQ
+bSv8Xh2MyG81/geOe4dw6BvEx6oQCxRM+NB/EKKd4CWnkNzKMIOcObuaEGnj97IX
+v8VaBKi4qh0CgYAVw0afZlrdjM3fCvq209yYCMvABG1tska/u7l2a5lJHAjg8w3A
+1yXWYbH/ExytBSfkwVDH+baaQlrk+WjzahnzTbeh2AabDsqWKQX2qcRMim7deQwD
+s1bqPKuZJxsTHEHKwJJOHucTNfKx1M56O3STIqAQJVG+J6xoqLpr7JfDJwKBgQC1
+A5gM2BJR4ErvYyRzJx2RtMvNfFWcQXX9T1aYI64bjJX82xHHeAtSaFPkbNj+OPRo
+NUQ45BfpsQZTYQ2UABp2nur4R3wUZscJ6z9P7npoVmiOtQ1sAnWs47ZGsu50GcZK
+9Xi5Pf20Vqe3BpiF+DbFIpUSzrdpc3v4nExJU1LVHQKBgQD35hNSA7SK05nYopcf
+yPf3dp82jgMW+EcyQoBphGXxBhmp28am4t1NB7Cco0SlJoOlQzYhor7EcONbck2S
+zQIB2wEBKPSme5k7XYPWE7nPsWN7tHuD+vdSR1e3I3HXHql4KcEDYb+rtEKj2zPc
+aGlsE5CspKyK8BKyK5eiNSxl+w==
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/server_ocsp_mustStaple.pem b/jstests/libs/ocsp/server_ocsp_mustStaple.pem
index 034c38f5cb7..0be077f7853 100644
--- a/jstests/libs/ocsp/server_ocsp_mustStaple.pem
+++ b/jstests/libs/ocsp/server_ocsp_mustStaple.pem
@@ -1,52 +1,52 @@
-----BEGIN CERTIFICATE-----
-MIIEFzCCAv+gAwIBAgIEfE5DDjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIEFzCCAv+gAwIBAgIEX2bBSzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMjI0MjEwMDE4WhcNNDAwMjI2MjEwMDE4WjBiMRAwDgYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk5NF4b4c9HaxZavKKX2TDUWcI
-lV30sxg7xVwFerX5KAszbVrPYo5LVHF09bU1dQ6Aqrve6RfnjTtQcAZ7nMSSbP21
-8vC0rjfa/RBjDtjmOEX6nFMHZCK7Ed4fLtQwQ7khICJP2NyMCIF2SXN2kpTZwVEO
-XlVhI9JpiJIaANURzYLaJYOHW0k8J4cWSNiuGhy/FCAR9XoNG3+aqDQnIFGvEGfe
-7EASNWnGGd+46dKYg8LpJIBRYGLopQNkokjkX1BRdZ/WU4KC6iXT5XssSCjnmdn1
-JSzUmHI0s7F4qtKpjfw9V40J5LKPiAWOE4C/kW8gKMzx1BZpuno6edKe/vGBAgMB
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC496gVaJeZ9IL81B7BBJbkDXfs
+g8dc6Vhq7ESv2U3B458Zoc8CM2AhZVm0c4JZKKGJxlZGvuAVIb7Po/Lu+4yt84Qp
+AkV4kLicXCddH+7WhYPhcCXPYX94kFl4/+fBmaDM3SwHO3tUprkDOCYUyEkbS0iK
+BJSIfVcxte9BOPFxbpj038YRvbmhOr2z8ws2vv/g/AGd2H1fEdhFJAgMMgIpG+ya
+WN54RNNN7ZXSSqqGO+TX771pfcwi0eaJ1dTIOJlmhQB5aDGuKQSJKrDqABaLo6Hr
+hXqrHAePiUDeDRNm8KA4qh1dJSJCVwTIVRADrIJbFpT5w7n892P9iSsaUslBAgMB
AAGjgcIwgb8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSEVsnlV5H+NlpBYnO2Vw1QFzcYETA4
+BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRpGGOvFixRQgvIGNAkvE8QMOEQDTA4
BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAGGHGh0dHA6Ly9sb2NhbGhvc3Q6ODEw
MC9zdGF0dXMwEQYIKwYBBQUHARgEBTADAgEFMBoGA1UdEQQTMBGCCWxvY2FsaG9z
-dIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAuzl6656f1T+8pYGPGjmaB8wAKeza
-GY4DoQ6hk2hHmKLXl1ts8QEy/cyGDaLWfNMsqO9EQ8ZV3N78AjE5k89oRjklbV6R
-P0PpkNIdZAHXlq+cwRgj0Yi9O/+PpRtPsYWZvpFyjnObWfAf/zusR3DvQK0+zYOO
-mGZmSs7eAZkH5aw/N078W9GW9S/SZ8TWS//G4ws+Dy6MBma31B3S3Hd6+QYwADRh
-C0W5WZ5MJSAfZLbLBjZjoCTCp1TJA43Ej1kkcnvsqcfb3Z2zDP4uC++aXE56pTLa
-6/fPLKAGUNtsL/di1BDse1Q55dtdVA9jIfsXEIhJ5Uk/ODe1BLBdqkXIDw==
+dIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEASG0ggheaBCYauKm1pSXS4PULTJdf
+osGtiGjy9K8pJxRlvu7Zb7QVgdpFROiqYFnNfRV2sovKtV8Xm8O6SCYpxDQfe1Qp
+NJ1pGHKRMqtj5wAPRe8F80aa9akm7hWuWB4yhlI0f76CAdO8qn4icwQLU7OPqDno
+fG4WrC0GqSfvQNM/6Qmlkk37U9yFxtRfL3/j8tYwznyKm2pAdE2hIpyGk5LNZawT
+gMb96+OksbwMVNxLPajLugOEtvq5ipmR5Hdv3NY7aSKxus3pXRpBJpzfUHECn21T
+c7jpF2uhNfjlHQnBywYxu+XHRxp+E3uvzYI3duDGWtF2mwodYqcRawP09g==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDk5NF4b4c9HaxZ
-avKKX2TDUWcIlV30sxg7xVwFerX5KAszbVrPYo5LVHF09bU1dQ6Aqrve6RfnjTtQ
-cAZ7nMSSbP218vC0rjfa/RBjDtjmOEX6nFMHZCK7Ed4fLtQwQ7khICJP2NyMCIF2
-SXN2kpTZwVEOXlVhI9JpiJIaANURzYLaJYOHW0k8J4cWSNiuGhy/FCAR9XoNG3+a
-qDQnIFGvEGfe7EASNWnGGd+46dKYg8LpJIBRYGLopQNkokjkX1BRdZ/WU4KC6iXT
-5XssSCjnmdn1JSzUmHI0s7F4qtKpjfw9V40J5LKPiAWOE4C/kW8gKMzx1BZpuno6
-edKe/vGBAgMBAAECggEAbmBVDqGhcnxDpx7mdImJupIfgEke9KgEcJY8SLwi0lJY
-DGWYW9cnzPWcfI0b4/pdkvhB/j0i9NrrFl/fEG7Jb960/a94GXjFoIlWBJ6dQ28x
-d6c4dqD4CoOUPC9FzTxrIqkvQpfNyo0zeMn0ruICe3s4Thh5TY2Loq5j3bw3AwzQ
-jUyhxvgXKt8HfPBgtINKb2tBcVkw8brXOmCvSFGjU6pK/YjdA1WWZ8PGrRbj/rsC
-v1/IfL+pOW3nzlP8rX+oXrQvpIwPVKCdEMy81heu8JPpJ7qrzZVMqdMNui2U8rQy
-+vRfdjHFZvJSRH45mCoAwht5PhbU1PXmT3Hlkd1VAQKBgQD6KRdzNm76nAaMOGMg
-NT0uWx3szyyjDlkHEu7zQBjZdeQOr736pAZ50AH6ogUXjAA0jnGbt46bORx5bazr
-FByZr21gDa8B9AKUJ+lDSQOnN3uQPu825x7F5UHdHK7+Tg2P2XIRI02hHsnotggR
-HcmjusUfV0PhcdqSmFD0NLK8kQKBgQDqPKQmLKqUHra05Rudt5GpbNm4UqX060WH
-cxOBAGzE6pfo2RcAjN8LVHypV1xZmlyUqVWJLrST9IY0PksJikUD2AzIWimNx+A1
-SlfrO/CFN7jKdsb2nTb4urrb8IMM0tx89FmHQMd2uSOV+vIa59xxfNzb1jsgxoEY
-KzfnOO8d8QKBgH3B/onqyWuu2BPRnPNqEDGnmKmdlMD7y4Gk4P7kMBnSDC3d51GC
-98Zw7S3EGW828Dt7iF1Rr50U3t2kZxNebupLqF5rQplmw40ba0ZqBC4h1Do1iSg+
-k9fEYpH3g3lQX7z7AT7gUnw28CXOrMt+AAoRMFuLERLam5iqfbfmbhwhAoGBAL1k
-dt0e9HV7OAOf0+p8SNyS1J+CxAj6Smewli6SJ2A4xsdQ8JZTUO0aTQmnR1ZzxzO0
-jyKyjvOqnPCVBZsbH55yDDPbIwoueIzeJaRf/KPaYCHkVA+HIrGOWhQHrg6qV/j4
-oYMIz76hB7L3CtbSbp2cdf+SgpCHsE3YdAUTNdQhAoGBAKA/ZLpPfV0LYxA1M/4N
-VmIKvO1J0S5cHlZHpj7lnh6IbRJ6Q4LHJE4csR+9O0NigXncO1gvl9svMnzb3fxh
-jkp0NeQ4eTcIk4RGuyM/7epXz5HatQIDCHk8epm1zXNE2DYev7PDJJyeweup1piD
-ekxXiW/vDtya26RfJRsN5G4e
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC496gVaJeZ9IL8
+1B7BBJbkDXfsg8dc6Vhq7ESv2U3B458Zoc8CM2AhZVm0c4JZKKGJxlZGvuAVIb7P
+o/Lu+4yt84QpAkV4kLicXCddH+7WhYPhcCXPYX94kFl4/+fBmaDM3SwHO3tUprkD
+OCYUyEkbS0iKBJSIfVcxte9BOPFxbpj038YRvbmhOr2z8ws2vv/g/AGd2H1fEdhF
+JAgMMgIpG+yaWN54RNNN7ZXSSqqGO+TX771pfcwi0eaJ1dTIOJlmhQB5aDGuKQSJ
+KrDqABaLo6HrhXqrHAePiUDeDRNm8KA4qh1dJSJCVwTIVRADrIJbFpT5w7n892P9
+iSsaUslBAgMBAAECggEAchqtQQ+1vg69o5SDqFTZdLPuUCR3HxUAK223bbejJUHz
+Cw/rsRLacZ+hOBWtyqyrAmAtJxVnDQI1QMiF+/GINmMsG1RAYQD+Mc8TpXomj4Xr
+9m2FlaoyxcBewas0YBUSwm6KU6fZDD6Rka/YpidsGf9WL3Zl3tFbsdnnT5f+MheY
+eFPayE7NeNzK/ey07MUAVscFvDfqOeKzYR4ml1WXTSND1D9IN0jEh9Am04ji8XX2
+zX98rEtD9JkJatGz6SusUTVmUsKN7S+QNHlE8DZW1FfcV/l3eMVzEURTWcXjqY/0
+JyBxz+jeeEPykHknd+18r/P9uZSE7BEzlYgQqSNawQKBgQDhE7vdtO7Ec9eWIs3P
+Jez47aAFCh/BLs85heKmcVxkqz40PZVplzc3HNhAcZre3CuSMcT0+jXwRtRQ0+sG
+YOZoeubNEi56QUcKdUen9MywGTsuSJI58nTElYUjxH3f6jlE3MXpJZ4msdyDamaP
+WwJdqvXIihFqnbjGRVL5jcP/qQKBgQDSYTYF6DMGbZLzOKzoKznHGWgT4kk7BYGl
+5azWsdm1Qfk+93ZI0ryFx18Cd6Eyc25b6PZlgOc+A49RVm9VDmb1DrzOhpUt3mHe
+so9Fgi7XP61igl9wp1koBdEMPKM7q/S/jrJBwK6tFwbEvNhY0rqdkjRnnpjFAYDq
+TtD5UZ5b2QKBgCXdHQCaHIS9/CmMp1TOy4PA7eeLIXZtOn0x0cQwU9u3lxpQtd7y
+il5iItsMgYI2RbotVzXjFcnbEIKcc/A5wukWq9cZ1OnKK3pN6oUNwJVrWTJbEQZg
+jFY51REEUCyoCYRVI5IqOuXFjBQrhR9erxI03W4kE/P8noX0SZYjzDIpAoGBAKN2
+2S0Z0JvMBARsIx16iLhE63OXveLYUnZ+0R84rbqC+pGMYiIPbGBeG1qlbWDwA+3y
+Q5F26TZsOa2vhW4HdMQwoU+vjrZHNrB8+Ym+r3qchbInLtUvkrzgWCAz9XlmERPO
+Yn9oodDoNWAkg83wXwQUGBfzSSy6EFr+xq0SWANxAoGBAN/H+u2KCaj+kmRsHe02
+XOrOJbJIwB01YLN09MiEPmzGZYSs048bRZWIfHlafrekMQlWDIwFWdGLwQZLX9F/
++BOzfqZWAwxFloTMtQeSMuhQetC5XKnIaxX+QEN8aodUExPQHNmQcgub3Hfhaabd
+6G7HRtb1pM+U8NQABd9MSLvj
-----END PRIVATE KEY-----
diff --git a/jstests/libs/ocsp/server_ocsp_revoked.pem b/jstests/libs/ocsp/server_ocsp_revoked.pem
index 58d384bd065..1b41d953516 100644
--- a/jstests/libs/ocsp/server_ocsp_revoked.pem
+++ b/jstests/libs/ocsp/server_ocsp_revoked.pem
@@ -1,52 +1,52 @@
-----BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIEdaKv9TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+MIIEBDCCAuygAwIBAgIEUS4NmTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
-IFRlc3QgQ0EwHhcNMjAwMzEyMTg0OTE5WhcNNDAwMzE0MTg0OTE5WjBiMRAwDgYD
+IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjBiMRAwDgYD
VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z
dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk+5riuNs47gT9ZD0KT46Hungk
-O7nxUqrNlXW8RzbL5pE+JFapabzrjU/hpkZF+Gszjz3qTuUjiLhgfiGuex8kS3/v
-1g5DE7SXUlwtdFASYXXQz65myo+TP0t2kWt3CXZPylECbY4slX9luBV8YkyO13YH
-UQENmBT/ugfnSVyhuTc/mL7JLU9e/5RiW9fmEilaUQ1MVvHgTz7OaFX0TSTCdUL8
-e9SZs8KIX2xSbqzhUtduw7Z8k4cebNAanMsa9YX5jc9L8qMmoFU4hTiaVQBAfAb1
-PzJLNC5U0bvLg65mW63i27GHW/z6C61a9UWNYNkZrjjsXNDnimsURbU+YoB9AgMB
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwQ162xzYf6pikHhxlREZAWZbz
+nG9TFAmx7OXz7vm2NNXbr0yANpQ5Z63JexfbXvh/yR/PgGWKgPpKFghNi9SFTy10
+fg4iNp4camb095+48syhCNFllOrjMT/AUW0y0sPkCkgtG7BL8fxk+k5+sbjQpj5R
+HYHOOtPml+oL2J7k4SdjsbrXtHFwEoniw1a+tkY95cEEYVFoGz2iBqWN4LdsF1Fv
+TVBklxFlouRy9GXu/m/AGNf6n/roXecO4TH3aMdmbacHaIIgcc+K/AR4FRpuqKMO
+DpTW177tRapp7wyoQnLn1O+X2YwA5AsMMW/ow2Pc21o7NeLAFuv7WDFCRSnnAgMB
AAGjga8wgawwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRVx5C0AUFPjTmXHyE+9CHZBRooMzA4
+BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQMiLcLIeDT5NBUOFbCPhyuymS0ODA4
BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAGGHGh0dHA6Ly9sb2NhbGhvc3Q6ODEw
MC9zdGF0dXMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
-CwUAA4IBAQCzCO2JLLzamVbR0OiHk0lSIqG19lPTUHhrohNLZu490AAZuoAOLvYa
-IwlS0uuUARXg5BIOcXbIyx8kyN/Frk9FpEs7eFUYKdd6LFkjhoJPxgMzmfe+7leS
-1gAHD51QnN5hHskbAh8X9D3Op9ScVEuT43nesNCf59pMnnQ/d1nKG0ZMyBHxuQya
-H94I2N3VFSEBwq2imnyeevrmcwCk9wVGkC1L+xPH0kDoe56N/wigD2+PKpw1X4mH
-C6mmp/IFHBRIgsqSm+xD6svAeYDsXlrJ0FUFFCkk4sYimif9VvKGofRHzlXK2hk8
-NntIaM5fuxaZQLixVE7u6SOKP05NEud7
+CwUAA4IBAQBUZ6Y5b3dJ5aePPjB0ukvr6OuubRcs5PtXnHtnUB2oboNr30q03OzG
+KX8kPzKMqn7NuEWPPvLXqHXW+mpcc0SVssSYKAQa/XSTq46hY+7S5J/2yezJYYDF
+RWMfPAteBhJjbJtkJU1A3u/WRmavytL6RH+tOiNOsHJwNrgh8igtepWZO6zDFVKw
+2rvWbTw5B34/sZEBgKDK0uWcg4hrbJ2WB9Z8JUx2+linsYtLSvOPoxVX62ffpWAy
+MkWh7utPn9NWGz66saisDGIEdjPoyewt1vXdmifb9pEcdhfuBSo1cWxk87GqW69T
+2lFdiHEMtjcyLOUJHSHVi9h+njE1OSdl
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCk+5riuNs47gT9
-ZD0KT46HungkO7nxUqrNlXW8RzbL5pE+JFapabzrjU/hpkZF+Gszjz3qTuUjiLhg
-fiGuex8kS3/v1g5DE7SXUlwtdFASYXXQz65myo+TP0t2kWt3CXZPylECbY4slX9l
-uBV8YkyO13YHUQENmBT/ugfnSVyhuTc/mL7JLU9e/5RiW9fmEilaUQ1MVvHgTz7O
-aFX0TSTCdUL8e9SZs8KIX2xSbqzhUtduw7Z8k4cebNAanMsa9YX5jc9L8qMmoFU4
-hTiaVQBAfAb1PzJLNC5U0bvLg65mW63i27GHW/z6C61a9UWNYNkZrjjsXNDnimsU
-RbU+YoB9AgMBAAECggEAfMPNYLF9D3NokJtyUc7SMbCBVJ1aQ7ZJdskVTTnppY8K
-vZzLcLiG5vdptnKA6D8yCr7DiuL5A8NL86TPIdz4MwFpkd0l0fIf+uOM088HEq9j
-YnL8J739j9Qo5FSamV2tfC+6zYQ+JVc1DZ6FmRfZX5hvKJ9IlZgyISX0/iKLi7yH
-neGSyoXtJHTORPXEQCVoCvviCU2GtEcvJgFnMkMC5Y6DabOG61zRwhxLDZavuQa8
-157tSknx+Vo3zgX9uqhFG5iU61+HTAGvhr6xm9IvAyvq+M6++vIeOehvwjgcID54
-5iGK1HblZr/3ji4pUZ/2Ln3iUcmSECk3KLKluB4V/QKBgQDUNNohtr83Qkw/iO1M
-7UANHTaxgYM8VP3GhXAnOX2fScFH5o5SA668SsT4q/r+iHdzAkLBSBoDtJ1KW+M7
-tpQK5a47MlGUZVFuC0/98DXxIsi2+FGcb3niRwTkxSNJHo2/+8o2tFEwC/j66Nwj
-/Byqzz2tcMfBbxZ2sLuYAVSutwKBgQDHB93TBgoysOexrAM/QOZbhcZRdJlPRXEi
-7TbnhEoNk1lW4MV9rKE1X/Uzc14uZcyK5hD6h4L65Y5UaNTNsCVrVZasDVVR3aKV
-iojMLMz2OOwVhyjVQ7ya6HTW7bUfAQk3av6HPzywK86y45+s9fKq2ybbXyxj+M4q
-dc4hIRRWawKBgAjWHpMy0emSKCypHgCLDJS/N6zSkM1tWJfwrIflm/aLErJUxm5h
-2t/aWTNlrfD1a8vtNyxnPTYUSkxzYRX2d1mw0L2ETeNZCLgFXpJbc1OUODluQ6+4
-8KFchbalAuAjlpF9AaGfhpXyma6RDcGt2N+/+3iCbr7+SjgtCdK9k3InAoGAP9VD
-DLokLSvVs4Miq3fKKdJWz6sgvG7eIUCJWmlwQrheb+G5FVx3e6HiB3VZ4HGfz3CI
-Q4GQvZ1AL8xLbAixh6I0p8vC8HWv/lwnEazQs6t/9EucCgImjFw/lOs6Ks5vQUnc
-hk3+zdXO/krI3HUpNikBZlw45XtXzABqcu+kES8CgYAZsUensmyPiChLw7vyy8RT
-1+wBAxH6Z6z8v+t2H507pOre9DvI2UzupjcOWitim7wWUzI6xd9Nj+8RU7C0zDW8
-ia47ccc20pI6iyHhMJYLXauRQ0hhDrV0QPFap/piIgjAElnH8lwrQxpGEr5+S675
-+ulUZj1Zl7XoR1Coip03FA==
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwQ162xzYf6pik
+HhxlREZAWZbznG9TFAmx7OXz7vm2NNXbr0yANpQ5Z63JexfbXvh/yR/PgGWKgPpK
+FghNi9SFTy10fg4iNp4camb095+48syhCNFllOrjMT/AUW0y0sPkCkgtG7BL8fxk
++k5+sbjQpj5RHYHOOtPml+oL2J7k4SdjsbrXtHFwEoniw1a+tkY95cEEYVFoGz2i
+BqWN4LdsF1FvTVBklxFlouRy9GXu/m/AGNf6n/roXecO4TH3aMdmbacHaIIgcc+K
+/AR4FRpuqKMODpTW177tRapp7wyoQnLn1O+X2YwA5AsMMW/ow2Pc21o7NeLAFuv7
+WDFCRSnnAgMBAAECggEAOxor7Q+5N1R7YDR0gwQ0pikkM4VV0r6aTZ3IsVWFR7JJ
+r0MFXMxwQRthq3hp1HXwzzBKSVKdOabrxeHDYPUtCpI1BKWr6Y70z0RiR2usk+Bd
++vUw+WXIqOt/m+XxvqPraVCFSRLKt3xpjBZeMZ84AEZuCNbjCpqxKNXxdY1qIgZK
+U4RD9GWLlKHevJ6o+JohdvEtpw+3tXhpvyQVSMkwm+fXHMQP59Ckk/GBNCgSpv/x
+es7YTAQk+2WEFhy9pDPgyhGLxAMWZgi0cJ5LwtDe0ub30Tq/ZJL47U0XkOipXdnr
+8npRq+oFzaZgq7lR3gpzKkVXGR7aljBNWldCpfZvoQKBgQDkNTewvAx6TJ9okmZC
+GzwbhATZ0lqRnlzmuSfzxs91nh9AuaRt4X9Q6pvntYXS0JksRfrXMdnKrXfWSpJX
+8v3FIxtiA9zkpDi+l/GQVSRSNPUACIMX4zCQwys9FnuioM67O/XZ2hcUrnVR/w0j
+kJzCSORqdcR2uD9RP2WvKeDzEQKBgQDFuq825J4ZMyjn/f8Mv64BwOtGpkMD5q4B
+FKC2rwFluBvvJtVj3uWbf3b/GN3Oq6/HzshglKAbGmD8iSo9Y5bVsTVJjPo5LkYz
+kXeDR5gw7ErjCK8GFk5thgG4RJJXNYLdQo5RBfqkzkz1ZSSbGmSF6dbuTEylyfL8
+gHUQvfdddwKBgH10NBVYi5OAI/Ic6VJWHokR3ojQdzGuWWwNRcVh+hKyxoOSiq5N
+VOxqzSJoTBVEz6/jGK7MnOoqysJnZGQtFQ0W66rKbNjU3s0IQqgR5lG7AyTtiQPM
+xZoPcOm4Pmd896k+oT0OA7o+3gghqltu2H6GC+vqqgKJ72T+8SuGXj/BAoGASwyn
+spMluvTjIuMSaplah4ndA2zZ5OIqy3gz5AMa6avu1mAMAKM6zUGdPggHMImT56gC
+AD6JYqApjdDWOoTRXHyteCRNWWTJ+orNLQQArRkS94d1Pz86N3H0tyc30GgcKrU3
+ZWN6lhFDvqTMNx7WZsmx7bMCKK81TkfHpzojaNMCgYB/dk8/7W8MqrahvsV+xw/t
+D32xS19iTNtYfOmqQLG57suVrgP+ChFk2fyRcvdxw5hPZ76ku+R2JzTHZFRDBTpY
+/oTcB4McGElar/C/Ma5iOb6fueP5dLNX+b2Kn5ooYL5xR7l0+pc3RBNG6gK2NqtL
+VipKPVOfuFBH0hyXEUls7w==
-----END PRIVATE KEY-----
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 1cff413b531..1d8691bd26e 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -17,8 +17,9 @@ class MockOCSPServer {
*
* @param {string} fault_type
* @param {number} next_update_secs
+ * @param {boolean} responder_is_ca
*/
- constructor(fault_type, next_update_secs) {
+ constructor(fault_type, next_update_secs, responder_is_ca = false) {
this.python = "python3";
this.fault_type = fault_type;
@@ -26,10 +27,16 @@ class MockOCSPServer {
this.python = "python.exe";
}
+ if (responder_is_ca) {
+ this.ocsp_cert_file = OCSP_CA_CERT;
+ this.ocsp_cert_key = OCSP_CA_KEY;
+ } else {
+ this.ocsp_cert_file = OCSP_RESPONDER_CERT;
+ this.ocsp_cert_key = OCSP_RESPONDER_KEY;
+ }
+
print("Using python interpreter: " + this.python);
- this.ca_file = OCSP_CA_CERT;
- this.ocsp_cert_file = OCSP_RESPONDER_CERT;
- this.ocsp_cert_key = OCSP_RESPONDER_KEY;
+ this.ca_file = OCSP_CA_PEM;
// The port must be hard coded to match the port of the
// responder in the certificates.
this.port = 8100;
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index b5aa320518f..9855c9405ad 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -4,7 +4,9 @@
load("jstests/ssl/libs/ssl_helpers.js");
-const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.pem";
+const OCSP_CA_PEM = "jstests/libs/ocsp/ca_ocsp.pem";
+const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.crt";
+const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key";
const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem";
const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem";
const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem";
@@ -37,7 +39,7 @@ var waitForServer = function(conn) {
host,
'--tls',
'--tlsCAFile',
- OCSP_CA_CERT,
+ OCSP_CA_PEM,
'--tlsCertificateKeyFile',
OCSP_CLIENT_CERT,
'--tlsAllowInvalidCertificates',
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js
index eb784793681..c8a635dace9 100644
--- a/jstests/ocsp/ocsp_basic.js
+++ b/jstests/ocsp/ocsp_basic.js
@@ -9,7 +9,7 @@ load("jstests/ocsp/lib/mock_ocsp.js");
var ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
new file mode 100644
index 00000000000..0a13d0acad7
--- /dev/null
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -0,0 +1,52 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() === "apple") {
+ return;
+}
+
+clearOCSPCache();
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ },
+};
+
+// This is to test what happens when the responder is down,
+// making sure that we soft fail.
+let conn = null;
+
+let mock_ocsp = new MockOCSPServer("", 1, true);
+mock_ocsp.start();
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true);
+mock_ocsp.start();
+
+assert.throws(() => {
+ new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}()); \ No newline at end of file
diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js
index b4f7ccae42b..062b25094c8 100644
--- a/jstests/ocsp/ocsp_connection_type_testing.js
+++ b/jstests/ocsp/ocsp_connection_type_testing.js
@@ -24,7 +24,7 @@ MongoRunner.runHangAnalyzer.disable();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_must_staple.js b/jstests/ocsp/ocsp_must_staple.js
index 229572ec2d1..1cef7d23e3e 100644
--- a/jstests/ocsp/ocsp_must_staple.js
+++ b/jstests/ocsp/ocsp_must_staple.js
@@ -20,7 +20,7 @@ mock_ocsp.start();
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
index b3fa01c959a..699f6e397f2 100644
--- a/jstests/ocsp/ocsp_server_refresh.js
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -20,7 +20,7 @@ mock_ocsp.start();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 707c90f05f0..02671770fb6 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -6,7 +6,7 @@ load("jstests/ocsp/lib/mock_ocsp.js");
(function() {
"use strict";
-if (determineSSLProvider() != "openssl") {
+if (determineSSLProvider() !== "openssl") {
return;
}
@@ -14,73 +14,78 @@ if (!supportsStapling()) {
return;
}
-const ocsp_options = {
- sslMode: "requireSSL",
- sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
- sslAllowInvalidHostnames: "",
- setParameter: {
- "ocspEnabled": "true",
- },
-};
-
-// This is to test what happens when the responder is down,
-// making sure that we soft fail.
-let conn = null;
-
-assert.doesNotThrow(() => {
- conn = MongoRunner.runMongod(ocsp_options);
-});
-
-MongoRunner.stopMongod(conn);
-
-let mock_ocsp = new MockOCSPServer("", 1000);
-mock_ocsp.start();
-
-// In this scenario, the Mongod has the ocsp response stapled
-// which should allow the connection to proceed. Even when the
-// responder says that the certificate is revoked, the mongod
-// should still have the old response stashed and doesn't have
-// to refresh the response, so the shell should connect.
-assert.doesNotThrow(() => {
+var test = function(responderCA) {
+ const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "ocspEnabled": "true",
+ },
+ };
+
+ // This is to test what happens when the responder is down,
+ // making sure that we soft fail.
+ let conn = null;
+
+ assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+ });
+
+ MongoRunner.stopMongod(conn);
+
+ let mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ mock_ocsp.start();
+
+ // In this scenario, the Mongod has the ocsp response stapled
+ // which should allow the connection to proceed. Even when the
+ // responder says that the certificate is revoked, the mongod
+ // should still have the old response stashed and doesn't have
+ // to refresh the response, so the shell should connect.
+ assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+ });
+ mock_ocsp.stop();
+
+ mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCA);
+ mock_ocsp.start();
+ assert.doesNotThrow(() => {
+ new Mongo(conn.host);
+ });
+
+ MongoRunner.stopMongod(conn);
+
+ // This is the same scenario as above, except that the mongod has
+ // the status saying that the certificate is revoked. If we have a shell
+ // waiting to connect, it will fail because the certificate status of
+ // the mongod's cert is revoked.
+ Object.extend(ocsp_options, {waitForConnect: false});
conn = MongoRunner.runMongod(ocsp_options);
-});
-mock_ocsp.stop();
-
-mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000);
-mock_ocsp.start();
-assert.doesNotThrow(() => {
- new Mongo(conn.host);
-});
-MongoRunner.stopMongod(conn);
+ waitForServer(conn);
-// This is the same scenario as above, except that the mongod has
-// the status saying that the certificate is revoked. If we have a shell
-// waiting to connect, it will fail because the certificate status of
-// the mongod's cert is revoked.
-Object.extend(ocsp_options, {waitForConnect: false});
-conn = MongoRunner.runMongod(ocsp_options);
+ assert.throws(() => {
+ new Mongo(conn.host);
+ });
+ mock_ocsp.stop();
-waitForServer(conn);
+ mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ mock_ocsp.start();
-assert.throws(() => {
- new Mongo(conn.host);
-});
-mock_ocsp.stop();
+ assert.throws(() => {
+ new Mongo(conn.host);
+ });
-mock_ocsp = new MockOCSPServer("", 1000);
-mock_ocsp.start();
+ MongoRunner.stopMongod(conn);
-assert.throws(() => {
- new Mongo(conn.host);
-});
-
-MongoRunner.stopMongod(conn);
+ // The mongoRunner spawns a new Mongo Object to validate the collections which races
+ // with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+ // sleep to make sure that the threads don't interfere with each other.
+ sleep(1000);
+ mock_ocsp.stop();
+};
-// The mongoRunner spawns a new Mongo Object to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
-// sleep to make sure that the threads don't interfere with each other.
-sleep(1000);
-mock_ocsp.stop();
+test(false);
+test(true);
}()); \ No newline at end of file
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index f51f7cee79f..ff36cd9d6ad 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -335,6 +335,8 @@ certs:
Issuer: self
include_header: false
output_path: 'jstests/libs/ocsp/'
+ keyfile: 'ca_ocsp.key'
+ crtfile: 'ca_ocsp.crt'
extensions:
basicConstraints:
critical: true
@@ -425,7 +427,7 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
-- name: 'ocsp_responder.crt'
+- name: 'ocsp_responder.pem'
description: Certificate and key for the OCSP responder
Subject:
CN: 'localhost'
@@ -435,6 +437,7 @@ certs:
Issuer: 'ca_ocsp.pem'
include_header: false
keyfile: 'ocsp_responder.key'
+ crtfile: 'ocsp_responder.crt'
output_path: 'jstests/libs/ocsp/'
extensions:
basicConstraints: {CA: false}
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index a33767efd64..f983967c407 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -422,11 +422,21 @@ def create_cert(cert):
cipher = 'aes256'
header = get_header_comment(cert)
+
+ if bool(cert.get('keyfile', False)) != bool(cert.get('crtfile', False)):
+ raise ValueError("Either include both keyfile and crtfile or neither")
+
# The OCSP responder certificate needs to have the key and the pem file separated.
- if cert.get('keyfile', False):
+ # Since there are only a few cases where we need split key and crt files, and since we
+ # sometimes need the unified pem file as well, we can always generate the pem file.
+ if cert.get('keyfile', False) and cert.get('crtfile', False):
keyfile = cert['keyfile']
+ crtfile = cert['crtfile']
+
key_path_dict = {'output_path': cert['output_path'], 'name': keyfile}
- open(make_filename(cert), 'wt').write(
+ crt_path_dict = {'output_path': cert['output_path'], 'name': crtfile}
+
+ open(make_filename(crt_path_dict), 'wt').write(
header +
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii'))
@@ -434,12 +444,10 @@ def create_cert(cert):
header +
OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
- else:
- # OCSP certificates cannot have comments because the Mock OCSP responder cannot process comments in Certificates
- open(make_filename(cert), 'wt').write(
- header +
- OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
- OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
+ open(make_filename(cert), 'wt').write(
+ header +
+ OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
+ OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
if cert.get('pkcs1'):
convert_cert_to_pkcs1(cert)
@@ -594,7 +602,7 @@ def validate_config():
if not CONFIG.get('certs'):
raise ValueError('No certificates defined')
- permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'include_header', 'key_type', 'keyfile', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12', 'version']
+ permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'include_header', 'key_type', 'keyfile', 'crtfile', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12', 'version']
for cert in CONFIG.get('certs', []):
keys = cert.keys()
if not 'name' in keys:
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 22f4170bd92..91b5a7341f0 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -97,6 +97,22 @@ using UniqueX509StoreCtx =
using UniqueX509 = std::unique_ptr<X509, OpenSSLDeleter<decltype(X509_free), ::X509_free>>;
+// This deleter should be used when you have a stack of X509 objects that you own and that
+// needs to be deleted.
+struct X509StackDeleter {
+ void operator()(STACK_OF(X509) * chain) {
+ if (chain) {
+ sk_X509_pop_free(chain, X509_free);
+ }
+ }
+};
+
+// If we have an X509 Stack that is owned by an internal SSL Object, we need to use this
+// deleter.
+struct X509StackDeleterNoOp {
+ void operator()(STACK_OF(X509) * chain) {}
+};
+
// Modulus for Diffie-Hellman parameter 'ffdhe3072' defined in RFC 7919
constexpr std::array<std::uint8_t, 384> ffdhe3072_p = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
@@ -287,15 +303,7 @@ X509* X509_OBJECT_get0_X509(const X509_OBJECT* a) {
return a->data.x509;
}
-// On OpenSSL < 1.1.0, this chain isn't attached to
-// the SSL session, so we need it to dispose of itself.
-struct VerifiedChainDeleter {
- void operator()(STACK_OF(X509) * chain) {
- if (chain) {
- sk_X509_pop_free(chain, X509_free);
- }
- }
-};
+using UniqueVerifiedChainPolyfill = std::unique_ptr<STACK_OF(X509), X509StackDeleter>;
STACK_OF(X509) * SSL_get0_verified_chain(SSL* s) {
auto* store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));
@@ -348,13 +356,10 @@ static int const NID_tlsfeature = OBJ_create(tlsFeatureOID.identifier.c_str(),
tlsFeatureOID.longDescription.c_str());
#else
-// No-op deleter for OpenSSL >= 1.1.0
-struct VerifiedChainDeleter {
- void operator()(STACK_OF(X509) * chain) {}
-};
+using UniqueVerifiedChainPolyfill = std::unique_ptr<STACK_OF(X509), X509StackDeleterNoOp>;
+
#endif
-using UniqueVerifiedChainPolyfill = std::unique_ptr<STACK_OF(X509), VerifiedChainDeleter>;
UniqueVerifiedChainPolyfill SSLgetVerifiedChain(SSL* s) {
return UniqueVerifiedChainPolyfill(SSL_get0_verified_chain(s));
}
@@ -1674,6 +1679,8 @@ Future<void> SSLManagerOpenSSL::ocspClientVerification(SSL* ssl, const ExecutorP
return convert(std::move(semifuture)).onCompletion(validate).then(refetchIfInvalidAndReturn);
}
+using StoreCtxVerifiedChain = std::unique_ptr<STACK_OF(X509), X509StackDeleter>;
+
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
if (MONGO_unlikely(disableStapling.shouldFail()) || !tlsOCSPEnabled) {
@@ -1693,14 +1700,26 @@ Status SSLManagerOpenSSL::stapleOCSPResponse(SSL_CTX* context) {
}
auto fetchAndStaple = [context, cert]() -> Future<Milliseconds> {
- STACK_OF(X509) * intermediateCertsPtr;
+ // Generate a new verified X509StoreContext to get our own certificate chain
+ UniqueX509StoreCtx storeCtx(X509_STORE_CTX_new());
+ if (!storeCtx) {
+ return getSSLFailure("Could not create X509 store.");
+ }
+
+ if (X509_STORE_CTX_init(storeCtx.get(), SSL_CTX_get_cert_store(context), NULL, NULL) == 0) {
+ return getSSLFailure("Could not initialize the X509 Store Context.");
+ }
+
+ X509_STORE_CTX_set_cert(storeCtx.get(), cert);
- if (SSL_CTX_get0_chain_certs(context, &intermediateCertsPtr) == 0) {
- return getSSLFailure("Could not get chain for SSL Context.");
+ if (X509_verify_cert(storeCtx.get()) <= 0) {
+ return getSSLFailure("Could not verify X509 certificate store for OCSP Stapling.");
}
- UniqueVerifiedChainPolyfill intermediateCerts(intermediateCertsPtr);
+ // Extract the chain from the verified X509StoreCtx
+ StoreCtxVerifiedChain intermediateCerts(X509_STORE_CTX_get1_chain(storeCtx.get()));
+ // Continue with OCSP Stapling logic
auto swOCSPContext = extractOcspUris(context, cert, intermediateCerts.get());
if (!swOCSPContext.isOK()) {
LOGV2_WARNING(23232, "Could not staple OCSP response to outgoing certificate.");
View Lorry Controller Status