Further to #8, I'm very confused as to how to create valid OCSP certificate chains for dual stack (ECC + RSA) certificates. This comes up in things like nginx, where we can say:
```nginx
ssl_certificate /etc/ssl/example.com.combined.crt;
ssl_certificate_key /etc/ssl/example.com.key;
ssl_certificate /etc/ssl/example.com-ecc.combined.crt;
ssl_certificate_key /etc/ssl/example.com-ecc.key;
ssl_trusted_certificate /etc/ssl/cert-bundle-rsa-ecc.crt;
```
so we have multiple certificates, but only a single opportunity to specify a trusted cert chain to use for OCSP. I don't know exactly how this should be formatted since it needs to contain 2 or more intermediate -> root chains, i.e. I don't know whether it should contain:
- intermediate1
- root1
- intermediate2
- root2
or
- intermediate1
- intermediate2
- root1
- root2
or, if they need to share a root (some ECC certs are signed using an RSA root):
- intermediate1
- intermediate2
- root
So it would be very useful if sslmerge could help get this right.
(and yes, it is dumb that openssl can't figure out the cert order itself by matching IDs)
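One way to assemble the single `ssl_trusted_certificate` bundle from the two combined chain files (leaf first, then intermediates, as nginx expects) plus the root certificates, as an added example that is not part of the issue or of sslmerge: it takes the non-leaf certificates from each chain, appends the roots, and drops duplicates so the shared-root case yields one root entry; the file names and the `roots.crt` input are assumptions.

```bash
#!/bin/sh
# Build an nginx ssl_trusted_certificate bundle for dual-stack (RSA + ECC) setups.
# Added example; file names are assumptions, not taken from the issue.
set -eu

# Print PEM certificate N (1-based) from FILE; N=0 prints every cert except the first (the leaf).
pem_block() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    (want == 0 && n > 1) || (want > 0 && n == want)
  ' "$1"
}

# Concatenate PEM certs from stdin, keeping only the first copy of each identical block.
dedupe_bundle() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = "" }
    { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/ { if (!(buf in seen)) { seen[buf] = 1; printf "%s", buf } }
  '
}

# usage: build_trusted_bundle OUT ROOTS_FILE CHAIN_FILE...
# OUT receives the intermediates of every chain followed by the roots, de-duplicated.
build_trusted_bundle() {
  out=$1; roots=$2; shift 2
  { for chain; do pem_block "$chain" 0; done; cat "$roots"; } | dedupe_bundle > "$out"
}

# Number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Optional check (needs openssl): the leaf of CHAIN must verify against BUNDLE.
verify_leaf() {
  leaf=$(mktemp)
  pem_block "$2" 1 > "$leaf"
  openssl verify -CAfile "$1" -untrusted "$2" "$leaf"
  rm -f "$leaf"
}

# Example invocation with the paths from the nginx snippet (roots.crt is assumed):
# build_trusted_bundle /etc/ssl/cert-bundle-rsa-ecc.crt /etc/ssl/roots.crt \
#   /etc/ssl/example.com.combined.crt /etc/ssl/example.com-ecc.combined.crt
# verify_leaf /etc/ssl/cert-bundle-rsa-ecc.crt /etc/ssl/example.com-ecc.combined.crt
```

The verify step catches a bundle that is missing an intermediate for one of the two chains before nginx tries to staple with it.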