I have a server that supports multiple CA chains. The old CA has neither CRL enabled nor the “Authority Information Access” (AIA) certificate extension in the issued certificates. The new chain has both enabled.
When I tried to enable CRL or OCSP checking, I found that it broke the SSL verification for the old CA chain. There is no way to enable CRL/OCSP for only the new CA chain.
When the NGINX option "ssl_ocsp" is enabled (with "on" or "leaf"), the certificate's OCSP responder URL is picked up from the “Authority Information Access” (AIA) certificate extension. For the certificates issued by the old chain, since the “Authority Information Access” (AIA) extension is missing from the certificate, the verification fails with "FAILED:certificate status request failed". Based on the code, the "ssl_ocsp_responder" option also requires AIA.
The same behavior exists with "ssl_crl". When enabled, it requires a CRL for all CA chains. It cannot be enabled for the new CA chain only.
For both "ssl_ocsp" and "ssl_crl", it would be great to have an option that says "use OCSP if the certificate has AIA and ignore it otherwise" or "check the CRL if one is available for a given CA chain, otherwise ignore it".
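An added check for the situation described above, not part of the original post or of NGINX: the script below uses openssl to build two throwaway client certificates, one from an "old" CA whose leaf carries neither AIA nor a CRL distribution point and one from a "new" CA whose leaf has both, then audits each for the AIA OCSP URI that "ssl_ocsp" looks up. Running the same audit over the real client certificates before turning the option on shows which ones would fail with "certificate status request failed". The make_chain, ocsp_uri, has_crl_dp and audit functions, the CA names and the example.test URLs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build two throwaway client
# certificates, one without AIA/CRL DP ("old" chain) and one with both
# ("new" chain), then audit them for the extensions that nginx's ssl_ocsp
# and ssl_crl depend on. All names and URLs below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# make_chain NAME yes|no -> writes $WORK/NAME-ca.crt and $WORK/NAME-client.crt;
# "yes" adds an OCSP AIA entry and a CRL distribution point to the client cert
make_chain() {
    name="$1"; with_exts="$2"
    # hypothetical self-signed CA for this chain
    openssl req -x509 $KEYOPTS -subj "/CN=$name CA" -days 30 \
        -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.crt" >/dev/null 2>&1
    # client key and CSR
    openssl req $KEYOPTS -subj "/CN=$name client" \
        -keyout "$WORK/$name-client.key" -out "$WORK/$name-client.csr" >/dev/null 2>&1
    # leaf extensions; only the "new" chain gets AIA and a CRL DP
    {
        printf '[leaf]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n'
        if [ "$with_exts" = yes ]; then
            printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n'
            printf 'crlDistributionPoints = URI:http://crl.example.test/%s.crl\n' "$name"
        fi
    } > "$WORK/$name-ext.cnf"
    # sign the client cert with the chain's CA
    openssl x509 -req -in "$WORK/$name-client.csr" \
        -CA "$WORK/$name-ca.crt" -CAkey "$WORK/$name-ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/$name-ext.cnf" -extensions leaf \
        -out "$WORK/$name-client.crt" >/dev/null 2>&1
}

# ocsp_uri CERT -> prints the OCSP responder URI from the AIA extension
# (prints nothing when the certificate has no AIA, which is what ssl_ocsp trips on)
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# has_crl_dp CERT -> succeeds if the cert carries a CRL Distribution Points extension
has_crl_dp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }

# audit CERT -> "ok" if ssl_ocsp could find a responder for it, "no-aia" otherwise
audit() {
    if [ -n "$(ocsp_uri "$1")" ]; then echo ok; else echo no-aia; fi
}

make_chain old no
make_chain new yes
for n in old new; do
    crl=no; has_crl_dp "$WORK/$n-client.crt" && crl=yes
    printf '%s chain: ocsp=%s crl_dp=%s\n' "$n" "$(audit "$WORK/$n-client.crt")" "$crl"
done
# old chain: ocsp=no-aia crl_dp=no
# new chain: ocsp=ok crl_dp=yes
```

To use this against a real deployment, point audit and has_crl_dp at the client certificates the server actually receives; with "ssl_ocsp leaf" only the client certificate's AIA matters, while with "ssl_ocsp on" every intermediate in the chain needs it as well, so the CA bundle given to "ssl_client_certificate" should be audited too.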