Hi there!

I would like to know how I can get the issuer certificate to initialize my CertificateID. What I am trying to do is to verify the certificate using ocsp on an email server. Here I do not have the issuer certificate. Would I be able to instantiate a issuer certificate form the certificate I have in the email? Because otherwise the ocsp would not make much sense if I need to have a repository of issuer certificates.


....
CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, certificate.getSerialNumber());
OCSPReqGenerator oscpGenerator = new OCSPReqGenerator();
oscpGenerator.addRequest(id);
....


i.) Where can I get the issuerCert (X509Certificate) from, i.e. at run-time, if I don't have it stored and also do not have an url to fetch it?

I will be very greatful for your help!

Unfortunately you need the issuer certificate, or at least some parts of it to get OCSP to work. You can see problem if you look at the ASN.1 structure for CertID:

CertID ::= SEQUENCE {
       hashAlgorithm AlgorithmIdentifier,
       issuerNameHash OCTET STRING, -- Hash of Issuer's DN
       issuerKeyHash OCTET STRING, -- Hash of Issuers public key
       serialNumber CertificateSerialNumber }

It requires the issuer DN and the hash of the issuer's public key. A better question to ask is how will you verify the signature on the end entity certificate if you don't have the issuer certificate? If you cannot do that there's no point in using OCSP as well.

Regards,

David

Thank you so very much. You have completely clarified my query. With best regards, Mark :-)