Question

Why doesn't PDF Reader show the embedded OCSP response?

I haven't even used crlClient:

MakeSignature.signDetached(sap, new BouncyCastleDigest(), es, chain, null, ocspClient, tsClient, 0, MakeSignature.CryptoStandard.CMS);
// chain[0] - signer certificate
// chain[1] - OperCA certificate (signer's issuer)
// chain[2] - RootCA (OperCA's issuer)

The PDF revocation tab details show:

The selected certificate is considered valid because it does not appear in the Certificate Revocation List (CRL) that is contained in the local cache.

The CRL was signed by "B-Trust Operational CA QES <[hidden email]>" on 2014/02/19 07:53:35 +02'00' and is valid until 2014/03/21 07:53:35 +02'00'.

I want to achieve Figure 3.8, "A digital signature with an embedded OCSP response", from Bruno Lowagie's free white paper.

What am I doing wrong or missing?

Here is the Certification path and sample pdf.

Best Regards, Valentino


Solution

The actual issue is that even when the PDF has only an OCSP response embedded, Acrobat Reader doesn't show it, but shows the local CRL instead.

This is caused by an OCSP certificate that does not conform to RFC 6960 or RFC 2560.

Wrong OCSP certificate path:

Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
Root CA -> OCSP

Right OCSP certification path:

Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
           Operational CA -> OCSP
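
An added example (not part of the original answer and not iText code): a stand-alone Java check, using only the JDK, of the condition described above, following the authorized-responder rules of RFC 6960 section 4.2.2.2. The class and method names are hypothetical, and locally configured trusted responders and validity dates are not checked.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

public class OcspResponderPathCheck {
    // id-kp-OCSPSigning extended key usage OID (RFC 6960, section 4.2.2.2)
    static final String OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    /** Returns null if the responder may sign for certificates issued by issuingCa, else the reason. */
    static String whyNotAuthorized(X509Certificate responder, X509Certificate issuingCa)
            throws GeneralSecurityException {
        // Case 1: the issuing CA signs OCSP responses with its own certificate.
        if (responder.equals(issuingCa)) return null;
        // Case 2: delegated responder, which must be issued directly by that same CA.
        if (!responder.getIssuerX500Principal().equals(issuingCa.getSubjectX500Principal()))
            return "issued by [" + responder.getIssuerX500Principal().getName()
                    + "], not by [" + issuingCa.getSubjectX500Principal().getName() + "]";
        try {
            responder.verify(issuingCa.getPublicKey()); // names can collide, so check the signature
        } catch (GeneralSecurityException e) {
            return "signature does not verify under the issuing CA key: " + e.getMessage();
        }
        List<String> eku = responder.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null || !eku.contains(OCSP_SIGNING))
            return "extended key usage lacks id-kp-OCSPSigning";
        return null;
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Arguments: the OCSP responder certificate, then the issuer of the signer certificate (chain[1] above).
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: OcspResponderPathCheck <responder.cer> <issuing-ca.cer>");
            System.exit(2);
        }
        String reason = whyNotAuthorized(load(args[0]), load(args[1]));
        System.out.println(reason == null ? "OK: responder is authorized by the issuing CA"
                                          : "NOT AUTHORIZED: " + reason);
        System.exit(reason == null ? 0 : 1);
    }
}
```

With the "wrong" path above, the check reports that the responder was issued by the Root CA rather than by the Operational CA.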
Licensed under: CC-BY-SA with attribution