In testing my OCSP responder configuration I've found that the following openssl command: openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp returns: Response verify OK client.cer: good This Update: Oct 31 11:43:47 2019 GMT Next Update: Nov 2 00:03:47 2019 GMT I see that there is a client keyword in the verify section of the eap configuration file. I'm wondering if I can I substitute this command for the default openssl verify command prototyped in the file? In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command. From: Mike DiBella Sent: Wednesday, October 30, 2019 3:08 PM To: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org> Subject: OCSP Response Signed by other CA I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all. I think freeradius is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior. I've already tried concatenating the OCSP signer to the client trust certificate file, but freeradius still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted". Any ideas?