I want to verify X.509 Certificates (if they were revoked) using the OCSP Protocol and Java/Kotlin.
As this is a non-trivial task I use Java Security together with the Bouncy Castle Crypto lib.
When I run the validation an error is thrown indicating that the certificate which comes back as a response from the OCSP Responder is not valid. The problem seems to be that the value for DigitalSignature keyUsage within the certificate is set to false but true is expected.
I tried to find evidence that this is a requirement according to an RFC, but I did not find anything about this.
Can you help me with this? Is this implementation correct / the OCSP Response invalid?
More Resources: X.509 Certificate / Key Usage: .2.1.3 OCSP: .1 Bouncy Castle:
Kotlin Source code:
import java.io.File
import java.io.FileInputStream
import java.security.KeyStore
import java.security.Security
import java.security.cert.CertPathValidator
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.X509Certificate

/* validate a given cert against the OCSP Responder */
fun checkOCSPStatus(cert: X509Certificate) {
    // 1. load the java keystore that contains all issuer certs (used as trust anchors)
    val keystoreFile = File("<Filepath to keystore file>")
    val keystorePassword = "<secret>"
    val keystore = KeyStore.getInstance("JKS")
    FileInputStream(keystoreFile).use { fis ->
        keystore.load(fis, keystorePassword.toCharArray())
    }
    // 2. configure the PKIX validator to use OCSP for revocation checking
    Security.setProperty("ocsp.enable", "true")
    Security.setProperty("ocsp.responderURL", "<OCSP Responder URL>")
    val pkixParams = PKIXParameters(keystore)
    pkixParams.isRevocationEnabled = true
    // 3. validate the cert (the cert path holds only the end-entity cert; the issuer comes from the keystore)
    val cf = CertificateFactory.getInstance("X.509")
    val certPath = cf.generateCertPath(listOf(cert))
    val validator = CertPathValidator.getInstance("PKIX")
    validator.validate(certPath, pkixParams) // this line throws java.security.InvalidKeyException: Wrong key usage
}
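For diagnosing a rejected responder certificate it helps to look at the two properties the relevant RFCs attach to it: RFC 5280 section 4.2.1.3 says that when keyUsage is present the key may only be used for the purposes whose bits are set, and digitalSignature is the bit covering signatures on data other than certificates and CRLs (an OCSP response is such data), while RFC 6960 section 4.2.2.2 requires a delegated responder certificate to carry the id-kp-OCSPSigning extended key usage. The following Kotlin is an added example (not the asker's code) that reads a DER-encoded OCSP response and reports these properties plus the response signature result for every certificate the responder embedded; the file path and the function and class names are assumptions, and a responder that signs with the CA key directly embeds no certificate, so the list is then empty.

```kotlin
import org.bouncycastle.asn1.x509.ExtendedKeyUsage
import org.bouncycastle.asn1.x509.KeyPurposeId
import org.bouncycastle.asn1.x509.KeyUsage
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder
import java.io.File
import java.security.Security

/* Findings for one certificate embedded in the OCSP response (hypothetical name). */
data class ResponderCertCheck(
    val subject: String,
    val keyUsagePresent: Boolean,     // keyUsage extension exists at all
    val digitalSignatureBit: Boolean, // RFC 5280 4.2.1.3: bit needed for signing an OCSP response
    val ocspSigningEku: Boolean,      // RFC 6960 4.2.2.2: id-kp-OCSPSigning for delegated responders
    val signatureValid: Boolean       // response signature verifies under this certificate's key
)

/* Parse a DER-encoded OCSP response and inspect every certificate it carries. */
fun inspectOcspResponse(der: ByteArray): List<ResponderCertCheck> {
    val resp = OCSPResp(der)
    // Only a successful response (status 0) carries a BasicOCSPResponse with a signature.
    val basic = resp.responseObject as? BasicOCSPResp
        ?: error("no BasicOCSPResponse in response, status=${resp.status}")
    return basic.certs.map { holder: X509CertificateHolder ->
        val ku = KeyUsage.fromExtensions(holder.extensions)          // null if extension absent
        val eku = ExtendedKeyUsage.fromExtensions(holder.extensions) // null if extension absent
        val verifier = JcaContentVerifierProviderBuilder().setProvider("BC").build(holder)
        ResponderCertCheck(
            subject = holder.subject.toString(),
            keyUsagePresent = ku != null,
            digitalSignatureBit = ku?.hasUsages(KeyUsage.digitalSignature) ?: false,
            ocspSigningEku = eku?.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning) ?: false,
            signatureValid = basic.isSignatureValid(verifier)
        )
    }
}

fun main() {
    Security.addProvider(BouncyCastleProvider())
    // Assumed input: the raw response saved from the responder, e.g. with openssl ocsp -respout.
    val der = File("<path to DER-encoded OCSP response>").readBytes()
    inspectOcspResponse(der).forEach { println(it) }
}
```

A certificate whose keyUsage is present with digitalSignature false, or which lacks id-kp-OCSPSigning while not being the issuing CA itself, is one the PKIX validator is entitled to reject regardless of whether the signature itself verifies.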