From db966ebee6e19418baa7a5f838e65580c5412f03 Mon Sep 17 00:00:00 2001
From: Chris Kelley
Date: Wed, 12 Jul 2023 22:19:08 +0100
Subject: [PATCH] For unknown certificates OCSP should have unknown CertStatus
---
 base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
index 5485e888df5..f77ef239a62 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -415,7 +415,9 @@ public SingleResponse processRequest(Request req) throws Exception {
 }
 if (theCert == null) {
- throw new Exception("Issuer certificate not found/served");
+ logger.info("Missing issuer certificate");
+ // Unknown cert so respond with unknown state
+ return new SingleResponse(cid, new UnknownInfo(), new GeneralizedTime(new Date()), null);
 }
 if (theCRL == null) {
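Review bot: The new `logger.info("Missing issuer certificate");` in the `theCert == null` branch records nothing about which certificate was asked for, so an operator reading the log cannot tell a misdirected client from repeated queries for issuers this responder does not serve. Consider carrying the request's identifier in the message, for example `logger.info("Missing issuer certificate for request serial " + cid.getSerialNumber());`, assuming `cid` is the request's CertID as the `SingleResponse` call suggests. How `theCert` is populated lies outside the hunk; if a failed store lookup can also leave it null, this branch would now return an `unknown` status for a certificate the responder does serve, so it is worth confirming that lookup errors still surface as exceptions instead of reaching this return. processRequest's body starts and ends outside the hunk.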