diff --git a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
index 961b6afc895..80ab4419a2a 100644
--- a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
@@ -107,6 +107,7 @@
 import com.netscape.certsrv.ca.ECAException;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
 import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.CRLSigningInfoEvent;
@@ -1557,25 +1558,27 @@ public OCSPResponse validate(OCSPRequest request)
          *    Otherwise, we move forward to generate and sign the
          *    aggregate OCSP response.
          */
-        CertificateAuthority ocspCA = this;
-        if (engine.getCAs().size() > 0 && tbsReq.getRequestCount() > 0) {
+        for (CertificateAuthority ocspCA: engine.getCAs()) {
             Request req = tbsReq.getRequestAt(0);
-            BigInteger serialNo = req.getCertID().getSerialNumber();
-
-            try {
-                CertificateRepository certificateRepository = engine.getCertificateRepository();
-                X509CertImpl cert = certificateRepository.getX509Certificate(serialNo);
-
-                X500Name certIssuerDN = (X500Name) cert.getIssuerDN();
-                ocspCA = engine.getCA(certIssuerDN);
-            } catch (EBaseException e) {
-                // If we don't know the issuer allow this CA to validate
-                // and report the CertStatus as Unknown
+            CertID cid = req.getCertID();
+            byte[] nameHash = null;
+            String digestName = cid.getDigestName();
+            if (digestName != null) {
+                try {
+                    MessageDigest md = MessageDigest.getInstance(digestName);
+                    nameHash = md.digest(ocspCA.getSubjectObj().getX500Name().getEncoded());
+                } catch (NoSuchAlgorithmException | IOException e) {
+                    logger.info("CertificateAuthority: OCSP request hash algorithm " + digestName + " not recognised - ");
+                }
+            }
+            if(Arrays.equals(nameHash, cid.getIssuerNameHash().toByteArray())) {
+                if(ocspCA != this) {
+                    return ((IOCSPService) ocspCA).validate(request);
+                }
+                break;
             }
         }
 
-        if (ocspCA != this)
-            return ((IOCSPService) ocspCA).validate(request);
 
         logger.debug("CertificateAuthority: validating OCSP request");
 
@@ -1734,11 +1737,14 @@ private BasicOCSPResponse sign(ResponseData rd) throws EBaseException {
         }
     }
 
-    private SingleResponse processRequest(Request req) {
+    public SingleResponse processRequest(Request req) {
 
         CAEngine engine = CAEngine.getInstance();
         CertificateRepository certificateRepository = engine.getCertificateRepository();
 
+        X509CertImpl caCert = mSigningUnit.getCertImpl();
+        X509Key key = (X509Key) caCert.getPublicKey();
+
         CertID cid = req.getCertID();
         INTEGER serialNo = cid.getSerialNumber();
         logger.debug("CertificateAuthority: processing request for cert 0x" + serialNo.toString(16));
@@ -1747,15 +1753,18 @@ private SingleResponse processRequest(Request req) {
         GeneralizedTime thisUpdate = new GeneralizedTime(new Date());
 
         byte[] nameHash = null;
+        byte[] keyHash = null;
         String digestName = cid.getDigestName();
         if (digestName != null) {
             try {
                 MessageDigest md = MessageDigest.getInstance(digestName);
                 nameHash = md.digest(mName.getEncoded());
+                keyHash = md.digest(key.getKey());
             } catch (NoSuchAlgorithmException | IOException e) {
             }
         }
-        if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash)) {
+        if (!Arrays.equals(cid.getIssuerNameHash().toByteArray(), nameHash) ||
+                !Arrays.equals(cid.getIssuerKeyHash().toByteArray(), keyHash)) {
             // issuer of cert is not this CA (or we couldn't work
             // out whether it is or not due to unknown hash alg);
             // do not return status information for this cert
@@ -1834,9 +1843,12 @@ private SingleResponse processRequest(Request req) {
             } else {
                 certStatus = new UnknownInfo();
             }
-        } catch (Exception e) {
+        } catch (EDBRecordNotFoundException e) {
             // not found
-            certStatus = new UnknownInfo(); // not issued not all
+            certStatus = new GoodInfo(); // not issued not all
+        } catch (EBaseException e) {
+            // internal error
+            certStatus = new UnknownInfo();
         }
 
         return new SingleResponse(