Can an OCSP response in DER format be converted to PEM (and back to DER)?

Time:12-08

I'm working on adding OCSP stapling to my server application. It was decided that the application itself won't query the OCSP responder, but rather another process that will periodically fetch an updated response and write it into a local database. However, the database has issues storing the certificate in DER format.

My question is whether, much like with X509 certificates, DER to PEM is a valid conversion (and then back to DER in order to staple it), or whether we need to find some alternative way to store the response in the database (e.g. base64).

Edit: Expanding the question based on Crypt32's input: can I perform this conversion using OpenSSL's C API? As far as I can tell there's support for that only with X509 objects, but I can't convert an OCSP response DER to X509 in order to do this conversion.

CodePudding user response:

You can always manually convert binary DER to a Base64-encoded string to store in the database. It is up to you how you store the data, as long as you can get a binary copy of the stored data when pure binary data is required (i.e. in OCSP stapling). That is, when you receive binary data, convert it to a Base64 string and save it in the database as text. When you need to read this data, read the Base64 string from the database, convert it back to a byte array, and pass this array to the target application.
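
The Base64 round trip described in this answer, as an added example in plain C that is not part of the original post and does not use OpenSSL. The function names are hypothetical, and the five sample bytes are a constructed OCSPResponse that carries only responseStatus unauthorized(6).

```c
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Constructed sample: SEQUENCE { ENUMERATED 6 }, i.e. an OCSPResponse with no responseBytes. */
static const unsigned char SAMPLE_OCSP_DER[] = {0x30, 0x03, 0x0A, 0x01, 0x06};

/* Encode n DER bytes as Base64 text; out needs 4*((n+2)/3)+1 bytes. Returns the text length. */
size_t der_to_b64(const unsigned char *in, size_t n, char *out) {
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Decode stored text back to the bytes to staple. Returns the exact byte count,
   or -1 if the text is malformed or out (cap bytes) is too small. */
long b64_to_der(const char *in, unsigned char *out, size_t cap) {
    size_t len = strlen(in), i, o = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        unsigned long v = 0;
        int k, pad = 0;
        for (k = 0; k < 4; k++) {
            char c = in[i + k];
            const char *p = strchr(B64, c);
            if (c == '=' && i + 4 == len && k >= 2) { pad++; v <<= 6; } /* padding only at the end */
            else if (p != NULL && pad == 0) v = (v << 6) | (unsigned long)(p - B64);
            else return -1;                 /* stray character or data after padding */
        }
        if (o + 3 - pad > cap) return -1;
        out[o++] = (unsigned char)(v >> 16);
        if (pad < 2) out[o++] = (unsigned char)(v >> 8);
        if (pad < 1) out[o++] = (unsigned char)v;
    }
    return (long)o;
}

int main(void) {
    char text[16];
    unsigned char back[8];
    der_to_b64(SAMPLE_OCSP_DER, sizeof SAMPLE_OCSP_DER, text);
    long n = b64_to_der(text, back, sizeof back);
    printf("%s -> %ld bytes\n", text, n);
    return !(n == 5 && memcmp(back, SAMPLE_OCSP_DER, 5) == 0);
}
```

OpenSSL's `EVP_EncodeBlock` and `EVP_DecodeBlock` perform the same encoding, but `EVP_DecodeBlock` counts padding as decoded bytes in its return value, so the original DER length has to be tracked separately when using it.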
