Just on the off-chance, anyone know of an example of an otherwise-normal public x509 certificate that doesn't have an OCSP responder URI in it? I'd construct one myself, but (a) I'm not sure I can face slogging through writing yet more openssl commands, and (b) I'd like to have one that I didn't create, so I can use it to test something I did create. Don't test your own assumptions against your own assumptions, kids.

Reason: I have a bunch of stuff that manages my web front-end and ensures every HTTPS response has a stapled OCSP response. With Let's Encrypt (and presumably later others) deprecating OCSP and about to stop serving it entirely within a few months, I want to make my management scripts able to recognise OCSP-less certificates and not (a) wasting their time trying to get responses from them, and (b) marking them unusable due to not having a valid OCSP response to staple.

Thank you. :>