diff --git a/src/internal.c b/src/internal.c
index ce5f1326d..7c7ef3774 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4846,7 +4846,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 
             InitOcspResponse(response, status, input +*inOutIdx, status_length);
 
-            if ((ret = OcspResponseDecode(response)) == 0) {
+            if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) {
                 if (response->responseStatus != OCSP_SUCCESSFUL)
                     ret = BAD_CERTIFICATE_STATUS_ERROR;
                 else if (CompareOcspReqResp(request, response) != 0)
diff --git a/src/ocsp.c b/src/ocsp.c
index aa1a97252..567a67de8 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -294,7 +294,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest)
         XMEMSET(newStatus, 0, sizeof(CertStatus));
 
         InitOcspResponse(ocspResponse, newStatus, response, ret);
-        OcspResponseDecode(ocspResponse);
+        OcspResponseDecode(ocspResponse, ocsp->cm);
 
         if (ocspResponse->responseStatus != OCSP_SUCCESSFUL)
             ret = OCSP_LOOKUP_FAIL;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 57a5c38af..90e9e19b6 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8645,12 +8645,13 @@ static int DecodeCerts(byte* source,
     return 0;
 }
 
-static int DecodeBasicOcspResponse(byte* source,
-                            word32* ioIndex, OcspResponse* resp, word32 size)
+static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
+                                      OcspResponse* resp, word32 size, void* cm)
 {
     int length;
     word32 idx = *ioIndex;
     word32 end_index;
+    int ret;
 
     WOLFSSL_ENTER("DecodeBasicOcspResponse");
 
@@ -8686,13 +8687,12 @@ static int DecodeBasicOcspResponse(byte* source,
     if (idx < end_index)
     {
         DecodedCert cert;
-        int ret;
 
         if (DecodeCerts(source, &idx, resp, size) < 0)
             return ASN_PARSE_E;
 
         InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
-        ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0);
+        ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
         if (ret < 0)
             return ret;
 
@@ -8707,6 +8707,20 @@ static int DecodeBasicOcspResponse(byte* source,
             return ASN_OCSP_CONFIRM_E;
         }
     }
+    else {
+        Signer* ca = GetCA(cm, resp->issuerHash);
+
+        if (ca)
+            ret = ConfirmSignature(resp->response, resp->responseSz,
+                                   ca->publicKey, ca->pubKeySize, ca->keyOID,
+                                   resp->sig, resp->sigSz, resp->sigOID, NULL);
+
+        if (!ca || ret == 0)
+        {
+            WOLFSSL_MSG("\tOCSP Confirm signature failed");
+            return ASN_OCSP_CONFIRM_E;
+        }
+    }
 
     *ioIndex = idx;
     return 0;
@@ -8735,7 +8749,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
 }
 
 
-int OcspResponseDecode(OcspResponse* resp)
+int OcspResponseDecode(OcspResponse* resp, void* cm)
 {
     int length = 0;
     word32 idx = 0;
@@ -8779,7 +8793,7 @@ int OcspResponseDecode(OcspResponse* resp)
     if (GetLength(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
 
-    if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
+    if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0)
         return ASN_PARSE_E;
 
     return 0;
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 76832d9a6..b1a132514 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -720,7 +720,7 @@ struct OcspRequest {
 
 
 WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
-WOLFSSL_LOCAL int  OcspResponseDecode(OcspResponse*);
+WOLFSSL_LOCAL int  OcspResponseDecode(OcspResponse*, void*);
 
 WOLFSSL_LOCAL int    InitOcspRequest(OcspRequest*, DecodedCert*, byte);
 WOLFSSL_LOCAL void   FreeOcspRequest(OcspRequest*);