diff --git a/changelog/28450.txt b/changelog/28450.txt
new file mode 100644
index 000000000000..38f27478e854
--- /dev/null
+++ b/changelog/28450.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG.
+```
\ No newline at end of file
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
index 872ca717da5e..888d2025176b 100644
--- a/sdk/helper/ocsp/client.go
+++ b/sdk/helper/ocsp/client.go
@@ -612,6 +612,7 @@ func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.
 timeout := defaultOCSPResponderTimeout
 ocspClient := retryablehttp.NewClient()
+ ocspClient.Logger = c.Logger()
 ocspClient.RetryMax = conf.OcspMaxRetries
 ocspClient.HTTPClient.Timeout = timeout
 ocspClient.HTTPClient.Transport = newInsecureOcspTransport(conf.ExtraCas)
diff --git a/sdk/helper/ocsp/ocsp_test.go b/sdk/helper/ocsp/ocsp_test.go
index 063756d28cae..fcd868e2d613 100644
--- a/sdk/helper/ocsp/ocsp_test.go
+++ b/sdk/helper/ocsp/ocsp_test.go
@@ -50,15 +50,16 @@ func TestOCSP(t *testing.T) {
 for _, tgt := range targetURL {
 c.ocspResponseCache, _ = lru.New2Q(10)
 for _, tr := range transports {
- c := &http.Client{
- Transport: tr,
- Timeout: 30 * time.Second,
- }
- req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
+ ocspClient := retryablehttp.NewClient()
+ ocspClient.Logger = c.Logger()
+ ocspClient.RetryMax = conf.OcspMaxRetries
+ ocspClient.HTTPClient.Timeout = 30 * time.Second
+ ocspClient.HTTPClient.Transport = tr
+ req, err := retryablehttp.NewRequest("GET", tgt, bytes.NewReader(nil))
 if err != nil {
 t.Fatalf("fail to create a request. err: %v", err)
 }
- res, err := c.Do(req)
+ res, err := ocspClient.Do(req)
 if err != nil {
 t.Fatalf("failed to GET contents. err: %v", err)
 }
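Review bot: The added `ocspClient.Logger = c.Logger()` line in GetRevocationStatus has no comment saying why the logger is overridden, and the reason is exactly the bug this commit fixes, so it deserves one: `// Route retryablehttp's output (request URLs, retry attempts) through Vault's leveled logger; the default retryablehttp logger writes DEBUG lines to stderr regardless of Vault's log level.` Two caveats a maintainer should know are worth recording in that comment as well: retryablehttp's Logger field is an untyped `interface{}` that is type-checked lazily, so the value returned by `c.Logger()` must satisfy retryablehttp's Logger or LeveledLogger interface or the first request will panic, and a typed-nil pointer stored in it would not be treated as "no logger" — I cannot see the return type of `c.Logger()` from this hunk, so confirm it is an interface-typed value (hclog.Logger or similar) and that nil is acceptable. GetRevocationStatus starts and ends outside the hunk.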
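Review bot: The rewritten client setup in TestOCSP exercises the retryablehttp path but does not verify the behaviour the changelog describes, namely that retryablehttp's debug output now goes through the Vault logger and honours its level; if the outer `c` was constructed with a nil or default logger, the test passes whether or not `ocspClient.Logger` is set. Consider building `c` with a buffer-backed leveled logger at a level above DEBUG and asserting after `ocspClient.Do(req)` that the buffer contains no `[DEBUG]` lines, which would make the regression observable. Note also that the removed `c := &http.Client{...}` shadowed the outer `c`, so the new `c.Logger()` now refers to the outer ocsp client — intended here, but worth a one-line comment such as `// c is the ocsp Client under test; its logger is wired into retryablehttp exactly as GetRevocationStatus does.` The four setup lines now duplicate those in GetRevocationStatus, so a small package-level constructor shared by both would keep the test from drifting if the production wiring changes again. TestOCSP starts and ends outside the hunk, and `conf` and `transports` are defined outside it.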