On Tue, Mar 23, 2010, Konrads Smelkovs wrote:

> Hi,
> The OCSP responder has EKU=OCSP:
> 
>        X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
>             X509v3 Extended Key Usage:
>                 OCSP
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation
>             X509v3 Authority Key Identifier:
>                 keyid:CC:C3:F5:66:FF:73:AC:38:5A:96:1B:21:89:B8:81:4C:1F:CB:5E:25
>
> I attached OCSP cert. I believe this is setup #2 you described.

It also has to be signed by the same CAs as the certificates it covers; a CA
certificate higher up the chain is not permitted in that case.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
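
Added example, not part of the original thread or OpenSSL's code: a Python check of the rule in the reply above (a delegated responder needs the OCSP signing EKU and must be issued directly by the CA that issued the certificate it covers), using the `cryptography` package. The certificate names, `make_cert` and `is_authorized_responder` are hypothetical, and the certificates are constructed test data.

```python
# Added example: all certificates below are constructed for the demonstration.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def make_cert(cn, issuer_cn, pubkey, signing_key, eku=None):
    """Build a constructed test certificate (hypothetical helper)."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=30)))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def is_authorized_responder(responder, target, issuing_ca):
    """True if `responder` may sign OCSP responses for `target` by delegation."""
    try:
        eku = responder.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        return False
    # issuing_ca must be the direct issuer of the certificate being checked...
    if target.issuer != issuing_ca.subject or responder.issuer != issuing_ca.subject:
        return False
    # ...and must have signed the responder certificate itself.
    try:
        issuing_ca.public_key().verify(responder.signature,
            responder.tbs_certificate_bytes, ec.ECDSA(responder.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def demo():
    root_k, inter_k, k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ocsp = [ExtendedKeyUsageOID.OCSP_SIGNING]
    inter = make_cert("Demo Issuing CA", "Demo Root CA", inter_k.public_key(), root_k)
    leaf = make_cert("leaf.example", "Demo Issuing CA", k.public_key(), inter_k)
    same_ca = make_cert("OCSP A", "Demo Issuing CA", k.public_key(), inter_k, ocsp)
    higher = make_cert("OCSP B", "Demo Root CA", k.public_key(), root_k, ocsp)
    no_eku = make_cert("OCSP C", "Demo Issuing CA", k.public_key(), inter_k)
    return [is_authorized_responder(r, leaf, inter) for r in (same_ca, higher, no_eku)]
```

`demo()` returns one result per responder: the one issued by the same CA as the leaf is accepted, while the one issued by the root higher up the chain and the one without the OCSP signing EKU are rejected.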