I made an error. I didn't actually add OCSPSigning extended key usage to the
OCSP responder cert.
My attempt(which I found at the mailing list archive) was bad:
openssl x509 -in 03.crt -inform PEM -addtrust OCSPSigning -out
ocsp_resp_cert.pem
"-addtrust" is another command for another purposes.
To add OCSPSigning extended key usage to the OCSP responder cert we must use "-extension" option during signing
certificate request.
OCSP verification works now. The problem is closed.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
