Re: ocsp-nocheck

2006-11-07 Thread Dr. Stephen Henson
s now :-)

> When I use "extendedKeyUsage = OCSP Signing, OCSP No Check"
> OpenSSL generates:
>
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> X509v3 Extended Key Usage:
> OCSP Signing,

Re: ocsp-nocheck

2006-11-07 Thread Simon McMahon
sions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing, id-pkix-ocsp-nocheck

So I thought this was where it goes. I also know of at least one other PKI implementation that makes this mistake. Thanks for clearing up how

Re: ocsp-nocheck

2006-11-07 Thread Dr. Stephen Henson
On Tue, Nov 07, 2006, Simon McMahon wrote:

> Found it: extendedKeyUsage = OCSP Signing, OCSP No Check
> does the trick.

Err no it doesn't it isn't part of EKU.

> The RFC doesn't exactly make this clear that 'nocheck' is a part of
> ExtendedKeyUsage but I guess that is not OpenSSL's prob

Re: ocsp-nocheck

2006-11-06 Thread Simon McMahon
Found it: extendedKeyUsage = OCSP Signing, OCSP No Check does the trick. The RFC doesn't exactly make this clear that 'nocheck' is a part of ExtendedKeyUsage but I guess that is not OpenSSL's problem. Thanks.

ocsp-nocheck

2006-11-06 Thread Simon McMahon
Hi,

From RFC 2560:

- A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension should be NUL