➢ Thanks for the clarification. Per the spec, then, a certificate designated to 
sign OCSP responses is required to have the ocsp-sign bit in the key usage 
extensions set.
➢ How does openssl handle cases where this requirement is violated?

Look at check_delegated() in ocsp/ocsp_vfy.c. It returns an error.


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
