On Tue, Mar 23, 2010 at 4:54 PM, Patrick Patterson
<ppatter...@carillonis.com> wrote:
>> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.
>>
> I hope you realize that there are MANY warnings against doing this for
> other than test purposes - for one thing, the server will fall over and
> die if it encounters any sort of error at all (there is an option that
> you can give it to stop it doing that that I can't recall at the moment,
> but I still wouldn't trust it for any sort of load at all).

Alas, I realize no such thing :-(  By "doing this", what do you mean?
Running an OCSP responder, or having a single-purpose cert?

Can you please expound a bit?


>> What's the MINIMAL (Extended)KeyUsage for the cert?
>>
> Well, according to the framers of the FBCA Certificate Policy, and the
> CertiPath certificate policy (which count among them, several of the
> authors of the OCSP standards), KU for an OCSP server should be:
>
> digitalSignature, nonRepudiation
>
> with an EKU of: OCSPSigning
>
> and the OCSPNoCheck extension present (to avoid looping).

Maybe I'm reading the wrong doc.  @,

 http://www.idmanagement.gov/fpkipa/documents/CertCRLprofileForCP.pdf
 "X.509 Certificate and Certificate Revocation List (CRL) Extensions
  Worksheet 10: Certificate Profile for Delegated OCSP Responders"
Pg 51

seems to imply only required KU of 'digitalSignature'.  no?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
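As an added example (not from this thread and not OpenSSL project code), the following script issues a single-purpose OCSP responder certificate with the profile being discussed: EKU OCSPSigning, the id-pkix-ocsp-nocheck extension, and a key usage passed in as a parameter so that both the FBCA/CertiPath variant (digitalSignature, nonRepudiation) and the Worksheet 10 reading (digitalSignature only) can be minted and inspected. The demo CA, subject names, 30-day validity, key sizes and file names are assumptions for the demo; the extension keywords (keyUsage, extendedKeyUsage, noCheck) are the ones documented in OpenSSL's x509v3_config page.

```shell
#!/bin/sh
# Added example: mint a delegated OCSP responder cert under a throwaway CA
# and dump its extensions so the KU/EKU/noCheck profile can be checked.
# Assumptions: openssl CLI on PATH, RSA-2048 keys, 30-day validity,
# names "Demo Issuing CA" / "Demo OCSP Responder", files under $WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed issuing CA (assumption: the demo CA is the responder's issuer,
# i.e. the "delegated responder" case, which is what OCSPSigning is for).
make_demo_ca() {
    [ -f "$WORK/ca.pem" ] && return 0
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Issuing CA" -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# $1: keyUsage value, e.g. "digitalSignature" or
#     "digitalSignature,nonRepudiation"   (default: digitalSignature)
# $2: output certificate path              (default: $WORK/OCSP.cert.pem)
make_ocsp_responder_cert() {
    KU="${1:-digitalSignature}"
    OUT="${2:-$WORK/OCSP.cert.pem}"
    make_demo_ca

    # Extension profile for the responder: not a CA, requested KU,
    # EKU restricted to OCSP signing, and noCheck so a client does not try
    # to fetch OCSP status for the responder cert itself (the loop the
    # thread mentions). "noCheck = ignored": the value is ignored by OpenSSL,
    # only the presence of the extension matters.
    cat > "$WORK/ocsp.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,$KU
extendedKeyUsage = critical,OCSPSigning
noCheck = ignored
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # CSR for a fresh responder key, then sign it under the demo CA with the
    # profile above (extensions come from the CSR only if -extfile is absent,
    # so the CA stays in control of what ends up in the cert).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo OCSP Responder" \
        -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ocsp.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/ocsp.ext" \
        -out "$OUT" >/dev/null 2>&1
    echo "$OUT"
}

# Human-readable dump of a certificate; the X509v3 extension section is
# where Key Usage, Extended Key Usage and "OCSP No Check" appear.
ocsp_cert_text() {
    openssl x509 -in "${1:-$WORK/OCSP.cert.pem}" -noout -text
}

# Usage: mint the minimal (digitalSignature-only) responder cert and show it.
# make_ocsp_responder_cert digitalSignature "$WORK/OCSP.cert.pem" >/dev/null
# ocsp_cert_text "$WORK/OCSP.cert.pem" | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
```

Running the same function with "digitalSignature,nonRepudiation" as the first argument produces the FBCA/CertiPath flavour; the dump then shows "Non Repudiation" alongside "Digital Signature", while the EKU and "OCSP No Check" lines are the same in both. Either cert can be handed to `openssl ocsp -rsigner ... -rkey ...` as the single-purpose responder identity the thread describes.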