Hi, There is nothing (that I could find) in the ocsp(1) doc on how to generate OCSP responder certificates with openssl.
In the openssl.cnf you need: [ ocsp_cert ] extendedKeyUsage = OCSP Signing then add "-extensions ocsp_cert" on the "openssl ca" command to generate the cert. Note the space in the OID name! Using "OCSPsigning" doesn't work. There is also an unrelated mistake in the doc: " OCSP Response verification ... Initially the OCSP responder certificate is located and the signature on the OCSP request checked using the responder certificate's public key. " Should be "... and the signature on the OCSP response checked ...". OCSP request checking is something different. Regards, Simon McMahon ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]