Found it:

    extendedKeyUsage = OCSP Signing, OCSP No Check

does the trick.

The RFC doesn't exactly make it clear that 'nocheck' is a part of
ExtendedKeyUsage, but I guess that is not OpenSSL's problem.

Thanks.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
