Hi Steve,
> Err no it doesn't, it isn't part of EKU.
That's what I thought but I couldn't find "noCheck = yes" and stumbled
onto the eku method.
When I use "extendedKeyUsage = OCSP Signing, OCSP No Check"
OpenSSL generates:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Extended Key Usage:
            OCSP Signing, id-pkix-ocsp-nocheck
So I thought this was where it goes. I also know of at least one other PKI
implementation that makes this mistake.
Thanks for clearing up how to use OpenSSL correctly for this.
Cheers,
Simon McMahon
"Dr. Stephen Henson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/07/2006 10:10 PM
Please respond to: [email protected]
To: [email protected]
cc:
Subject: Re: ocsp-nocheck
On Tue, Nov 07, 2006, Simon McMahon wrote:
> Found it: extendedKeyUsage = OCSP Signing, OCSP No Check
> does the trick.
>
Err no it doesn't, it isn't part of EKU.
> The RFC doesn't exactly make this clear that 'nocheck' is a part of
> ExtendedKeyUsage but I guess that is not OpenSSL's problem.
>
That isn't how it's used. You should do:
noCheck = yes
though the value (the "yes" bit) is ignored and can be anything.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
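Added example, not part of the original thread and not OpenSSL code: the two configurations discussed above differ in where the id-pkix-ocsp-nocheck OID (1.3.6.1.5.5.7.48.1.5) ends up, either as its own certificate extension with a NULL value (the noCheck = yes form) or as a purpose listed inside Extended Key Usage (the mistake). The Python below walks a DER-encoded Extensions block and reports which case it sees; the function names and the two sample blocks are constructed for illustration.

```python
NOCHECK = "1.3.6.1.5.5.7.48.1.5"       # id-pkix-ocsp-nocheck
EKU = "2.5.29.37"                      # id-ce-extKeyUsage
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"     # id-kp-OCSPSigning
def tlv(tag, body=b""):                # DER element, short-form length (samples only)
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):                   # assumes arcs after the first two are < 128
    a, b, *rest = map(int, dotted.split("."))
    return tlv(0x06, bytes([40 * a + b, *rest]))

def dec_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:            # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def children(body):                    # yield (tag, content) for each nested element
    i = 0
    while i < len(body):
        tag, length, i = body[i], body[i + 1], i + 2
        if length & 0x80:              # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(body[i:i + n], "big"), i + n
        yield tag, body[i:i + length]
        i += length

def nocheck_placement(extensions_der):
    """Return 'extension', 'eku' (the mistake in this thread) or 'absent'."""
    (_, exts), = children(extensions_der)
    found = "absent"
    for _, ext in children(exts):
        fields = list(children(ext))   # extnID, [critical], extnValue
        ext_id, value = dec_oid(fields[0][1]), fields[-1][1]
        if ext_id == NOCHECK:
            return "extension"
        if ext_id == EKU:
            (_, purposes), = children(value)
            if NOCHECK in [dec_oid(o) for _, o in children(purposes)]:
                found = "eku"
    return found

def ext(oid, inner):                   # Extension ::= SEQUENCE { extnID, extnValue }
    return tlv(0x30, enc_oid(oid) + tlv(0x04, inner))
# Constructed samples: the EKU misuse, and the stand-alone extension with a NULL value.
WRONG = tlv(0x30, ext(EKU, tlv(0x30, enc_oid(OCSP_SIGNING) + enc_oid(NOCHECK))))
RIGHT = tlv(0x30, ext(EKU, tlv(0x30, enc_oid(OCSP_SIGNING))) + ext(NOCHECK, tlv(0x05)))
```

nocheck_placement(WRONG) returns 'eku' and nocheck_placement(RIGHT) returns 'extension'; a relying party that looks for the nocheck extension will not find it in the first certificate.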