I'm planning to run openssl ocsp in server mode,

    openssl ocsp \
        -index /svr/demoCA/index.txt \
        -port 8888 \
        -CA /svr/demoCA/certs/CA/CA.cert.pem \
        -rsigner /svr/demoCA/crl/OCSP.cert.pem \
        -rkey /svr/demoCA/crl/OCSP.privkey.pem \
        -text -out /var/log/ocsp.log

where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.

What's the MINIMAL (Extended)KeyUsage for the cert?

Currently, I have

    cat /svr/demoCA/crl/OCSP.cert.pem | grep -i usage -A1
        X509v3 Extended Key Usage:
            OCSPsigning
    --
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment

Obviously, the "OCSPsigning" Extended usage is required.

Which, if any/all, of the "Digital Signature, Non Repudiation, Key Encipherment" KeyUsage specifications are required, if this cert will be used ONLY for/by the OCSP responder daemon?

Thanks.