Hi Steve,

> Err no it doesn't, it isn't part of EKU.

That's what I thought but I couldn't find "noCheck = yes" and stumbled onto the eku method.

When I use "extendedKeyUsage = OCSP Signing, OCSP No Check" OpenSSL generates:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Extended Key Usage:
            OCSP Signing, id-pkix-ocsp-nocheck

So I thought this was where it goes. I also know of at least one other PKI implementation that makes this mistake.

Thanks for clearing up how to use OpenSSL correctly for this.

Cheers,
Simon McMahon

"Dr. Stephen Henson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/07/2006 10:10 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: ocsp-nocheck

On Tue, Nov 07, 2006, Simon McMahon wrote:

> Found it: extendedKeyUsage = OCSP Signing, OCSP No Check
> does the trick.
>

Err no it doesn't, it isn't part of EKU.

> The RFC doesn't exactly make this clear that 'nocheck' is a part of
> ExtendedKeyUsage but I guess that is not OpenSSL's problem.
>

That isn't how it's used. You should do:

noCheck = yes

though the value (the "yes" bit) is ignored and can be anything.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
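
Added example, not part of the original thread or of OpenSSL: a small check that reports whether id-pkix-ocsp-nocheck appears as its own certificate extension or was placed inside Extended Key Usage, which is the mix-up discussed above. The helper names and the two sample Extensions structures are constructed for illustration and assume the DER Extensions field has already been extracted from the certificate.

```python
# Added example: classify where id-pkix-ocsp-nocheck appears in a DER
# Extensions structure. All sample bytes below are constructed, not captured.
EKU_OID = bytes.fromhex("551d25")                 # 2.5.29.37 extendedKeyUsage
OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # 1.3.6.1.5.5.7.3.9
NOCHECK = bytes.fromhex("2b0601050507300105")     # 1.3.6.1.5.5.7.48.1.5

def tlv(tag, body):
    """Encode one DER TLV (short-form length, enough for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlvs(data):
    """Yield (tag, value) for each TLV in data; short and long-form lengths."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def nocheck_placement(extensions_der):
    """Return a set containing 'extension' and/or 'eku'."""
    found = set()
    (_, ext_list), = read_tlvs(extensions_der)
    for _, ext_body in read_tlvs(ext_list):
        fields = list(read_tlvs(ext_body))
        oid, value = fields[0][1], fields[-1][1]   # skips optional critical flag
        if oid == NOCHECK:
            found.add("extension")
        elif oid == EKU_OID:
            (_, purposes), = read_tlvs(value)
            if NOCHECK in (v for _, v in read_tlvs(purposes)):
                found.add("eku")
    return found

def ext(oid, value):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value))

def eku(*purposes):
    return ext(EKU_OID, tlv(0x30, b"".join(tlv(0x06, p) for p in purposes)))

# Constructed: modelled on "extendedKeyUsage = OCSP Signing, OCSP No Check".
WRONG = tlv(0x30, eku(OCSP_SIGNING, NOCHECK))
# Constructed: modelled on "extendedKeyUsage = OCSP Signing" plus "noCheck = yes".
RIGHT = tlv(0x30, eku(OCSP_SIGNING) + ext(NOCHECK, tlv(0x05, b"")))
```

A result of {'eku'} flags a responder certificate issued with the EKU method; {'extension'} is the placement produced by the noCheck setting.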