On 18/11/16 16:09, Erwann Abalea wrote:
<snip>
60 | 1.3.6.1.5.5.7.3.9 | id-kp-OCSPSigning
Wait, what?
Depressing, isn't it.
This is a Microsoft issue. I don’t remember the exact details, but either
Microsoft PKI can’t generate a dedicated OCSP responder out of a CA if the CA
certificate is « EKU-constrained » without containing the id-kp-OCSPSigning, or
Microsoft relying parties can’t validate an OCSP response signed by such a
responder.
A consequence of the « EKU constraints ».
It's the former, and there's a workaround (which we've used successfully):
Use an untrusted root to issue an unconstrained intermediate with the
same Subject/PublicKey as the trusted, constrained intermediate (that
lacks the OCSP Signing EKU OID). Having then installed the untrusted,
unconstrained intermediate into your Microsoft CA environment, use it to
issue an OCSP responder cert. Then you can use that OCSP responder cert
in conjunction with your trusted, constrained intermediate.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
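Added worked example (not part of this thread, and not Comodo's or Microsoft's tooling): the workaround described above scripted with the openssl CLI, where all names, subjects and keys are constructed for the demo. The closing verify is the relying-party check: the responder cert must validate under the trusted, EKU-constrained intermediate even though it was issued by the shadow one.

```shell
#!/bin/sh
# Added demo of the workaround above (openssl CLI; not Comodo's or Microsoft's tooling). All names and keys are constructed.
set -e
build_demo_pki() {  # builds the whole demo PKI inside directory $1
  D=$1
  cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca_eku]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
extendedKeyUsage = serverAuth,clientAuth
[ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
EOF
  for n in trusted untrusted int ocsp; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$D/$n.key"
  done
  # Two self-signed roots: the "publicly trusted" one and a throwaway one.
  for n in trusted untrusted; do
    openssl req -x509 -new -key "$D/$n.key" -config "$D/cfg" -extensions ca \
      -subj "/CN=Demo $n root" -days 30 -out "$D/$n.pem" 2>/dev/null
  done
  # One intermediate CSR certified twice with the same Subject/PublicKey: EKU-constrained (no OCSPSigning) under the trusted root, unconstrained under the untrusted root.
  openssl req -new -key "$D/int.key" -config "$D/cfg" -subj "/CN=Demo Issuing CA" -out "$D/int.csr"
  openssl x509 -req -in "$D/int.csr" -CA "$D/trusted.pem" -CAkey "$D/trusted.key" -set_serial 1001 \
    -days 30 -extfile "$D/cfg" -extensions ca_eku -out "$D/int-trusted.pem" 2>/dev/null
  openssl x509 -req -in "$D/int.csr" -CA "$D/untrusted.pem" -CAkey "$D/untrusted.key" -set_serial 2001 \
    -days 30 -extfile "$D/cfg" -extensions ca -out "$D/int-shadow.pem" 2>/dev/null
  # The responder cert is issued by the shadow intermediate, signed with the shared key.
  openssl req -new -key "$D/ocsp.key" -config "$D/cfg" -subj "/CN=Demo OCSP Responder" -out "$D/ocsp.csr"
  openssl x509 -req -in "$D/ocsp.csr" -CA "$D/int-shadow.pem" -CAkey "$D/int.key" -set_serial 3001 \
    -days 30 -extfile "$D/cfg" -extensions ocsp -out "$D/ocsp.pem" 2>/dev/null
}
same_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; }
has_ocsp_signing_eku() { openssl x509 -in "$1" -noout -text | grep -q 'OCSP Signing'; }
# Relying-party view: the responder cert must chain to the TRUSTED, constrained intermediate.
responder_chains_to_trusted() { openssl verify -purpose ocsphelper -CAfile "$1/trusted.pem" -untrusted "$1/int-trusted.pem" "$1/ocsp.pem"; }
D=$(mktemp -d); build_demo_pki "$D"
same_key "$D/int-trusted.pem" "$D/int-shadow.pem" && ! has_ocsp_signing_eku "$D/int-trusted.pem" && responder_chains_to_trusted "$D"
```

Note that the shadow intermediate never needs to be distributed; it only exists so the Microsoft CA will issue the responder cert, which chains to the trusted intermediate by name and key.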
_______________________________________________
Public mailing list
https://cabforum.org/mailman/listinfo/public