On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:

>
> Do I understand it correctly then that "a local configuration of
> OCSP signing authority" here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?
>

No, it's a separate thing called a "trust setting" which is not part of the
certificate itself. This is something which has to be explicitly
configured to trust that root CA for OCSPSigning. It's OpenSSL's version of
the trust settings you see in browsers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
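
Added example, not part of the original message: the shell script below attaches the OCSPSigning trust setting to a root CA with `openssl x509 -addtrust` and shows that the certificate itself is unchanged (same fingerprint) while the PEM becomes a "TRUSTED CERTIFICATE" carrying the extra trust data. The root CA, its subject name, the file names and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example; the CA and all file names are constructed test data.

# Create a throwaway self-signed root CA certificate.
make_demo_root() {      # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Attach the OCSPSigning trust setting. OpenSSL writes a
# "TRUSTED CERTIFICATE" PEM: the same certificate plus auxiliary trust data.
add_ocsp_trust() {      # $1 = input cert, $2 = output trusted cert
    openssl x509 -in "$1" -addtrust OCSPSigning -out "$2"
}

# SHA-256 fingerprint of the certificate proper (trust data is not covered).
cert_fingerprint() {    # $1 = cert file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM label on the first line of the file.
pem_label() { head -n 1 "$1"; }

# Trust settings as OpenSSL prints them after the certificate text.
trusted_uses() {        # $1 = cert file
    openssl x509 -in "$1" -noout -text | grep -A1 'Trusted Uses:'
}

ocsp_trust_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_root "$dir" || return 1
    add_ocsp_trust "$dir/root.pem" "$dir/root-ocsp.pem" || return 1
    echo "plain:   $(pem_label "$dir/root.pem")"
    echo "         $(cert_fingerprint "$dir/root.pem")"
    echo "trusted: $(pem_label "$dir/root-ocsp.pem")"
    echo "         $(cert_fingerprint "$dir/root-ocsp.pem")"
    trusted_uses "$dir/root-ocsp.pem"
    rm -rf "$dir"
}

ocsp_trust_demo
```

Because the trust setting lives outside the signed certificate, it exists only in the local file that was explicitly marked, which is why it has to be configured on the verifying side.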