KB Article #177895

CSR generated for OCSP signing certificate does not contain the proper extensions

Problem

* When generating a new OCSP signing certificate and having it signed by an external CA, the newly signed certificate is rejected with an error like the following:


"Certificate does not contain required OCSP or SCVP signing extension (id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9, id-kp-scvpServer, or 1.3.6.1.5.5.7.3.15)."

Resolution

-- This happens when you generate a self-signed certificate and then try to get the CSR for it, instead of telling VA that the certificate will be CA-signed. When you go to create the new key for the request, on the "Generate Software Key and Certificate: Default OCSP/SCVP Response Signing" page, there is an option that defaults to "Self-signed certificate." This must be changed to "Certificate Request", or the CSR that is generated will not request the proper OCSP extensions and the CA will have nothing to copy into the issued certificate. The setting looks like this:


[Screenshot: the "Generate Software Key and Certificate: Default OCSP/SCVP Response Signing" page, with the certificate option set to "Certificate Request" instead of the default "Self-signed certificate".]


You can tell if you have done this correctly because the printout of the CSR information will contain a section called requested extensions:


    Requested Extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication, OCSP Signing
        X509v3 Subject Key Identifier:
            4B:F7:17:F8:D4:7D:55:26:8B:BA:57:34:68:94:23:36:55:A7:52:14
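The following script is an added example and is not part of this KB article or of the VA product. It uses plain OpenSSL to reproduce both sides of the problem described above: one CSR generated with a req_extensions section (the equivalent of choosing "Certificate Request", which yields the "Requested Extensions" block shown in the printout) and one generated without it (the equivalent of the "Self-signed certificate" path). It then provides two checks, one for a CSR and one for an issued certificate, that look for the OCSP Signing EKU (id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9), which is the extension the error message says is missing. The common name, file names and work directory are constructed for the demo; the self-signing step at the end merely stands in for the external CA, and a real CA only copies requested extensions if its policy allows it, so the certificate check is the one that matters before importing into VA.

```shell
#!/bin/sh
# Added example, not from the KB article or the VA product: build one CSR
# that requests the OCSP Signing EKU and one that does not, then check a
# CSR or an issued certificate for that EKU with OpenSSL.
# CN, file names and the work directory are constructed for this demo.
set -eu

WORKDIR="${TMPDIR:-/tmp}/ocsp-csr-demo.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Config with a req_extensions section: the CSR carries a
# "Requested Extensions" block including id-kp-OCSPSigning.
cat > "$WORKDIR/with-ext.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
[ dn ]
CN = ocsp-responder.example.test
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = critical, serverAuth, OCSPSigning
EOF

# Same DN but no req_extensions: nothing for the CA to copy.
cat > "$WORKDIR/no-ext.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = ocsp-responder.example.test
EOF

# gen_csr CONFIG KEYOUT CSROUT: new RSA key plus a CSR from CONFIG.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Print the value line that follows the "X509v3 Extended Key Usage"
# header in an openssl text dump read from stdin.
eku_lines() {
  awk '/X509v3 Extended Key Usage/ { hit = 1; next }
       hit { print; exit }'
}

# Exit 0 if the CSR's requested extensions include OCSP Signing.
csr_requests_ocsp_signing() {
  openssl req -in "$1" -noout -text | eku_lines | grep -q 'OCSP Signing'
}

# Exit 0 if an issued certificate carries the OCSP Signing EKU;
# this is the property VA checks on the signed certificate.
cert_has_ocsp_signing() {
  openssl x509 -in "$1" -noout -text | eku_lines | grep -q 'OCSP Signing'
}

gen_csr "$WORKDIR/with-ext.cnf" "$WORKDIR/good.key" "$WORKDIR/good.csr"
gen_csr "$WORKDIR/no-ext.cnf"   "$WORKDIR/bad.key"  "$WORKDIR/bad.csr"

# Stand-in for the external CA: sign the good CSR and honour its requested
# extensions by passing the same section via -extfile/-extensions.
openssl x509 -req -in "$WORKDIR/good.csr" -signkey "$WORKDIR/good.key" \
  -days 30 -extfile "$WORKDIR/with-ext.cnf" -extensions req_ext \
  -out "$WORKDIR/good.crt" 2>/dev/null

for f in good.csr bad.csr; do
  if csr_requests_ocsp_signing "$WORKDIR/$f"; then
    echo "$f: requests OCSP Signing"
  else
    echo "$f: does NOT request OCSP Signing (resulting cert would be rejected)"
  fi
done
if cert_has_ocsp_signing "$WORKDIR/good.crt"; then
  echo "good.crt: carries the OCSP Signing EKU"
fi
```

To inspect a CSR exported from VA by hand, the same `openssl req -in file.csr -noout -text` dump is all that is needed: if the "Requested Extensions" section is absent, the key was generated on the self-signed path and must be regenerated with "Certificate Request" selected.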