the "clientToolBox ocsp" client has to be fixed to handle the new behavior described in
The tests fails since it is assumed that the last cert in the chain is a root and should be self signed.
A new certificate that is the cert below the last cert in the response chain could be added as an optional new parameter. This will be the root CA cert (chain) or the signer issuer cert (no chain). If this new parameter is present the last cert in the received chain will be tested and otherwise not.
It is important that we have a tool that could verify the whole chain in a response when an installation is tested.