When creating a CSR for an OcspKeyBinding, the CSR does not contain any certificate extensions or attributes, which makes it incompatible with MS CA.
Investigate whether we can fix this and create a patch compatible with EJBCA 184.108.40.206.
The following items should be in the CSR created from an OcspKeyBinding (see examples in comments):
- extendedKeyUsage = ocspSigning
- keyUsage = digitalSignature
These two items were added in this ticket. Additionally we will also need:
- Microsoft specific attributes
This will be done in a follow-up ticket.
OIDs are documented here: https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography
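
The two items listed above travel in a PKCS#10 request as an extensionRequest attribute. The following is an added example, not the EJBCA patch itself: it uses the Bouncy Castle API to build such a CSR and to check that both extensions are requested. The class name, subject DN, key size, signature algorithm and criticality flags are assumptions of this example, and the Microsoft-specific attributes are not included.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class OcspSignerCsrExample {
    // Builds a PKCS#10 request whose extensionRequest attribute asks for the two extensions.
    static PKCS10CertificationRequest buildCsr(KeyPair keys) throws Exception {
        ExtensionsGenerator exts = new ExtensionsGenerator();
        // Criticality flags are an assumption of this example, not taken from the ticket.
        exts.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        exts.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keys.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(
                new X500Principal("CN=Example OCSP Signer"), keys.getPublic()) // constructed subject
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, exts.generate())
                .build(signer);
    }

    // Returns true only if the CSR carries both requested extensions.
    static boolean requestsOcspSigning(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attrs.length == 0) return false; // the case the ticket describes: no extensions in the CSR
        Extensions requested = Extensions.getInstance(attrs[0].getAttrValues().getObjectAt(0));
        KeyUsage ku = KeyUsage.fromExtensions(requested);
        ExtendedKeyUsage eku = ExtendedKeyUsage.fromExtensions(requested);
        return ku != null && ku.hasUsages(KeyUsage.digitalSignature)
                && eku != null && eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // constructed key, generated only for this example
        PKCS10CertificationRequest csr = buildCsr(kpg.generateKeyPair());
        System.out.println("requests OCSP signing: " + requestsOcspSigning(csr));
    }
}
```

The same `requestsOcspSigning` check can be run against a CSR exported from an OcspKeyBinding before it is submitted to the CA.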