For a CA that chains to a specific certificate vendor's root (or another third-party root) to be able to issue OCSP signing certificates, the root certificate must also either contain the OCSP Signing EKU explicitly or carry no EKU extension at all (that is, be unconstrained). Typically, root certificates are not constrained. However, when third-party roots are included in the Windows trusted root list, Windows applies EKU constraints to those root entries, even though the root certificate itself is actually unconstrained.
Functionally, when the CA issues an OCSP signing certificate, it performs a standard chain validation on that certificate. The validation fails because the OCSP signing certificate carries the OCSP Signing EKU, whereas the CAs above it in the chain are constrained to a set of EKUs that does not include OCSP Signing.
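The following is an added illustration, not code from this article or from Windows, that models the EKU portion of the chain check described above: a certificate with no EKU extension is unconstrained, and a constraint applied to a root entry in the trusted root list overrides the root certificate's own (absent) EKU. The chain, subject names and constraint sets are constructed for the example.

```python
from typing import List, Optional, Set, Tuple

# Well-known EKU OIDs (standard values); the chain below is constructed sample data.
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage

# (subject, EKU set) where None means the certificate has no EKU extension at all.
Cert = Tuple[str, Optional[Set[str]]]


def permits(ekus: Optional[Set[str]], purpose: str) -> bool:
    """No EKU extension (or anyExtendedKeyUsage) leaves the certificate unconstrained."""
    return ekus is None or ANY_EKU in ekus or purpose in ekus


def validate_chain(chain: List[Cert], purpose: str,
                   root_store_ekus: Optional[Set[str]] = None) -> List[str]:
    """Return the subjects that do not permit `purpose`; an empty list means the chain validates.

    `chain` is ordered leaf first, root last. `root_store_ekus` models the constraint that
    Windows applies to a third-party root entry in the trusted root list; when present it
    replaces the root certificate's own EKU (typically absent) for this check.
    """
    failures = []
    for index, (subject, ekus) in enumerate(chain):
        is_root = index == len(chain) - 1
        effective = root_store_ekus if (is_root and root_store_ekus is not None) else ekus
        if not permits(effective, purpose):
            failures.append(subject)
    return failures


# Constructed sample: the issuing CA and the root-store entry only allow TLS purposes.
SAMPLE_CHAIN: List[Cert] = [
    ("Contoso OCSP Responder", {OCSP_SIGNING}),
    ("Contoso Issuing CA", {SERVER_AUTH, CLIENT_AUTH}),
    ("Vendor Root CA", None),           # unconstrained on the certificate itself
]
ROOT_STORE_CONSTRAINT = {SERVER_AUTH, CLIENT_AUTH}   # constraint Windows applies to the root entry

# Corrected chain: OCSP Signing is present at every constrained level.
FIXED_CHAIN: List[Cert] = [
    ("Contoso OCSP Responder", {OCSP_SIGNING}),
    ("Contoso Issuing CA", {SERVER_AUTH, CLIENT_AUTH, OCSP_SIGNING}),
    ("Vendor Root CA", None),
]
FIXED_ROOT_STORE = {SERVER_AUTH, CLIENT_AUTH, OCSP_SIGNING}

if __name__ == "__main__":
    print("constrained:", validate_chain(SAMPLE_CHAIN, OCSP_SIGNING, ROOT_STORE_CONSTRAINT))
    print("fixed:      ", validate_chain(FIXED_CHAIN, OCSP_SIGNING, FIXED_ROOT_STORE))
```

Running it shows that the constrained chain is rejected at both the issuing CA and the root-store entry, while the same root certificate with no store constraint is rejected only at the issuing CA.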
Article ID: 2962991 - Last Review: 8 Jul 2014 - Revision: 1