Em relação a 1)
OCSP tem um "Par de chave / certificado de assinatura de resposta" usado para autenticar a resposta. Este certificado é dado na resposta a:
$ openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text
-----BEGIN CERTIFICATE-----
[...]
UMiqxBNugzQ=
-----END CERTIFICATE-----
Então, vamos salvar isso para signcert.pem e ver o que está acontecendo:
$ openssl ocsp -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text | sed -n '/-----BEGIN/,/-----END/p' > signcert.pem
$ openssl verify signcert.pem
signcert.pem: C = BE, O = GlobalSign nv-sa, CN = GlobalSign OV CA - SHA256 - G2 OCSP responder - 2, serialNumber = 20150914163800
error 20 at 0 depth lookup:unable to get local issuer certificate
Ok ... Acho que estamos perdendo o intermediário?
$ openssl x509 -noout -text -in signcert.pem | grep -e 'Issuer:' -e '.crt'
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
OK, nenhum campo URI do emissor ... Isso é apenas sujo. Vamos buscá-lo na CA e formar uma cadeia:
$ curl https://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt | openssl x509 -inform der -outform pem >> signcert.pem
Ok, isso deve acontecer ...:
$ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text
[...]
-----BEGIN CERTIFICATE-----
[...]
/TiSgNCpgNg=
-----END CERTIFICATE-----
Response Verify Failure
... WTF ?! Ah, certinho de assinatura diferente!!
$ cat >> signcert.pem
-----BEGIN CERTIFICATE-----
MIID9DCCAtygAwIBAgISESEjxqkycL2lZt0CfS9OgUN2MA0GCSqGSIb3DQEBCwUA
MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD
VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB
MjU2IC0gRzIwHhcNMTUwODIwMTgxOTQxWhcNMTUxMTIwMTgxOTQxWjB9MQswCQYD
VQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTE6MDgGA1UEAxMxR2xv
YmFsU2lnbiBPViBDQSAtIFNIQTI1NiAtIEcyIE9DU1AgcmVzcG9uZGVyIC0gMTEX
MBUGA1UEBRMOMjAxNTA4MjAyMDE4MDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC+8xxGkIda/04pKK3AXuLz8S8EH4qouLbP/lrd+DFY1oI8fU4kosO+
WjvBPMeK1ZvvR6YjcNhIRsoYsDWdvhMv8/qvu1GQBrs1oC2910lg3fGIR48LR6TR
+XYC1jFv0IHaF5vp+e2nu3diJi7FKHMbP5jVdd1e6cuEcrq+pEW7WkPDQnhzh6U/
GGdhxbH8uk4KPH42Os0Rf6la99EyXzJZ8zccy0ySGnIOF5Km1efXg0qwx3PEk3MQ
fbFG3n4zE7lwBsrEgACI+V9K50tWfJIAm8Ll/xpGhvqF+6swCr0WExMcqaNpdVsf
hiHFD18k8v4R6t7ht+cWx1YvSSA+/hz3AgMBAAGjgYQwgYEwCQYDVR0TBAIwADAO
BgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYJKwYBBQUHMAEF
BAIFADAdBgNVHQ4EFgQU8haQnheoUW3t3+j0OaxZMUgEjIkwHwYDVR0jBBgwFoAU
lt5h8b0cFilTHMDMfTuDAEDmGnwwDQYJKoZIhvcNAQELBQADggEBAH0MXy5hmHXc
G88ntZ2YcM3C6AAVqpfZ2+KYwL06cjmAFvNx6nWUN2w5MD59fiQC3DENCvlEGe29
d9+zsPM4hwEVRGKBIDueXycI0BNRAViacaks4OqRcc8gi1SBE5j94yt1kfp6VBhc
yQBU4Cg5UBy4OA3SsnYdt/Ur1Xm+BDlpi5WWROM1O5UECquLU3/P1prxF78EkTdv
OSGtP1VLMS47hk5v+sUC3hnfwUyKnr2oiVV6CvxxLOipdeDGl68dVisauNf7Dp9H
YvO8OLkN9es+R2AV5iFIzLWHjsQxLOrY18bi6N0zMP7tuZIRSVpil+b49KJ8T/e1
/TiSgNCpgNg=
-----END CERTIFICATE-----
^D
Dedos cruzados ...
$ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com"
Response verify OK
wikipedia.pem: good
This Update: Sep 15 17:01:20 2015 GMT
Next Update: Sep 16 05:01:20 2015 GMT
Claro que sim!