The Microsoft Certification Authority always signs certificates using the key associated with the most recent Certification Authority Certificate. The signing certificate for an OCSP response should be in accordance with RFC 6960 but signed by the same key as the certificate to be verified:
The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.
https://tools.ietf.org/html/rfc6960#section-4.2.2.2
However, if the certification authority certificate is renewed and a new key pair is used in the process, it is necessary for the online responder to continue to maintain valid signature certificates for the certificates issued with the previous certification authority certificate, since these are ultimately still valid and must be checked for revocation.
Continue reading „Die Beantragung eines bestimmten Signaturschlüssels auf einer Zertifizierungsstelle erlauben“
English 
Deutsch