- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Testing Infrastructure
- None
- Fully Compatible
- Security 2019-12-30
While POCing OCSP using the .NET and Java drivers and server team's mock ocsp responder and certs in jstests/libs/ocsp that shreyaskal kindly pointed me at, I discovered I was unable to import the ca_ocsp certificate into a Java trust store.
keytool -import -trustcacerts -keystore cacerts -alias ca_ocsp -file ca_ocsp.pem
keytool error: java.lang.Exception: Input not an X.509 certificate
Further trial and error revealed that Java's keytool utility was willing to add an X.509 v3 certificate, but not the ca_ocsp.pem certificate because it appears to be an X.509 v1 certificate (see screenshot).
Updating mkcert.py to output v3 certificates seems to have solved this issue for me, and I've created a PR as the drivers team is planning on using the mock ocsp responder and the associated certificates for testing OCSP.
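One way to check which X.509 version a generated test certificate carries, the property the ticket describes changing in mkcert.py. This is an added example, not part of the original ticket and not code from mkcert.py; the function names and the two sample byte strings are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block in PEM text (other blocks, e.g. keys, are skipped)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(der, start)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = read_tlv(der, start)        # first field of tbsCertificate
    if tag != 0xA0:                              # no [0] EXPLICIT version field: default is v1
        return 1
    itag, istart, iend = read_tlv(der, vstart)   # INTEGER wrapped by the [0] tag
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded 0, 1, 2 mean v1, v2, v3

# Constructed skeletons (not real certificates): only the leading fields are present.
V1_SKELETON = bytes.fromhex("3005" "3003" "020101")                # serialNumber=1, no version
V3_SKELETON = bytes.fromhex("300a" "3008" "a003020102" "020101")   # [0]{INTEGER 2}, serialNumber=1

if __name__ == "__main__":
    for name, der in (("v1 skeleton", V1_SKELETON), ("v3 skeleton", V3_SKELETON)):
        print(name, "-> X.509 v%d" % x509_version(der))
```

For a certificate on disk, pass the file contents through `pem_to_der` and then `x509_version`.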