Forwarding Modes
When the ADSS Server OCSP responder is not the authoritative source for revocation status, it can relay the OCSP request to a peer OCSP responder. The OCSP relay feature can be enabled:
Proxy Settings
For relayed OCSP transactions, generally the OCSP service will re-sign the OCSP response before sending the response to the calling client. Use these settings to ensure relayed OCSP requests for the configured OCSP Responder URLs are NOT re-signed before responding to the calling client:
To add an OCSP Responder URL in the list, simply enter the peer OCSP responder URL and press the ADD button.
When a client receives a certificate which does not contain an AIA extension it cannot inform its own OCSP responder of where the authoritative OCSP responder is (using the Service Locator extension to an OCSP request). This means the OCSP responder will respond with "unknown" thus impacting interoperability, unless the certificate being checked, was local (i.e. issued by a locally registered CA) in the first place.
The OCSP Service enables a manual routing table to be created for certificates, that do not contain a Service locator extension in the OCSP request. This is done by identifying the CA and manually configuring an address for its OCSP responder. When an OCSP request is seen for a certificate issued by this CA, the OCSP service will forward the request to the identified peer OCSP responder.
Enable manual routing by selecting the option Enable Manual Routing. Manual routing can be configured:
Add a CA or multiple CAs in the manual routing table by selecting relevant CA certificate(s) using the Browse button and then specifying the OCSP Responder URL for the selected CA. Click the Add button to add the CA(s) in the manual routing table.
See also