Configuring the OCSP Service
Following are main steps to be taken when configuring the ADSS OCSP Service. The order in which the steps are defined is not important since it is easy to go back to an earlier step and also make changes later if required.
Steps |
Description |
Use the Key Manager module to generate the keys needed for the ADSS OCSP Service to sign the response. At least one OCSP response signing key is required with purpose "OCSP Response Signing". |
|
Register all the root and/or intermediate CAs that will be involved in path building/validation in ADSS Trust Manager module. Note: Registering the intermediate CAs can shorten the path discovery/validation process overheads and time. |
|
Add relevant trusted CAs in the OCSP Service so that revocation status services for the certificates issued by these CAs can be provided by the OCSP Service. |
|
Ensure the ADSS CRL Monitor is running and the CRLs are being retrieved successfully for the registered CAs or Import the CRLs for the trusted CAs in CRL Monitor module, to determine the revocation status if you wish to use the locally held CRLs for revocation checking. |
|
Use the ADSS OCSP Service Manager to start/stop/restart the service. ADSS OCSP Service is required to be restarted when an OCSP Validation Policy is added/updated/delete. |
It is not necessary to register the OCSP Service clients within the ADSS Client Manager (unlike the ADSS Signing, Verification and Certification services). Instead the OCSP Service can identify OCSP clients if the OCSP requests are signed and this signature can be trusted. So one needs to only register the trusted CAs. Another option for client authentication is to conduct the OCSP service over a mutually authenticated TLS session or to use IP address validation. These are configured in the OCSP Access Control section. |
Refer to the section “Configuring the OCSP Service URL” in the ADSS Installation Guide to see how ADSS Server OCSP service can be configured to listen on defaults ports i.e. 80 for non-TLS and 443 for TLS communication. Details of the default OCSP URLs is contained here: OCSP Service Interface URLs. |
See also
Support for Multiple Trust Models
Multiple CA and Unique Certificate Validation Policies
Advanced Settings
Forwarding Modes
Access Control
Transactions Log Viewer
Logs Archiving
Alerts
Management Reporting
Optimising ADSS OCSP Server Performance
Operating OCSP Service in FIPS 201 Compliant Mode
OCSP Service Interface URLs