If OCSP requests are not signed and there is at least one foreign (unregistered CA) CertID in the OCSP request then ADSS Server cannot apply the OCSP policy for the recognized CA. The Default Policy shown below is then used to process the unsigned OCSP request(s):




OCSP Responder Policy defines the following:

Items

Description

OCSP Responder Certificate

Selected OCSP response signing certificate will be used to sign OCSP responses received from the peer responders.

Note: When operating in FIPS 201 compliant mode, the ADSS Server operator must ensure that the length of the OCSP response signing key must be at least as large as, or larger than, the key length used by the CA that issued the target certificate (i.e. certificate being validated).

Hashing Algorithm

Selected hashing algorithm is used to sign the generated OCSP responses.  The available options are SHA1, SHA-224, SHA256, SHA384, SHA512, RipeMD128 and RipeMD160.

Note: When operating in FIPS 201 compliant mode, the ADSS Server operator must ensure that the hash algorithm configured for the OCSP response signing process must be at least as large as, or larger than, the hash algorithm used by the CA in issuing the target certificate (i.e. certificate being validated). Also note RipeMD128 and RipeMD160 are not available when operating in FIPS 201 compliant mode using a FIPS 140-2 evaluated hardware crypto module.

Identify Responder By

The OCSP Service can be configured to either include the responder name hash (i.e. common name of the OCSP response signing certificate) or the responder key hash.

Include Responder's Certificates in response

Select this option to include the intermediate certificate chain and/or OCSP response signing certificate within the generated OCSP response. 

  • Include Responder Certificate Chain
    By selecting this radio button, full chain of the OCSP response signing certificate will be included in the OCSP response.
  • Include Only Responder Certificate
    By selecting this radio button, only OCSP response signing certificate will be included in the OCSP response.

Note: If this option will be unchecked then neither response signing certificate nor response signing certificate chain will be included in the OCSP response.

Include CRL extension in OCSP responses

If CRL extensions and/or CRL references are available to the OCSP service then these will be included in the OCSP response message. The following CRL Entry Extensions are supported: 

  • Invalidity date.
  • Reason code.
  • Hold instruction code.

The following CRL references are supported:  

  • crlUrl
  • crlNumber
  • crlTime

OCSP requests must have "nonce" extension

Determines whether or not the nonce extension should be present in the OCSP request messages that the ADSS OCSP service receives. If a nonce extension is required then any OCSP requests received without one causes a unauthorized error message to be sent back.




Default OCSP Relying Policy defines the following:


Items

Description

Allow OCSP Request forwarding

If selected then the OCSP service is allowed to relay the request to a peer OCSP Responder in case it is not authoritative for the target certificate.

Add Nonce extension

If this option is enabled then ADSS Server will add a nonce (i.e. a number used once) extension to the OCSP request message. The OCSP response is checked to ensure that it contains the same nonce value to prevent replay attacks.

Add Service Locator extension

If this option is enabled then ADSS Server will add the responder URL from the target certificate’s AIA extension into the OCSP request as a Service Locator extension. This helps the OCSP Responder to relay the OCSP request to other OCSP responders if the request cannot be handled directly.

Sign OCSP Request

Select this checkbox if the OCSP Responder requires OCSP request messages to be signed. Then select the OCSP Request signing Certificate which pre-exists in the Key Manager

Hash Algorithm

Specify the hash algorithm to be used to generate OCSP request and furthermore to sign the OCSP request.

Use TLS client Authentication

If this option is enabled then OCSP service will communicate with peer OCSP responder using TLS client authentication. Select the Client TLS Certificate which pre-exists in the Key Manager

Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose

Verify OCSP Responder's certificate

Select this checkbox if revocation checking of the OCSP Responder certificate is also required.  

Note: This is considered unusual since OCSP responder certificates are typically configured with a 'NOCHECK' extension.

Verify OCSP Responder is authorised by the CA

If this option is enabled then ADSS Server validates that the OCSP Responder that provides the OCSP response message is certified by the same CA that certified the target certificate; and furthermore that the OCSP Responder’s certificate was specifically marked by the CA for “OCSP Signing” in the certificates Extended Key Usage field.

Clock Tolerance

When verifying OCSP responses from peer responder, OCSP Service will compare the time within the OCSP response with its local clock to ensure they are “fresh” responses. System times may not be perfectly synchronized and so a tolerance value is essential. It is recommended that this is set to at least 100 seconds.

Response timeout

Defines how many seconds OCSP Service will wait for the peer OCSP Responder before assuming that there is a communication problem. It is recommended that this is set to at least 10 seconds.

Note: Set to zero if the timeout is unlimited.



See also

OCSP Request Handling