It is necessary to register the CAs for which the OCSP Service will provide revocation status information within the ADSS Trust Manager. This will allow the CRL resource settings and other validation policy parameters to be configured. 

When ADSS Server is configured to accept only signed OCSP requests then it is mandatory to also register the issuer CA(s) of the relying party (i.e. OCSP client) certificates in the Trust Manager so that signed OCSP requests from the requester can be trusted. Note that the OCSP Service can be configured to accept:

  • Only signed requests or
  • Both signed and unsigned requests (signed requests are verified) or
  • Unsigned requests only (any signature on signed requests are just ignored)


In all of these cases the issuer CA of a target certificate (the target certificate is defined as the certificate whose revocation is to be checked) MUST be registered in the Trust Manager. 
Read the ADSS Trust Manager description to understand how to register CAs as Trust Anchors.


Select the purpose for the registered CAs as "CA (will be used to verify other certificates and CRLs)"



See also

Step 1- Generating Keys and Certificates

Step 3 - Registering Trusted CAs for OCSP Service
Step 4 - Configuring CRL Monitor
Step 5 - Using the Service Manager