ADSS Admin Guide

Steps

Description

Step 1:

Use the Key Manager module to generate the keys needed for the ADSS OCSP Service to sign the response. At least one OCSP response signing key is required with purpose "OCSP Response Signing".

Step 2:

Register all the root and/or intermediate CAs that will be involved in path building/validation in ADSS Trust Manager module.

Note: Registering the intermediate CAs can shorten the path discovery/validation process overheads and time.

Step 3:

Add relevant trusted CAs in the OCSP Service so that revocation status services for the certificates issued by these CAs can be provided by the OCSP Service.

Step 4:

Ensure the ADSS CRL Monitor is running and the CRLs are being retrieved successfully for the registered CAs or Import the CRLs for the trusted CAs in CRL Monitor module, to determine the revocation status if you wish to use the locally held CRLs for revocation checking.

Step 5:

Use the ADSS OCSP Service Manager to start/stop/restart the service. ADSS OCSP Service is required to be restarted when an OCSP Validation Policy is added/updated/delete.

​It is not necessary to register the OCSP Service clients within the ADSS Client Manager (unlike the ADSS Signing, Verification and Certification services).  Instead the OCSP Service can identify OCSP clients if the OCSP requests are signed and this signature can be trusted. So one needs to only register the trusted CAs. Another option for client authentication is to conduct the OCSP service over a mutually authenticated TLS session or to use IP address validation.  These are configured in the OCSP Access Control section.

​​Refer to the section “Configuring the OCSP Service URL” in the ADSS Installation Guide to see how ADSS Server OCSP service can be configured to listen on defaults ports i.e. 80 for non-TLS and 443 for TLS communication. Details of the default OCSP URLs is contained here: OCSP Service Interface URLs.