The CAs for which the OCSP Repeater Service will provide revocation status information must be registered within the ADSS Trust Manager module. This allows the CRL resource settings and other validation policy parameters to be configured. This needs to be done only once, since the settings can be exported and then imported into other ADSS OCSP Repeater Servers.

When an ADSS OCSP Repeater Server is configured to accept only signed OCSP Repeater requests, it is also mandatory to register the issuer CA(s) of the relying party (the OCSP Repeater client) certificates in Trust Manager so that signed OCSP requests from the requester can be trusted. The OCSP Repeater Service can be configured to accept:

  • Only signed requests, or
  • Both signed and unsigned requests (signed requests are verified), or
  • Unsigned requests only (any signature on a signed request is simply ignored)

In all of these cases, the issuer CA of a target certificate (the certificate whose revocation status is to be checked) MUST be registered in the Trust Manager. Review the ADSS Trust Manager module to understand how to register CAs as Trust Anchors.


When registering a CA, select its purpose as "CA (will be used to verify other certificates and CRLs)".
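To check the signed/unsigned acceptance setting and the CA registrations described above, it helps to have one unsigned and one signed OCSP request to hand. The script below is an added example, not part of the ADSS documentation: it assumes the OpenSSL command-line tool, and every CA, certificate and file name in it is a constructed test value.

```shell
#!/bin/sh
# Added example: all subjects and file names are constructed test values.

# mkca <dir> <name> <CN>: throwaway self-signed CA.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# mkleaf <dir> <name> <ca name>: end-entity certificate issued by that CA.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed $2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial 2 -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}

# Build an unsigned and a signed OCSP request for the same target certificate.
# The client certificate is issued by a different CA than the target, so two
# issuers are involved: the target's and the requester's.
build_ocsp_requests() {
  d=$1
  mkca "$d" target_ca "Constructed Target CA" &&
  mkca "$d" client_ca "Constructed Client CA" &&
  mkleaf "$d" target target_ca &&
  mkleaf "$d" client client_ca &&
  openssl ocsp -issuer "$d/target_ca.pem" -cert "$d/target.pem" \
    -reqout "$d/unsigned.der" >/dev/null 2>&1 &&
  openssl ocsp -issuer "$d/target_ca.pem" -cert "$d/target.pem" \
    -signer "$d/client.pem" -signkey "$d/client.key" \
    -reqout "$d/signed.der" >/dev/null 2>&1
}

# Succeeds when the DER-encoded OCSP request carries a requester signature.
is_signed() {
  openssl ocsp -reqin "$1" -req_text 2>/dev/null | grep -q "Signature Algorithm"
}

# Prints the issuer of a certificate, i.e. the CA that has to be registered.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

work=$(mktemp -d) && build_ocsp_requests "$work" && {
  for r in unsigned signed; do
    if is_signed "$work/$r.der"; then echo "$r.der: signed"; else echo "$r.der: not signed"; fi
  done
  echo "target certificate $(cert_issuer "$work/target.pem")"
  echo "client certificate $(cert_issuer "$work/client.pem")"
}
```

With real certificates, `cert_issuer` shows which CA has to be registered for the target certificate and, when signed requests are verified, for the client certificate.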


See also

Step 1 - Generating Keys and Certificates
Step 3 - Configuring CRL Monitor
Step 4 - Configuring OCSP Repeater Service
Step 5 - Registering Trusted CAs for OCSP Repeater Service
Step 6 - Using the Service Manager