Configuring an OCSP Repeater
There are various steps that must be taken when configuring the ADSS OCSP Repeater Service. The order in which these are done is not important since it is easy to make changes later if required.
A full ADSS OCSP Server must already exist that has been configured to manage and send pre-computed responses to this new OCSP Repeater.
| Process Steps |
Task Description |
| Step 1: |
Use the Key Manager module to generate the keys needed for the ADSS OCSP Repeater Service to communicate with the central OCSP service. A Client TLS Certificate is required with the purpose "TLS Client Authentication". A separate key and certificate for each ADSS OCSP Repeater Server is recommended. |
| Step 2: |
Register all the root and/or intermediate CAs that will be involved in path building/validation in ADSS Trust Manager module. Note: Registering the intermediate CAs can shorten the path discovery/validation process overheads and time. |
| Step 3: | Ensure the ADSS CRL Monitor service is running and that CRLs are being retrieved successfully for all relevant registered CAs. |
| Step 4: | Ensure that the D-OCSP setting is enabled in OCSP Service > Registered CA for the relevant CAs so that the central OCSP Service pre-computes the OCSP responses for these CAs. |
| Step 5: |
Add the Trusted CAs in the ADSS OCSP Repeater Service so that revocation status services for the certificates issued by these CAs can be provided by the OCSP Repeater Service. |
| Step 6: |
Use the ADSS OCSP Repeater Service Manager to start/stop/restart the service. ADSS OCSP Repeater Service is required to be restarted when something is added/updated/delete in the sub modules of the OCSP Repeater Service. |
The Client Manager is not used to control access to the OCSP Repeater Service. Access can be either open for all OCSP Clients or controlled using a mutually authenticated TLS session or using IP address filtering. These options are configured in the OCSP Repeater "Access Control" section.
Refer to the section “Configuring the OCSP Repeater Service URL” in the ADSS Installation Guide to understand how the ADSS Server OCSP Repeater Service can be configured to listen on defaults ports i.e. 80 for non-TLS and 443 for TLS communication. The default URLs are shown in the following section "OCSP Repeater Service Interface URLs".
See also