Step 6 - Using the Service Manager
After making configuration changes within the ADSS OCSP Repeater Service, the service must be restarted for the changes to take effect. The OCSP Repeater service manager module allows operators to start, stop or restart the OCSP Repeater service and also make changes to service related configurations. Click on the "Service Manager" button and this screen is shown:
The configuration items are as follows:
Items |
Description |
Service Address |
The address of the OCSP Repeater Service being controlled from this Service Manager. Ensure the address points to the correct service URL, i.e. if you are running the service on multiple machines in a load-balanced configuration then check that the name is correct for the particular instance that needs to be started/stopped/restarted. By default it will be that of the local machine. |
Start |
Start the service. Status will change to “Running” after a successful start. |
Stop |
Stop the service. Status will change to “Stopped” after the service is stopped. |
Restart |
Stop and then start the service in one go, Status will change to “Running” after a successful restart. |
OCSP Request Handling |
The OCSP Request Handling configures the type of requests that can be accepted by the OCSP Repeater Service. |
Accept unsigned OCSP requests |
In this case there is no authentication of relying parties. Both signing and unsigned OCSP Repeater request are accepted by the service. In case signed requests are received the signature will be ignored. |
Accept signed and unsigned OCSP requests |
When selected, both signed and unsigned OCSP requests will be processed. For signed requests OCSP Repeater service will properly validate the signature. |
Accept only signed requests |
When selected, only signed OCSP requests from relying parties who are certified by a trusted CA will be accepted. If using this option ensure that OCSP requests are signed and the issuer of the request signers’ certificate is registered in the ADSS Trust Manager. |
Verify OCSP request signer’s certificate status |
If selected, the relying party’s request signing certificate status is checked to see if it revoked. The validation policy of the signer’s certificate issuer CA is used to check this. |
Log OCSP transactions |
When the Log OCSP transactions option is enabled then all OCSP Repeater transactions are recorded in the ADSS Server database. With this option disabled no OCSP Repeater transactions are recorded in the database. This feature is useful when much higher throughput is required and logging is seen as an overhead, e.g. within EV TLS environments. |
OCSP Relay Policy |
The OCSP Relay policy configures the mechanism to forward the OCSP request to a peer OCSP responder when foreign CA (unregistered) certID found in the OCSP request. |
Forward OCSP Request |
Enabling this checkbox will forward the OCSP request if OCSP Repeater found foreign CA CertID in OCSP request. |
OCSP Service URL |
The OCSP Service URL defines the IP Address/host name and port on which the OCSP Repeater will communicate/connect to the OCSP Service to fetch single OCSP response of the target certificate. |
Use service locater |
If enabled then OCSP Repeater will forward the OCSP request at service locator URL. In case the service locator URL not available from the incoming OCSP request then the request will be forwarded to configured OCSP URL. |
Ensure all the changes are saved by clicking the Save button and restart the service to take changes effect. |
See also
Step 1 - Generating Keys and Certificates
Step 2 - Registering CAs
Step 3 - Configuring CRL Monitor
Step 4 - Configuring OCSP Repeater Service
Step 5 - Registering Trusted CAs for OCSP Repeater Service