Default OCSP Relaying Policy
If OCSP requests are not signed and there is at least one foreign (unregistered CA) CertID in the OCSP request then ADSS Server cannot apply the OCSP policy for the recognized CA. The Default Policy shown below is then used to process the unsigned OCSP request(s):
Default OCSP Relying Policy defines the following:
Items |
Description |
Allow OCSP Request forwarding |
If selected then the OCSP service is allowed to relay the request to a peer OCSP Responder in case it is not authoritative for the target certificate. |
Add Nonce extension |
If this option is enabled then ADSS Server will add a nonce (i.e. a number used once) extension to the OCSP request message. The OCSP response is checked to ensure that it contains the same nonce value to prevent replay attacks. |
Add Service Locator extension |
If this option is enabled then ADSS Server will add the responder URL from the target certificate’s AIA extension into the OCSP request as a Service Locator extension. This helps the OCSP Responder to relay the OCSP request to other OCSP responders if the request cannot be handled directly. |
Sign OCSP Request |
Select this checkbox if the OCSP Responder requires OCSP request messages to be signed. Then select the OCSP Request signing Certificate which pre-exists in the Key Manager |
Hash Algorithm |
Specify the hash algorithm to be used to generate OCSP request and furthermore to sign the OCSP request. The available options are SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, RipeMD128 and RipeMD160. |
Use TLS client Authentication |
If this option is enabled then OCSP service will communicate with peer OCSP responder using TLS client authentication. Select the Client TLS Certificate which pre-exists in the Key Manager. Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose |
Verify OCSP Responder's certificate |
Select this checkbox if revocation checking of the OCSP Responder certificate is also required. Note: This is considered unusual since OCSP responder certificates are typically configured with a 'NOCHECK' extension. |
Verify OCSP Responder is authorised by the CA |
If this option is enabled then ADSS Server validates that the OCSP Responder that provides the OCSP response message is certified by the same CA that certified the target certificate; and furthermore that the OCSP Responder’s certificate was specifically marked by the CA for “OCSP Signing” in the certificates Extended Key Usage field. |
Clock Tolerance |
When verifying OCSP responses from peer responder, OCSP Service will compare the time within the OCSP response with its local clock to ensure they are “fresh” responses. System times may not be perfectly synchronized and so a tolerance value is essential. It is recommended that this is set to at least 100 seconds. |
Response timeout |
Defines how many seconds OCSP Service will wait for the peer OCSP Responder before assuming that there is a communication problem. It is recommended that this is set to at least 10 seconds. Note: Set to zero if the timeout is unlimited. |
See also