If an OCSP request is not signed and contains at least one foreign (unregistered CA) CertID, then ADSS Server cannot apply the OCSP policy of a recognized CA. The Default Policy shown below is then used to process such unsigned OCSP requests:



The OCSP Responder Policy defines the following items:

OCSP Responder Certificate

The selected OCSP response signing certificate is used to sign the OCSP responses received from the peer responders.


Note: When operating in FIPS 201 compliant mode, the ADSS Server User must ensure that the length of the OCSP response signing key is at least as large as the key length used by the CA that issued the target certificate (i.e. the certificate being validated).

Hashing Algorithm

The selected hashing algorithm is used when signing the generated OCSP responses. The available options are SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, RipeMD128 and RipeMD160.


Note: When operating in FIPS 201 compliant mode, the ADSS Server User must ensure that the hash algorithm configured for OCSP response signing is at least as strong as the hash algorithm used by the CA when issuing the target certificate (i.e. the certificate being validated). Also note that RipeMD128 and RipeMD160 are not available when operating in FIPS 201 compliant mode with a FIPS 140-2 evaluated hardware crypto module.

Identify Responder By

The OCSP Service can be configured to either include the responder name hash (i.e. common name of the OCSP response signing certificate) or the responder key hash.

Include Responder's Certificates in response

Select this option to include the intermediate certificate chain and/or the OCSP response signing certificate within the generated OCSP response.

  • Include Responder Certificate Chain
    When this radio button is selected, the full chain of the OCSP response signing certificate is included in the OCSP response.
  • Include Only Responder Certificate
    When this radio button is selected, only the OCSP response signing certificate is included in the OCSP response.


Note: If this option is unchecked then neither the response signing certificate nor its certificate chain is included in the OCSP response.

Include CRL extension in OCSP responses

If CRL entry extensions and/or CRL references are available to the OCSP service then these are included in the OCSP response message. The following CRL Entry Extensions are supported:

  • Invalidity date.
  • Reason code.
  • Hold instruction code.


The following CRL references are supported:

  • crlUrl
  • crlNumber
  • crlTime

OCSP requests must have "nonce" extension

Determines whether or not the nonce extension must be present in the OCSP request messages that the ADSS OCSP service receives. If a nonce extension is required, then any OCSP request received without one causes an unauthorized error response to be sent back.
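The two decisions described on this page, Default Policy selection for an unsigned request carrying a foreign CertID (introduction above) and the "nonce required" check (this item), worked through on constructed DER requests. This is an added example, not ADSS Server code: a minimal standard-library DER walker, with the request builder, the sample issuer key hashes and the "default"/"ca" and "unauthorized"/"successful" labels being assumptions for illustration.

```python
# Added example (not ADSS Server code): inspect a DER OCSPRequest for the three questions
# the policy text asks: is it signed, does it name an unregistered CA, is the nonce present.
NONCE_OID = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2

def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _children(value):
    """Split a constructed DER value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, ln, pos = value[pos], value[pos + 1], pos + 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + ln]))
        pos += ln
    return out

def build_ocsp_request(issuer_key_hashes, nonce=None, signed=False):
    """Construct a sample OCSPRequest with one CertID per issuer key hash (constructed test data)."""
    sha1 = _der(0x30, _der(0x06, bytes.fromhex("2b0e03021a")) + b"\x05\x00")  # AlgorithmIdentifier sha1
    def certid(kh):  # CertID { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
        return _der(0x30, sha1 + _der(0x04, b"\x11" * 20) + _der(0x04, kh) + _der(0x02, b"\x01\x02"))
    tbs = _der(0x30, b"".join(_der(0x30, certid(kh)) for kh in issuer_key_hashes))  # requestList
    if nonce is not None:  # requestExtensions [2] EXPLICIT Extensions { nonce }
        tbs += _der(0xA2, _der(0x30, _der(0x30, _der(0x06, NONCE_OID) + _der(0x04, _der(0x04, nonce)))))
    body = _der(0x30, tbs)  # TBSRequest
    if signed:  # optionalSignature [0] EXPLICIT; placeholder bits, never verified here
        body += _der(0xA0, _der(0x30, sha1 + _der(0x03, b"\x00" + b"\xaa" * 8)))
    return _der(0x30, body)

def inspect_ocsp_request(der):
    """Return (signed, issuer_key_hashes, has_nonce) parsed from a DER OCSPRequest."""
    parts = _children(_children(der)[0][1])  # [tbsRequest, optionalSignature?]
    signed = any(tag == 0xA0 for tag, _ in parts[1:])
    key_hashes, has_nonce = [], False
    for tag, val in _children(parts[0][1]):
        if tag == 0x30:  # requestList: SEQUENCE OF Request { reqCert CertID, ... }
            key_hashes += [_children(_children(req)[0][1])[2][1] for _, req in _children(val)]
        elif tag == 0xA2:  # requestExtensions [2] EXPLICIT Extensions
            has_nonce = any(_children(ext)[0][1] == NONCE_OID for _, ext in _children(_children(val)[0][1]))
    return signed, key_hashes, has_nonce

def choose_policy(der, registered_key_hashes, nonce_required):
    """Unsigned request with a foreign CertID -> Default Policy; required nonce absent -> unauthorized."""
    signed, key_hashes, has_nonce = inspect_ocsp_request(der)
    foreign = any(kh not in registered_key_hashes for kh in key_hashes)
    policy = "default" if (not signed and foreign) else "ca"
    status = "unauthorized" if (nonce_required and not has_nonce) else "successful"
    return policy, status
```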




See also

OCSP Request Handling

OCSP Responder Policy

Default OCSP Relaying Policy