Configure Implicitly Trusted VAs
When validating OCSP responses the Validation Client may encounter responder certificates that are not explicitly trusted (see Section Configure Explicitly Trusted Validation Authorities). If such a certificate was issued by the issuer of the certificate being validated, and the issuer certificate is trusted, the responder certificate will be implicitly trusted. The Validation Client will then need to determine whether the implicitly trusted responder certificate has itself been revoked.
Select the "Check this box to enable the IdenTrust implicit trust model" option if you are using IdenTrust validation authorities to perform OCSP. No other implicit trust options need to be set when the IdenTrust model is used.
If the responder certificate contains the id-pkix-ocsp-nocheck extension, its issuer has asserted that relying parties do not need to check whether it has been revoked, and the Validation Client will not perform any additional checking. If the responder certificate does not contain the id-pkix-ocsp-nocheck extension, the selections in the Implicitly Trusted Validation Authorities section allow you to configure the Validation Client as follows:
- (Default) Automatically reject – the Validation Client rejects responses signed by implicitly trusted responder certificates that do not contain the id-pkix-ocsp-nocheck extension.
- Automatically accept – the Validation Client trusts any response signed by an implicitly trusted responder certificate that does not contain the id-pkix-ocsp-nocheck extension. Because no revocation check is performed on the responder certificate, a revoked responder certificate would still be accepted under this option.
- Allow client to attempt to validate – the Validation Client attempts to validate (including checking the revocation status of) implicitly trusted responder certificates that do not contain the id-pkix-ocsp-nocheck extension. If validation is not successful, the responder certificate is rejected.
Click OK then click Apply to save the changes.
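The following is an added example, not code from the Validation Client or its documentation, that implements the decision procedure described above as a single function: explicit trust first, then implicit trust (responder certificate issued by the trusted issuer of the certificate being validated), then the id-pkix-ocsp-nocheck check, then one of the three configured options. It goes slightly beyond the page in one place: it also requires the id-kp-OCSPSigning extended key usage on a delegated responder, as RFC 6960 does. The Certificate class is a simplified stand-in for a parsed X.509 certificate, and the issuer and subject names are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional, Tuple

# OIDs from RFC 6960. The page refers to the extension by name only.
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


class Policy(Enum):
    """The three options in the Implicitly Trusted Validation Authorities section."""
    REJECT = "Automatically reject"          # default
    ACCEPT = "Automatically accept"
    VALIDATE = "Allow client to attempt to validate"


@dataclass(frozen=True)
class Certificate:
    """Simplified stand-in for a parsed X.509 certificate (assumption, not a real parser)."""
    subject: str
    issuer: str
    extensions: FrozenSet[str] = frozenset()   # OIDs of extensions present
    eku: FrozenSet[str] = frozenset()          # extended key usage OIDs


# Result of checking the responder certificate's own revocation status:
# True = confirmed good, False = revoked, None = status could not be determined.
RevocationChecker = Callable[[Certificate], Optional[bool]]


def evaluate_responder(responder: Certificate,
                       target: Certificate,
                       trusted_issuers: FrozenSet[str],
                       explicit_responders: FrozenSet[str],
                       policy: Policy,
                       check_revocation: RevocationChecker) -> Tuple[bool, str]:
    """Decide whether an OCSP response for `target` signed by `responder` may be trusted.

    Returns (accepted, reason)."""
    # 1. Explicitly trusted responders need no further checks.
    if responder.subject in explicit_responders:
        return True, "responder explicitly trusted"

    # 2. The trusted CA that issued the target may sign responses with its own key.
    if responder.subject == target.issuer and responder.subject in trusted_issuers:
        return True, "response signed by the trusted issuer itself"

    # 3. Implicit trust: the responder certificate was issued by the target's
    #    issuer, and that issuer certificate is itself trusted.
    if responder.issuer != target.issuer or target.issuer not in trusted_issuers:
        return False, "responder certificate is neither explicitly nor implicitly trusted"
    # RFC 6960 requirement for delegated responders (beyond what the page states).
    if ID_KP_OCSP_SIGNING not in responder.eku:
        return False, "delegated responder lacks id-kp-OCSPSigning"

    # 4. Revocation status of the implicitly trusted responder certificate.
    if ID_PKIX_OCSP_NOCHECK in responder.extensions:
        return True, "issuer asserted id-pkix-ocsp-nocheck; no revocation check needed"
    if policy is Policy.REJECT:
        return False, "no id-pkix-ocsp-nocheck and policy is Automatically reject"
    if policy is Policy.ACCEPT:
        return True, "no id-pkix-ocsp-nocheck but policy is Automatically accept"
    # Policy.VALIDATE: accept only when the responder certificate is positively good.
    status = check_revocation(responder)
    if status is True:
        return True, "responder certificate validated as good"
    if status is False:
        return False, "responder certificate is revoked"
    return False, "responder certificate could not be validated"


# Constructed sample PKI for the demonstration (not from the page).
TRUSTED_ISSUERS = frozenset({"CN=Example Issuing CA"})
TARGET = Certificate("CN=alice", "CN=Example Issuing CA")
DELEGATED = Certificate("CN=Example OCSP Responder", "CN=Example Issuing CA",
                        eku=frozenset({ID_KP_OCSP_SIGNING}))
DELEGATED_NOCHECK = Certificate("CN=Example OCSP Responder", "CN=Example Issuing CA",
                                extensions=frozenset({ID_PKIX_OCSP_NOCHECK}),
                                eku=frozenset({ID_KP_OCSP_SIGNING}))
ROGUE = Certificate("CN=Rogue Responder", "CN=Other CA",
                    eku=frozenset({ID_KP_OCSP_SIGNING}))


def demo(policy: Policy, responder: Certificate, status: Optional[bool] = True) -> bool:
    """Evaluate `responder` for TARGET under `policy`, simulating a revocation check result."""
    accepted, _reason = evaluate_responder(responder, TARGET, TRUSTED_ISSUERS,
                                           frozenset(), policy, lambda _c: status)
    return accepted


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, "->", evaluate_responder(DELEGATED, TARGET, TRUSTED_ISSUERS,
                                                     frozenset(), policy, lambda _c: None))
```

Note how the nocheck extension short-circuits all three options: once the issuer has asserted id-pkix-ocsp-nocheck, the configured option is never consulted, which is why the extension should only be placed on short-lived responder certificates.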