Procedure 3: Configure Request Relaying for OCSP
When the Responder cannot service an OCSP request using pre-generated OCSP responses, it can relay the request to another server. You can configure the URLs to which requests are relayed.
When more than one relay URL is configured, each URL will be queried in the order listed on this page until a definitive response is found or all URLs have been queried.
When a URL is associated with a certificate issuer, an OCSP request will only be relayed to that URL if it queries the status of a certificate issued by that certificate issuer. Such requests will be relayed regardless of the relaying options if no pre-generated OCSP response is available.
This situation could occur for a number of reasons, such as:
- The OCSP request contains a nonce,
- The OCSP request queries the status of a certificate with a known issuer, but for which there is no pre-generated response, or
- The OCSP request queries the status of more than one certificate.
To configure OCSP request relaying, you must specify the URL(s) of the OCSP server(s) to which requests should be relayed and the type(s) of requests to relay.
If OCSP request relaying is not enabled, or not enabled for a particular OCSP request type, then the Validation Responder Appliance services the request to the best of its ability, and the client must decide whether or not to accept the response.
The OCSP server to which OCSP requests are relayed is specified as a URL. Carefully review the following important notes.
- The Validation Responder Appliance offers OCSP services over both the HTTP and HTTPS protocols.
- The Validation Responder Appliance uses ports 80 and 3502 for requests over HTTP and ports 443 and 3602 for requests over SSL.
Since all OCSP responses are cryptographically protected with signatures generated by the Validation Authority, you may use HTTP for OCSP to avoid SSL performance overhead.
Task 1: Add Relay URL
- In the Responder Software section of the navigation bar, click Request Relaying.
- Enter the URL to which all required OCSP requests will be relayed.
- If you only want to relay requests for the status of certificates issued by a specific issuer, then browse to select the Issuer.
  - When more than one relay URL is configured, the Validation Responder Appliance relays requests in the order in which the URLs appear (that is, the first URL is the primary server).
  - If it does not receive a response from the primary server, or if the primary server returns an OCSP response without a definitive status, then the Validation Responder Appliance tries the next listed URL.
- Click Add Relay URL.
- In the Responder Software section of the navigation bar, click Restart for the change to take effect.
Task 2: Specify OCSP Request Types to Be Relayed
- Click Request Relaying, and then click configure relay options.
- Relay requests containing nonces: Select this option if you want the Validation Responder Appliance to relay OCSP requests that contain a nonce.
  Nonces can be included in OCSP requests to cryptographically bind an OCSP response to the request. When responding to a request that includes a nonce, the Validation Responder Appliance must use its signing key to sign the response including the nonce. Since Validation Responder Appliances cannot create signatures, OCSP requests that include a nonce must be relayed (if the response is to include the appropriate nonce).
  If relaying is not enabled, then the Validation Responder Appliance services the request, but no nonce is included in the response. The client must decide whether or not to accept the response.
- Relay requests when the CA is known: Select this option if you want the Validation Responder Appliance to relay OCSP requests querying a certificate of unknown status with a known issuer, but there is no pre-generated response.
  This situation can occur when a Certificate Authority issues certificates that do not use sequential serial numbers.
- Relay requests querying the status of more than one certificate: Select this option if you want the Validation Responder Appliance to relay OCSP requests querying the status of more than one certificate.
  The status of all queried certificates must be included in a single signed response. Thus, the Validation Responder Appliance cannot service these requests using pre-generated OCSP responses.
- Click Set Options.
- Restart the Validation Responder software for the change to take effect.
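The following is an added illustrative model, not the appliance's own code, of the relay decision described in the introduction and in Task 2: which configured URLs a request is forwarded to (issuer-bound URLs regardless of the options, general URLs only when the matching option is enabled), and the in-order fallback until a definitive status is returned. Class names, URLs, issuer names and serial numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of the Request Relaying settings (not the appliance's API).
@dataclass
class RelayUrl:
    url: str
    issuer: Optional[str] = None      # None: not tied to a particular issuer

@dataclass
class RelayOptions:
    nonces: bool = False              # "Relay requests containing nonces"
    known_ca: bool = False            # "Relay requests when the CA is known"
    multi_cert: bool = False          # "Relay requests querying ... more than one certificate"

@dataclass
class OcspRequest:
    cert_ids: list                    # [(issuer_name, serial), ...]
    has_nonce: bool = False

def relay_targets(req, relay_urls, options, known_issuers, pregenerated):
    """Relay URLs to try, in configured order; [] means answer locally."""
    single = len(req.cert_ids) == 1
    # Only a single-certificate request without a nonce can be answered
    # from a pre-generated (pre-signed) response.
    if single and not req.has_nonce and req.cert_ids[0] in pregenerated:
        return []
    reasons = []                      # the three documented relay reasons
    if req.has_nonce:
        reasons.append(options.nonces)
    if not single:
        reasons.append(options.multi_cert)
    if single and req.cert_ids[0][0] in known_issuers:
        reasons.append(options.known_ca)
    enabled = any(reasons)
    issuers = {iss for iss, _ in req.cert_ids}
    targets = []
    for r in relay_urls:
        if r.issuer is None:
            if enabled:
                targets.append(r.url)
        elif r.issuer in issuers:     # issuer-bound URL: relayed regardless of options
            targets.append(r.url)
    return targets

DEFINITIVE = {"good", "revoked"}

def query_in_order(targets, send: Callable[[str], Optional[str]]):
    """Query each URL in order; stop at the first definitive status."""
    for url in targets:
        status = send(url)            # None models "no response received"
        if status in DEFINITIVE:
            return url, status
    return None, "unknown"
```

A single-certificate request for which a pre-generated response exists yields no targets and is answered locally; a request with a nonce is forwarded because the appliance cannot sign a response that includes the nonce itself.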