OCSP Request Relaying

When the Validation Responder cannot service an OCSP request using pre-generated OCSP responses, it can relay the request to another server. You can configure the URLs to which requests are relayed.

When more than one relay URL is configured, each URL will be queried in the order listed on this page until a definitive response is found or all URLs have been queried.

When a URL is associated with a certificate issuer, an OCSP request will only be relayed to that URL if it queries the status of a certificate issued by that certificate issuer. Such requests will be relayed regardless of the relaying options if no pre-generated OCSP response is available.

This situation could occur for a number of reasons, such as:

  • The OCSP request contains a nonce,

  • The OCSP request queries the status of a certificate with a known issuer, but for which there is no pre-generated response, or

  • The OCSP request queries the status of more than one certificate.

To configure OCSP request relaying, you must specify the URL(s) of the OCSP server(s) to which requests should be relayed and the type(s) of requests to relay.

If OCSP request relaying is not enabled, or not enabled for a particular OCSP request type, then the Validation Responder services the request to the best of its ability, and the client must decide whether or not to accept the response.

The OCSP server to which OCSP requests are relayed is specified as a URL. See the following important notes.

Important Notes About Validation Responder OCSP Interface

  • The Validation Responder offers OCSP services over both the HTTP and HTTPS protocols.

  • The Validation Responder uses ports 80 and 3502 for requests over HTTP and ports 443 and 3602 for requests over SSL.

  • The OCSP service is available at the following URLs (where the Validation Responder has the hostname myserver):

    http://myserver/

    https://myserver/

Because every OCSP response is already cryptographically protected by a signature generated by the Validation Authority, you must use HTTP for OCSP to avoid the performance overhead of SSL.

Types of OCSP Requests to Be Relayed

  1. If you want the Validation Responder to relay OCSP requests that contain a nonce, then select the Relay requests containing nonces option. By default, this option is not selected.

    Nonces can be included in OCSP requests to cryptographically bind an OCSP response to the request. When responding to a request that includes a nonce, the server must sign the response including the nonce. Since Validation Responder cannot create signatures, OCSP requests that include a nonce must be relayed (if the response is to include the appropriate nonce).

    If relaying is not enabled, then the Validation Responder services the request, but no nonce is included in the response. The client must decide whether or not to accept the response.

  2. If you want the Validation Responder to relay OCSP requests that query the status of a certificate whose issuer is known but for which no pre-generated response is available, then select the Relay requests when the CA is known but there is no pregenerated response available option. By default, this option is not selected.

    This situation can occur when a Certificate Authority issues certificates that do not use sequential serial numbers.

  3. If you want the Validation Responder to relay OCSP requests querying the status of more than one certificate, then select the Relay requests querying the status of more than one certificate option.

    The status of all queried certificates must be included in a single signed response. Thus, the Validation Responder cannot service these requests using pre-generated OCSP responses. By default, this option is not selected.

  4. Click Next.

  5. Enter a new URL.

  6. Optionally, browse for the certificate Issuer.

  7. Click Add Relay URL, and then click Next.
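The relay rules described above (the three relaying options, the ordered list of relay URLs, the issuer association, and the client's final accept-or-reject decision on a nonce) can be modelled end to end. The following Python is an added example and not the Validation Responder's own code: it represents OCSP requests and responses as small dataclasses instead of DER, stands in for the relay targets with plain callables, and uses constructed issuer names, serial numbers, URLs and option names (`relay_nonce`, `relay_known_ca_no_response`, `relay_multi_cert`) that are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CertId = Tuple[str, int]  # (issuer name, certificate serial number)

@dataclass(frozen=True)
class OcspRequest:
    cert_ids: Tuple[CertId, ...]
    nonce: Optional[bytes] = None

@dataclass(frozen=True)
class OcspResponse:
    status: str                   # "good", "revoked", "unknown" or "tryLater"
    nonce: Optional[bytes] = None
    source: str = "pregenerated"  # which responder produced it

    @property
    def definitive(self) -> bool:
        return self.status in ("good", "revoked", "unknown")  # tryLater is not

@dataclass(frozen=True)
class RelayUrl:
    url: str
    issuer: Optional[str] = None  # set when the URL is associated with an issuer

@dataclass(frozen=True)
class RelayConfig:
    urls: Tuple[RelayUrl, ...]                # in the order listed on the page
    relay_nonce: bool = False                 # "Relay requests containing nonces"
    relay_known_ca_no_response: bool = False  # "... CA is known but there is no pregenerated response"
    relay_multi_cert: bool = False            # "... status of more than one certificate"

# Pre-generated responses, issuer -> serial -> status; every key is a known issuer.
Pregenerated = Dict[str, Dict[int, str]]
Transport = Callable[[OcspRequest], OcspResponse]

def relay_urls_for(req: OcspRequest, cfg: RelayConfig, pre: Pregenerated) -> List[str]:
    """Relay URLs to try, in configured order; an empty list means serve locally."""
    issuers = {iss for iss, _ in req.cert_ids}
    missing = [cid for cid in req.cert_ids if cid[1] not in pre.get(cid[0], {})]
    known_ca_missing = any(iss in pre for iss, _ in missing)  # e.g. non-sequential serials
    wants_relay = ((req.nonce is not None and cfg.relay_nonce)
                   or (len(req.cert_ids) > 1 and cfg.relay_multi_cert)
                   or (known_ca_missing and cfg.relay_known_ca_no_response))
    chosen = []
    for ru in cfg.urls:
        if ru.issuer is None:
            if wants_relay:
                chosen.append(ru.url)
        elif issuers == {ru.issuer} and (wants_relay or missing):
            # Issuer-bound URL: only that issuer's certificates go there, and they go
            # regardless of the options when no pre-generated response is available.
            chosen.append(ru.url)
    return chosen

def local_response(req: OcspRequest, pre: Pregenerated) -> OcspResponse:
    """Best-effort local service: no signing key, so a request nonce is never echoed
    and a multi-certificate request can only be answered 'unknown'."""
    if len(req.cert_ids) == 1:
        iss, serial = req.cert_ids[0]
        return OcspResponse(pre.get(iss, {}).get(serial, "unknown"))
    return OcspResponse("unknown")

def answer(req: OcspRequest, cfg: RelayConfig, pre: Pregenerated,
           transports: Dict[str, Transport]) -> OcspResponse:
    """Query the relay URLs in order until one is definitive, else answer locally."""
    for url in relay_urls_for(req, cfg, pre):
        resp = transports[url](req)
        if resp.definitive:
            return resp
    return local_response(req, pre)

def client_accepts(req: OcspRequest, resp: OcspResponse) -> bool:
    """Client-side decision: a request that carried a nonce needs it echoed back."""
    return req.nonce is None or resp.nonce == req.nonce

def make_responder(url: str, statuses: Dict[CertId, str]) -> Transport:
    """Constructed stand-in for a signing OCSP responder behind a relay URL."""
    def respond(req: OcspRequest) -> OcspResponse:
        if any(cid not in statuses for cid in req.cert_ids):
            return OcspResponse("tryLater", req.nonce, url)  # not definitive
        worst = "revoked" if any(statuses[c] == "revoked" for c in req.cert_ids) else "good"
        return OcspResponse(worst, req.nonce, url)  # one signed answer covering all certs
    return respond

# Constructed sample deployment (hypothetical names): two issuers, an issuer-bound
# relay URL for each, and a general relay URL listed last.
PRE: Pregenerated = {"CA-A": {1: "good", 2: "revoked"}, "CA-B": {10: "good"}}
TRANSPORTS: Dict[str, Transport] = {
    "http://ocsp-a.example/": make_responder("http://ocsp-a.example/", {("CA-A", 1): "good", ("CA-A", 7): "good"}),
    "http://ocsp-b.example/": make_responder("http://ocsp-b.example/", {("CA-B", 10): "good"}),
    "http://ocsp-any.example/": make_responder("http://ocsp-any.example/", {("CA-A", 1): "good",
        ("CA-A", 2): "revoked", ("CA-B", 10): "good", ("CA-B", 11): "revoked"}),
}
CFG = RelayConfig(urls=(RelayUrl("http://ocsp-a.example/", "CA-A"),
                        RelayUrl("http://ocsp-b.example/", "CA-B"),
                        RelayUrl("http://ocsp-any.example/")),
                  relay_nonce=True, relay_multi_cert=True)  # known-CA option left off

if __name__ == "__main__":
    r = OcspRequest((("CA-A", 1),), nonce=b"\x01\x02")
    print(relay_urls_for(r, CFG, PRE), answer(r, CFG, PRE, TRANSPORTS))
```

Running `answer()` with the nonce option off shows the failure mode the text describes: the local response carries no nonce, so `client_accepts()` rejects it even though the certificate's status is known. With the option on, the issuer-bound URL is queried first, then the general URL; a `tryLater` from the first target does not stop the walk, and an issuer-bound URL still receives a request for a serial it has no pre-generated response for even when every relaying option is off.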