OCSP

AppConfig:OCSP:UseAuthorizedResponder

Applicable to version 2.9 and above

Value: true or false (default)

Description: If this is set to false or not set, OCSP Responses are signed directly with the CA certificate's key. This is the simpler approach, but every OCSP Response then requires a signing operation with the CA key held in Key Vault.

If it is set to true, SCEPman dynamically issues an Authorized Responder certificate and signs OCSP Responses with it. An Authorized Responder is an OCSP signing certificate issued by the CA itself and carrying the id-kp-OCSPSigning extended key usage (RFC 6960), which is what relying parties check when they accept a response not signed by the CA directly. The Authorized Responder certificate has a short validity and a new one is issued automatically whenever needed. The certificate and its private key are held in memory only, so SCEPman administrators do not need to manage the Authorized Responder certificate. Because the CA key is no longer needed for each individual response, this reduces the dependency on Key Vault, improves response times and availability, and is one way to stay below the Key Vault throttling limit that might otherwise affect larger SCEPman installations (more than roughly 50,000 users).

AppConfig:OCSP:AuthorizedResponderValidityHours

Applicable to version 2.9 and above

Value: Floating point value (24.0 as default)

Description: This setting only applies if the Authorized OCSP Responder is enabled by setting AppConfig:OCSP:UseAuthorizedResponder to true. It determines the expiration date of the Authorized OCSP Responder certificate; by default, the certificate expires one day after issuance. Note that because of the setting AppConfig:ValidityClockSkewMinutes, the issuance (notBefore) date is back-dated, so the actual validity period is usually about two days (one into the past, one into the future).

AppConfig:OCSP:CacheTimeOutSecondsIfDeviceExists

Value: Integer (600 as default)

Description: This is the validity in seconds of OCSP Responses for valid (non-revoked) certificates, i.e. the window between the thisUpdate and nextUpdate fields of the response. Technically, an OCSP Response can be re-used within its validity if no OCSP Nonce is used, e.g. by a proxy or an internal SCEPman cache. On some systems like Windows, the OCSP Response is stored in a client cache for its validity period, and when checking a certificate's revocation status, a new OCSP Request is only sent when there is no valid OCSP Response already in the cache.

Therefore, the value determines the maximum delay between a certificate revocation and the moment a system that caches OCSP responses actually treats the certificate as revoked. A lower value shortens that window but increases the number of OCSP requests and therefore the load on SCEPman.

AppConfig:OCSP:CacheTimeOutSecondsIfDeviceIsDisabled

Value: Integer (300 as default)

Description: This is the validity in seconds of OCSP Responses for disabled certificates, i.e. certificates with the On Hold (certificateHold) revocation status. These certificates are revoked, but could become valid again. Examples are device certificates for devices that are disabled in Entra ID, or user certificates for users with a high user risk score.

The setting has no influence on permanently revoked certificates. Their OCSP responses have long validities, as their revocation status cannot change anymore.

Therefore, the value determines the maximum delay between restoring a certificate's validity (e.g. by re-enabling a device in Entra ID) and the moment a system that caches OCSP responses stops treating the certificate as revoked.
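The following script is an added example and is not SCEPman code; it does not show how SCEPman signs internally. It uses the openssl CLI to build a throwaway lab PKI, sign OCSP Responses with a delegated Authorized Responder certificate as described under UseAuthorizedResponder and AuthorizedResponderValidityHours, and then inspect, from the client side, what the three CacheTimeOut behaviours above look like in a response: a good certificate, an On Hold certificate, and a permanently revoked one. The lab CA, the device names and serials, the revocation dates, and the 7-day validity chosen for the permanently revoked response are all made up; SCEPman's real value for that case is not stated on this page. It assumes openssl 1.1.1 or 3.x and GNU date.

```shell
#!/bin/sh
# Added example, not SCEPman code. Builds a lab PKI, signs OCSP responses with a
# delegated (Authorized) responder certificate, and checks what a client sees:
# the signer's EKU and validity window, and the thisUpdate/nextUpdate interval
# that a cache is allowed to reuse. Names, serials and dates are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Lab CA (stands in for the SCEPman CA whose key lives in Key Vault)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab CA" -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext -out ca.pem 2>/dev/null

# issue NAME SERIAL DAYS EXTFILE -> NAME.pem / NAME.key signed by the lab CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" -days "$3" \
    -extfile "$4" -out "$1.pem" 2>/dev/null
}

# Authorized Responder: issued by the CA, id-kp-OCSPSigning EKU, 24h validity
# (the AuthorizedResponderValidityHours default). SCEPman also back-dates
# notBefore by ValidityClockSkewMinutes; that is not reproduced here.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > responder.ext
issue responder 0x7777 1 responder.ext

# Three device certificates: active, disabled (On Hold), permanently revoked
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > device.ext
issue device-active   0x1001 30 device.ext
issue device-disabled 0x1002 30 device.ext
issue device-lost     0x1003 30 device.ext

# Revocation database in openssl "ca" index format (tab separated):
# status, expiry, revocation date[,reason], serial (hex), file, subject
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=device-active\n'                               > index.txt
printf 'R\t991231235959Z\t240101000000Z,certificateHold\t1002\tunknown\t/CN=device-disabled\n' >> index.txt
printf 'R\t991231235959Z\t240101000000Z,keyCompromise\t1003\tunknown\t/CN=device-lost\n'       >> index.txt

epoch() { date -u -d "$1" +%s; }   # GNU date; parses openssl's "Jun  5 10:00:00 2024 GMT"

# responder_check -> "OCSPSigning <validity-seconds>" (or "noOCSPSigning ...")
responder_check() {
  if openssl x509 -in responder.pem -noout -ext extendedKeyUsage | grep -q 'OCSP Signing'
  then eku=OCSPSigning; else eku=noOCSPSigning; fi
  nb=$(openssl x509 -in responder.pem -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in responder.pem -noout -enddate   | cut -d= -f2)
  echo "$eku $(( $(epoch "$na") - $(epoch "$nb") ))"
}

# ocsp_check NAME NMIN -> "<status> <nextUpdate-thisUpdate seconds> [<reason>]"
# NMIN plays the role of the CacheTimeOutSeconds* settings, in minutes.
ocsp_check() {
  # 1. Responder side: sign a nonce-less (cacheable) response with the delegated key
  openssl ocsp -index index.txt -CA ca.pem -rsigner responder.pem -rkey responder.key \
    -issuer ca.pem -cert "$1.pem" -no_nonce -nmin "$2" -respout "$1.resp" >/dev/null 2>&1
  # 2. Client side: verify signer chain + OCSPSigning EKU, then read the cache window
  out=$(openssl ocsp -respin "$1.resp" -issuer ca.pem -cert "$1.pem" -CAfile ca.pem -no_nonce 2>&1)
  echo "$out" | grep -q '^Response verify OK' || { echo "VERIFY-FAILED"; return 1; }
  status=$(echo "$out" | sed -n "s/^$1\.pem: //p")
  this=$(echo "$out"   | sed -n 's/^[[:space:]]*This Update: //p')
  next=$(echo "$out"   | sed -n 's/^[[:space:]]*Next Update: //p')
  reason=$(echo "$out" | sed -n 's/^[[:space:]]*Reason: //p')
  echo "$status $(( $(epoch "$next") - $(epoch "$this") ))${reason:+ $reason}"
}

responder_check                    # OCSPSigning 86400
ocsp_check device-active   10      # good 600  (CacheTimeOutSecondsIfDeviceExists default)
ocsp_check device-disabled 5       # revoked 300 certificateHold  (CacheTimeOutSecondsIfDeviceIsDisabled default)
ocsp_check device-lost     10080   # revoked 604800 keyCompromise (long-lived; 7 days is assumed here)
```

The nextUpdate minus thisUpdate difference printed by ocsp_check is exactly the window during which a Windows client or a proxy may serve the response from cache without asking the responder again, which is why the On Hold case gets the shorter interval. Against a live SCEPman instance the client half is the same command with `-url` pointing at the OCSP URL from the certificate's AIA extension instead of `-respin`; add `-resp_text` to see the responder certificate embedded in the response. On macOS, replace `date -u -d "$1"` with `date -j -u -f '%b %d %T %Y %Z' "$1"`.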
