LogoLogo
LogoLogo
  • Welcome
  • Details
  • Editions
  • Use Cases
  • SCEPMAN Deployment
    • Getting Started
      • Standard Guide
      • Extended Guide
    • Permissions
      • Azure App Registration
      • Managed Identities
    • Deployment Options
      • Marketplace deployment
      • Enterprise deployment
      • Terraform deployment
    • Root CA
    • Intermediate CA
  • Certificate Management
    • Revocation
    • Microsoft Intune
      • Windows
        • Certificate Based Authentication for RDP
      • macOS
      • Android
      • iOS/iPadOS
      • Linux
    • Jamf Pro
      • General Configuration
      • Computers
      • Devices
      • Users
    • Other MDM Solutions
      • Google Workspace
        • ChromeOS
      • Kandji
      • Mosyle
      • SOTI MobiControl
    • Certificate Master
      • Manage Certificates
      • Certificate Signing Request (CSR)
      • TLS Server Certificate
      • Sub CA Certificate
      • Code Signing Certificate
      • Client Certificate
      • User Certificate
    • Domain Controller Certificates
    • Enrollment REST API
      • Self Service Enrollment
        • Intune Managed Linux Client
        • Unmanaged Linux Client
      • API Enrollment
        • Linux Server
        • Windows Server
  • Azure Configuration
    • Application Insights
    • App Service Sizing
      • Autoscaling
    • Custom Domain
    • Geo-Redundancy
    • Health Check
      • Using 3rd Party Monitoring
    • Log Management
    • Moving Resources
    • Private Endpoints
    • Split-Tenancy
  • Update Strategy
  • SCEPman Configuration
    • SCEPman Settings
      • Basics
      • Certificates
      • Certificate Master
      • CRL
      • Dependencies (Azure Services)
        • Azure KeyVault
        • Logging
        • Microsoft Entra ID (Azure AD)
        • National Cloud Platforms
      • Enrollment REST API
      • OCSP
      • SCEP Endpoints
        • DC Validation
        • Intune Validation
        • Jamf Validation
        • Static Validation
        • Static-AAD Validation
    • Certificate Master Settings
      • Basics
      • Microsoft Entra ID (Azure AD)
      • Logging
      • National Cloud Platforms
    • Application Artifacts
    • Certificate Master RBAC
    • Device Directories
    • Intune Strong Mapping
  • Other
    • Security & Privacy
    • Support
    • Licensing
      • Azure Marketplace
    • FAQs
      • General
      • Certificate Connector
      • Network Access Controllers
    • Troubleshooting
      • Common Problems
      • Certifried Security Vulnerability
      • Cisco ISE Host Header Limitation
      • Intune service discovery API permissions
      • Re-enrollment trigger
  • Uninstallation
  • Change Log
  • Links
  • SCEPman Website
Powered by GitBook
On this page
  • AppConfig:OCSP:UseAuthorizedResponder
  • AppConfig:OCSP:AuthorizedResponderValidityHours
  • AppConfig:OCSP:CacheTimeOutSecondsIfDeviceExists
  • AppConfig:OCSP:CacheTimeOutSecondsIfDeviceIsDisabled

Was this helpful?

  1. SCEPman Configuration
  2. SCEPman Settings

OCSP

These settings should only be applied to the SCEPman App Service, not the Certificate Master. Please refer to SCEPman Settings.

AppConfig:OCSP:UseAuthorizedResponder

Applicable to version 2.9 and above

Value: true or false (default)

Description: If this is set to false or not set, the CA certificate will sign OCSP Responses. It is the simpler approach.

If it is set to true, SCEPman will dynamically issue an Authorized Responder certificate to sign OCSP Responses. This Authorized Responders has a short validity and a new certificate will be issued automatically whenever needed. The certificate along with its private key will be held in memory only, so there is no need for SCEPman administrators to manage the Authorized Responders certificate. This reduces the dependency on Key Vault, improving response times and availability, and is one method to avoid the Key Vault throttling limit that might otherwise affect larger SCEPman installation (> ~50k users).

AppConfig:OCSP:AuthorizedResponderValidityHours

Applicable to version 2.9 and above

Value: Floating point value (24.0 as default)

Description: This is only applicable if you enable the Authorized OCSP Responder by setting UseAuthorizedResponder to true. This value determines the expiration date of the Authorized OCSP Responder certificate. By default, it expires one day after issuance. Note that due to the setting AppConfig:ValidityClockSkewMinutes, the issuance date is back-dated and therefore the actual validity is usually two days (one into the past, one into the future).

AppConfig:OCSP:CacheTimeOutSecondsIfDeviceExists

Value: Integer (600 as default)

Description: This is the validity in seconds of OCSP Responses for valid certificates. Technically, an OCSP Response can be re-used within its validity if no OCSP Nonce is used, e.g. by a proxy or an internal SCEPman cache. On some systems like Windows, the OCSP Response is stored in a client cache for its validity period, and when checking for a certificate's validity, a new OCSP Request will only be send when there is no valid OCSP Response already in the cache.

Therefore, the value determines the maximum delay between a certificate revocation and when a system caching an OCSP response actually treats a certificate as revoked. A lower number might increase the number of OCSP requests and therefore the load on SCEPman.

AppConfig:OCSP:CacheTimeOutSecondsIfDeviceIsDisabled

Value: Integer (300 as default)

Description: This is the validity in seconds of OCSP Responses for disabled certificates, i.e. that have the On Hold revocation status. These certificate are revoked, but could become valid again. Examples are device certificates for devices that are disabled in Entra Id, or user certificates for users with a high user risk score.

The setting has no influence on permanently revoked certificates. Their OCSP response have long validities, as their revocation status cannot change anymore.

Therefore, the value determines the maximum delay between restoring a certificate's validity (e.g. by enabling a device in Entra ID) and effectively cancelling the revocation on a system caching an OCSP response.

Last updated 6 days ago

Was this helpful?