OCSP
Linux: AppConfig__OCSP__UseAuthorizedResponder
Value: true or false (default)
Description: If this is set to false or not set, the CA certificate will sign OCSP Responses. It is the simpler approach.
If it is set to true, SCEPman will dynamically issue an Authorized Responder certificate to sign OCSP Responses. This Authorized Responder has a short validity and a new certificate will be issued automatically whenever needed. The certificate along with its private key will be held in memory only, so there is no need for SCEPman administrators to manage the Authorized Responder's certificate. This reduces the dependency on Key Vault, improving response times and availability, and is one method to avoid the that might otherwise affect larger SCEPman installations (> ~50k users).
Linux: AppConfig__OCSP__AuthorizedResponderValidityHours
Value: Floating point value (24.0 as default)
Description: This is only applicable if you enable the Authorized OCSP Responder by setting UseAuthorizedResponder to true. This value determines the expiration date of the Authorized OCSP Responder certificate. By default, it expires one day after issuance. Note that due to the setting , the issuance date is backdated and therefore the actual validity is usually two days (one into the past, one into the future).
Linux: AppConfig__OCSP__CacheTimeOutSecondsIfDeviceExists
Value: Integer (600 as default)
Description: This is the validity in seconds of OCSP Responses for valid certificates. Technically, an OCSP Response can be re-used within its validity if no is used, e.g. by a proxy or an internal SCEPman cache. On some systems like Windows, the OCSP Response is stored in a client cache for its validity period, and when checking a certificate's validity, a new OCSP Request will only be sent when there is no valid OCSP Response already in the cache.
Therefore, the value determines the maximum delay between a certificate revocation and when a system caching an OCSP response actually treats the certificate as revoked. A lower number might increase the number of OCSP requests and therefore the load on SCEPman.
Linux: AppConfig__OCSP__CacheTimeOutSecondsIfDeviceIsDisabled
Value: Integer (300 as default)
Description: This is the validity in seconds of OCSP Responses for disabled certificates, i.e. those that have the On Hold revocation status. These certificates are revoked, but could become valid again. Examples are device certificates for devices that are disabled in Entra ID, or user certificates for .
Therefore, the value determines the maximum delay between restoring a certificate's validity (e.g. by enabling a device in Entra ID) and effectively cancelling the revocation on a system caching an OCSP response.
The setting has no influence on permanently revoked certificates. Their OCSP responses have long validities, as their revocation status cannot change anymore.
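To make the cache timeouts above concrete, here is an added model (not SCEPman code) of a responder and a client that reuses a cached OCSP response until its nextUpdate, as Windows does. The 600 s and 300 s values are the page's defaults; the seven-day validity for permanent revocations is an assumption standing in for the "long validity" the page mentions.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"          # device exists and is enabled
    ON_HOLD = "on_hold"    # temporarily revoked, e.g. device disabled in Entra ID
    REVOKED = "revoked"    # permanently revoked


# Response validity per status (constructed from the page's defaults).
CACHE_IF_DEVICE_EXISTS = 600        # AppConfig__OCSP__CacheTimeOutSecondsIfDeviceExists
CACHE_IF_DEVICE_DISABLED = 300      # AppConfig__OCSP__CacheTimeOutSecondsIfDeviceIsDisabled
CACHE_IF_REVOKED = 7 * 24 * 3600    # assumption: "long validity" for final revocations

VALIDITY = {
    Status.GOOD: CACHE_IF_DEVICE_EXISTS,
    Status.ON_HOLD: CACHE_IF_DEVICE_DISABLED,
    Status.REVOKED: CACHE_IF_REVOKED,
}


@dataclass
class OcspResponse:
    status: Status
    this_update: int   # seconds, simulated clock
    next_update: int


class Responder:
    """The CA-side truth: answers with the current status and its validity window."""

    def __init__(self, status: Status):
        self.status = status

    def respond(self, now: int) -> OcspResponse:
        return OcspResponse(self.status, now, now + VALIDITY[self.status])


class CachingClient:
    """A client that only asks the responder when no valid response is cached."""

    def __init__(self, responder: Responder):
        self.responder = responder
        self.cached = None
        self.requests = 0

    def check(self, now: int) -> Status:
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.responder.respond(now)
            self.requests += 1
        return self.cached.status


def propagation_delay(initial: Status, last_fetch: int, change_at: int,
                      new_status: Status) -> tuple[int, int]:
    """Seconds until a client that last fetched at `last_fetch` observes a status
    change made at `change_at`, plus the number of OCSP requests it sent."""
    responder = Responder(initial)
    client = CachingClient(responder)
    client.check(last_fetch)              # cache is populated before the change
    responder.status = new_status
    t = change_at
    while client.check(t) != new_status:
        t = client.cached.next_update     # nothing changes until the cached response expires
    return t - change_at, client.requests
```

The worst case is one full validity window: a revocation right after a fetch is seen only after CacheTimeOutSecondsIfDeviceExists seconds, and re-enabling a device after CacheTimeOutSecondsIfDeviceIsDisabled seconds.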