The following options are available for selecting a revocation configuration signing certificate:

  • The default option, Automatically select a signing certificate, will generally meet most organization's needs. This option allows the revocation configuration setup process to identify a suitable signing certificate in the local certificate store. However, if you also enable an option to automatically enroll for a signing certificate, the Online Responder service will enroll for and use that signing certificate.

  • When selecting Manually select a signing certificate, the Online Responder will not assign any signing certificate and the user will have to manually select a signing certificates for each of the Online Responder Array members.

  • Use the CA certificate for the revocation configuration can be selected if the Online Responder is installed on the same computer as the certification authority (CA).


The default installation of Online Responder services does not allow for automatic enrollment of the Online Certificate Status Protocol (OCSP) Response Signing certificate from a hardware security module (HSM) that requires interaction from the user. If you need to use an HSM to distribute OCSP Response Signing certificates, you must modify the Online Responder service to run as Local System with interaction enabled. In addition, on the Signing tab of the Online Responder Properties page, the Do not display UI for cryptographic operations check box must be cleared.

Additional references