The Signing tab on the Online Responder Properties page shows the hash algorithm that is used to help verify signing operations for Online Responder responses to clients.
The following signing options can be configured:
- Do not prompt for credentials for
cryptographic operations. If the signing key is strongly
protected by an additional password, selecting this option means
the Online Responder will not prompt the user for the password and
will fail silently.
Note Do not select this option if a hardware security module (HSM) is used to protect private keys.
- Automatically use renewed signing
certificates. Instructs the Online Responder to automatically
use renewed signing certificates without asking the Online
Responder administrator to manually assign them.
- Enable NONCE extensions support.
Instructs the Online Responder to inspect and process an Online
Certificate Status Protocol (OCSP) request that includes a nonce
extension. If a nonce extension is included in the OCSP request and
this option is selected, the Online Responder will ignore any
cached OCSP response and will create a new response that includes
the nonce provided in the request. If this option is disabled and a
request that includes a nonce extension is received, the Online
Responder will reject the request with an "unauthorized" error.
Note The Microsoft OCSP client does not support the nonce extension.
- Use any valid OCSP signing
certificate. By default, the Online Responder will only use
signing certificates that are issued by the same certification
authority (CA) that issued the certificate being validated. This
option allows modifying the default behavior and instructs the
Online Responder to use any valid existing certificate that
includes the OCSP Signing EKU extension.
Note Clients running versions of Windows earlier than Windows Vista with Service Pack 1 (SP1) do not support this option, and certificate status requests from these clients will fail if this option is selected.
The following Online Responder identifier options can be used to select whether to include the key hash or the subject of the signing certificate in the response:
- Key hash of the signing certificate.
Some cryptographic service providers (CSPs) require the key hash of
the signing certificate in order to access private keys.
- Subject of the signing certificate.
Some CSPs require the subject of the signing certificate in order
to access private keys.