The following options are available for selecting a revocation configuration signing certificate:
- The default option, **Automatically select a signing certificate**, will generally meet most organizations' needs. This option allows the revocation configuration setup process to identify a suitable signing certificate in the local certificate store. However, if you also enable an option to automatically enroll for a signing certificate, the Online Responder service will enroll for and use that signing certificate.
- When selecting **Manually select a signing certificate**, the Online Responder will not assign any signing certificate and the user will have to manually select a signing certificate for each of the Online Responder Array members.
- **Use the CA certificate for the revocation configuration** can be selected if the Online Responder is installed on the same computer as the certification authority (CA).
Note: The default installation of Online Responder services does not allow for automatic enrollment of the Online Certificate Status Protocol (OCSP) Response Signing certificate from a hardware security module (HSM) that requires interaction from the user. If you need to use an HSM to distribute OCSP Response Signing certificates, you must modify the Online Responder service to run as Local System with interaction enabled. In addition, on the **Signing** tab of the Online Responder **Properties** page, the **Do not display UI for cryptographic operations** check box must be cleared.
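To see which certificates the automatic option has to choose from, you can list the OCSP signing candidates in the local computer's Personal store. This is an added example, not Microsoft's code. The function name `Get-OcspSigningCandidate` and its `-IssuerSubject` parameter are hypothetical, and the tests for "suitable" (OCSP Signing EKU, private key present, inside the validity period) are an assumption about what the Online Responder looks for.

```powershell
# Added example: audit OCSP response signing candidates in Cert:\LocalMachine\My.
# Assumption: a "suitable" certificate carries the OCSP Signing EKU, has a
# private key on this computer, and is currently inside its validity period.
function Get-OcspSigningCandidate {
    param(
        # Optional: subject DN of the CA the revocation configuration serves,
        # to hide OCSP signing certificates issued by other CAs.
        [string]$IssuerSubject
    )

    $ocspSigningOid = '1.3.6.1.5.5.7.3.9'      # id-kp-OCSPSigning (EKU)
    $ocspNoCheckOid = '1.3.6.1.5.5.7.48.1.5'   # id-pkix-ocsp-nocheck (extension)
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ocspSigningOid } |
        Where-Object { -not $IssuerSubject -or $_.Issuer -eq $IssuerSubject } |
        ForEach-Object {
            $noCheck = $_.Extensions | Where-Object { $_.Oid.Value -eq $ocspNoCheckOid }
            $valid   = ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                HasPrivateKey = $_.HasPrivateKey
                OcspNoCheck   = [bool]$noCheck
                # Usable only if the key is present and the certificate is in date.
                Usable        = $_.HasPrivateKey -and $valid
            }
        } |
        Sort-Object -Property NotAfter
}

# List every candidate, soonest to expire first.
Get-OcspSigningCandidate | Format-Table -AutoSize
```

Run it on each Online Responder Array member. A member with no row marked `Usable` has nothing for automatic selection to find, and with manual selection it is the member that still needs a certificate assigned.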