OCSP Responders


Used for delegation of OCSP response signing to a non-CA key pair.
Name Issuer Serial Number Crypto Token Current Key Pair Next Key Pair Status Active Actions

Create new...

Set Default Responder

Enable nonce extension in OCSP replies from CAs

Responder ID Type for CAs

Enable OCSP signing cache update

Enable cache headers for unauthorized responses

Default Validity Times

The following values are used as global defaults, and are enacted for CA's responding to their own OCSP requests without the help of an OCSP Signer.
Response Validity (Seconds)
Default response validity, used for CAs signing their own responses or when not set in the aliases. 0 means that no validity is set. Note that a validity is required for pre-produced OCSP responses.
Max-Age HTTP header (Seconds)
Default caching time in the response HTTP headers. Used for CAs signing their own responses or when not set in the aliases. 0 means that no time is set, and ignored if the Response Validity is set to 0. Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but "no-cache, must-revalidate" instead. That is to prevent caching of UNKNOWN statuses.
Use Max-Age for Expired Responses
Base cache header on max-age instead of than nextUpdate for expired entities globally. Only used if Max-Age is set to other than 0. Note that this is not in compliance with RFC 5019.

OCSP Audit and Transaction Logging

© 2002–2025. EJBCA® is a registered trademark.