OCSP Prerequisites

Set up the following components to use OCSP for certificate validation:

Set up an OCSP responder.
Store an OCSP trusted responder certificate in the certificate data store. The responder certificate validates the signature of an OCSP response returned to CA SiteMinder® Federation Standalone. This certificate is a single trusted verification certificate or a collection of certificates.
Obtain these certificates from your CA in a communication that is separate from an OCSP transaction.

CA SiteMinder® Federation Standalone can work with any OCSP response that is signed using SHA-1 and the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).

The OCSP responder can include the signature verification certificate with the response. CA SiteMinder® Federation Standalone then validates the certificate and the response signature with the trusted certificate in the certificate data store.

If a signature verification certificate is not in the response, CA SiteMinder® Federation Standalone verifies the signature with the certificate or collection of certificates in the certificate data store.

You configure OCSP in the Administrative UI and are required to specify the location of the certificate or the collection of certificates.
Store the CA certificate that issued the user certificate in certificate data store. This CA certificate validates the user certificate.
(Optional) Store the private key/certificate pair that CA SiteMinder® Federation Standalone uses to sign the OCSP request is in the certificate data store.