KB Article #180187
FAQ Regarding Precomputed OCSP Response Databases
Q: How is the OCSP response database used?
A: The Responder creates OCSP responses for the certificates issued by one CA, using the CRL of that CA, and puts them together in a file which is sent to Repeaters. The Repeater uses the responses from this file to answer OCSP requests.
Q: How does Responder pre-compute an OCSP response database?
A: The Responder creates OCSP responses for all certificates of one CA whose serial numbers lie in a given range. The response is “revoked” if the serial number of a certificate is on the CRL of this CA and “good” otherwise. Note that “good” is therefore also returned for serial numbers in the range that the CA never issued: a pre-computed “good” means only “not on the CRL”, not “issued by this CA”.
Q: What is the difference between using a relative and an absolute range for the pre-computation?
A: When the Responder is configured to pre-compute the OCSP responses in the given absolute range it will begin the computation with the serial number given as “Range start” and end with the serial number given as “Range end”.
When it is configured to use a relative range, the Responder looks at all serial numbers on the CRL and determines the lowest and the highest. The OCSP responses are then computed beginning with the lowest serial number on the CRL minus the value of “Range start” and ending with the highest serial number on the CRL plus the value of “Range end”.
Q: What does the Repeater do when a response is not contained in the database?
A: A Repeater cannot create an OCSP response on its own. So, if a response is not available in the pre-computed database or in the cache, the request is proxied to another Repeater or a Responder. A response is sent back to the client and is stored in the Repeater cache for serving future requests as long as the response does not contain a nonce tying it to a specific request.
Q: What are the advantages of the setting “only compute bad responses”?
A: This setting allows you to create an OCSP response database when a CA uses large random serial numbers. In this case it is not practical, or even possible, to create a response database that contains every serial number in the range spanned by the ones on the CRL. With this setting the database contains only the “revoked” responses; requests for other serial numbers are not answered from the database and are handled as described above (served from the cache or proxied to a Responder).
Q: What can you do when you get the error “maximum pre-computation range is exceeded”?
A: That depends on the size of the computed range. When the message is like “Maximum pre-computation range exceeded. Computed Range = 5389075, Maximum allowed range = 4000000”, you can increase the allowed range by raising the value of “Maximum Pre-computation OCSP Limit”, which you can find under “Server Settings” – “General Settings”, section “VA Responder Settings”.
When the error message looks like “Maximum pre-computation range exceeded. Computed Range = 154003278391423734917970130078416060275, Maximum allowed range = 4000000”, it is not possible to create a complete OCSP response database at all. In this case the CA is issuing certificates with large random serial numbers and there is no way to pre-compute all responses in this range. It would also make no sense, because less than 1% of these responses would ever be used. For such a CA use the setting “only compute bad responses” instead.
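The pre-computation described in the earlier questions (absolute and relative ranges, “revoked” or “good” from the CRL), the “only compute bad responses” setting, and the range check behind this error, as one added example that is not the product's own code. The CRL is modelled as the set of revoked serial numbers; the function names, the default limit (taken from the error text quoted above) and the constructed CRLs are assumptions.

```python
"""Pre-computing an OCSP response database from a CRL.

Added example, not the product's own code: it models the FAQ's absolute and
relative ranges, the "only compute bad responses" setting and the
"Maximum pre-computation range exceeded" check.  The CRL is represented as the
set of revoked serial numbers; function names and the default limit are
assumptions made for illustration.
"""
from typing import Dict, Set, Tuple

# Example value of "Maximum Pre-computation OCSP Limit", taken from the FAQ's error text.
MAX_PRECOMPUTE_LIMIT = 4_000_000


class RangeExceeded(ValueError):
    """Raised when the computed range is larger than the configured limit."""


def precompute_range(crl: Set[int], start: int, end: int, relative: bool) -> Tuple[int, int]:
    """Return the inclusive (first, last) serial numbers to compute.

    Absolute range: "Range start"/"Range end" are the bounds themselves.
    Relative range: the bounds are the lowest CRL serial minus "Range start"
    and the highest CRL serial plus "Range end".
    """
    if relative:
        if not crl:
            raise ValueError("a relative range needs at least one serial on the CRL")
        first, last = min(crl) - start, max(crl) + end
    else:
        first, last = start, end
    # Serial numbers are positive integers (RFC 5280), so never start below 1.
    first = max(first, 1)
    if first > last:
        raise ValueError(f"empty range {first}..{last}")
    return first, last


def check_limit(first: int, last: int, limit: int = MAX_PRECOMPUTE_LIMIT) -> int:
    """Return the number of responses to compute, or raise RangeExceeded.

    The message mirrors the product's error text quoted in the FAQ.
    """
    size = last - first + 1
    if size > limit:
        raise RangeExceeded(
            f"Maximum pre-computation range exceeded. Computed Range = {size}, "
            f"Maximum allowed range = {limit}"
        )
    return size


def precompute(crl: Set[int], start: int, end: int, relative: bool,
               only_bad: bool = False, limit: int = MAX_PRECOMPUTE_LIMIT) -> Dict[int, str]:
    """Build the response database: serial number -> "good" | "revoked".

    With only_bad=True only the serials on the CRL get a stored response, so
    the database size is the CRL size rather than the range size and the limit
    does not apply; that is what makes it usable for CAs with random serials.
    """
    first, last = precompute_range(crl, start, end, relative)
    if only_bad:
        return {s: "revoked" for s in crl if first <= s <= last}
    check_limit(first, last, limit)
    # Every serial in the range that is not on the CRL gets "good", including
    # serials the CA never issued: "good" here means only "not revoked".
    return {s: ("revoked" if s in crl else "good") for s in range(first, last + 1)}


def demo() -> Tuple[Dict[int, str], Dict[int, str], str, Dict[int, str]]:
    """Constructed CRLs: one sequential-serial CA, one random-serial CA."""
    sequential_crl = {1_000_010, 1_000_257, 1_003_999}
    # Absolute range: 100 serials, one of them revoked.
    absolute_db = precompute(sequential_crl, 1_000_000, 1_000_099, relative=False)
    # Relative range: 1_000_000 .. 1_004_999, i.e. 5000 responses, 3 of them revoked.
    relative_db = precompute(sequential_crl, 10, 1000, relative=True)

    # Two constructed 128-bit random serials: the relative range spans about 2**126 values.
    random_crl = {0x4C1F9E2A7B3D5F60A1C3E5F70912B4D6, 0x0A7E1F3C5B9D2E4F60718293A4B5C6D7}
    try:
        precompute(random_crl, 0, 0, relative=True)
        error = ""
    except RangeExceeded as exc:
        error = str(exc)
    # The workable alternative for such a CA: store the revoked responses only.
    bad_only_db = precompute(random_crl, 0, 0, relative=True, only_bad=True)
    return absolute_db, relative_db, error, bad_only_db


if __name__ == "__main__":
    absolute_db, relative_db, error, bad_only_db = demo()
    print(len(absolute_db), len(relative_db), len(bad_only_db))
    print(error)
```

Raising the limit only helps in the first case: `check_limit(1, 5_389_075)` reproduces the first message in the answer, and a limit of 6 000 000 would let it through, while the random-serial CRL produces a computed range of roughly 2**126 that no limit can accommodate, which is why that CA is served with `only_bad=True`.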