HSM communication with OCSP/HTTP CDP
In dealing with several HSM vendors for PKI planning, they all seem to license based, in part, on the number of clients in the PKI hierarchy that communicate with it. If I have two load balanced OCSPs with no other roles, do these "communicate" with the HSM? Same question for HTTP CDP servers that have no other roles.
October 21st, 2009 7:37pm
An HSM stores the CA's private keys. That's all. The HSM is involved when a CA needs its private key to sign a cert or CRL. But I say this without knowing how MS OCSP Online Responder works in detail. Guess if u put the responder's private signing key on the HSM then u have another scenario.
October 21st, 2009 9:35pm
Hi,
This depends on whether you want to use an HSM for OCSP signing. As for HTTP CDPs, their purpose is to publish the CRL to your users by using the HTTP protocol. There is no need to use an HSM here.
Best regards
Martin Rublik
October 22nd, 2009 9:32am


