OCSP Server "Best Practice"?
A quick question (or two!) regarding implementing OCSP... Is it acceptable to deploy the OCSP responder on the (issuing) CA servers in a hierarchy, or is this a "no-no", and should the responder preferably be deployed on dedicated servers? As a follow-up, what minimum hardware requirements are recommended for the OCSP responder server? Many thanks, Steve G
September 9th, 2010 10:20am

I'd prefer to deploy the OCSP responder on a dedicated server. If your certificates are used in external networks (internet), OCSP should be available from both internal and external networks. The OCSP Responder is a "light" application, and load depends on CRL size and request count.

http://en-us.sysadmins.lv
September 9th, 2010 11:27am

Thanks for the reply, Vadims. Can OCSP be published using ISA Server for external clients when using a registered domain name in the URL, e.g. ocsp.microsoft.com? Would this remove the need for dedicated server(s), or are there other reasons to deploy dedicated server(s) for the OCSP responder? While I can see that the OCSP responder would very likely end up being virtualised, it can sometimes be difficult to justify the inclusion of extra servers, more down to available VM host resources than licensing costs, judging by my recent experience! I've recently deployed a 2-tier CA hierarchy using 2K8 R2. Both issuing CAs were virtualised and ran IIS to host the HTTP-based AIA and CDP paths. OCSP was not an option for this project, but if it were for a future project, I'd just like to be happy recommending that the issuing CAs could also host the OCSP responder, or recommending that dedicated servers are best practice. Steve G
September 9th, 2010 11:46am

> Can OCSP be published using ISA Server for external clients when using a registered domain name in the URL, e.g. ocsp.microsoft.com?

By default this is not possible, because OCSP is installed as an application in the default web site (form: www.domain.com/ocsp). There is a workaround for moving OCSP to a separate web site. Check this article: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=10 (note about disclaimers).

> I'd just like to be happy recommending that the issuing CAs could also host the OCSP responder, or recommending that dedicated servers are best practice.

As a best practice I would recommend a dedicated server.

http://en-us.sysadmins.lv
September 9th, 2010 12:41pm
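Whichever host ends up running the responder, the point Vadims makes about availability from both internal and external networks is the thing to verify after deployment. The following PowerShell script is an added example, not from this thread or from the sysadmins.lv article: run it once from an internal client and once from a host outside the perimeter (for example behind the ISA publishing rule). It clears the local OCSP URL cache first so a previously cached response cannot mask a responder that is actually down, checks that the responder URL answers HTTP at all, and then asks Windows itself to fetch revocation status for a test certificate with certutil. The certificate path and the responder URL are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): post-deployment check that an OCSP responder
# is reachable and usable from the network vantage point this script runs on.
param(
    # Placeholder: any certificate issued by the CA whose AIA points at the responder.
    [string]$CertPath = 'C:\temp\test-leaf.cer',
    # Placeholder: the URL published in the certificate's AIA OCSP entry.
    [string]$OcspUrl  = 'http://ocsp.example.com/ocsp'
)

# 1. Clear cached OCSP responses so the test really goes over the network.
#    A stale cached "good" answer would otherwise hide an unreachable responder.
certutil -urlcache ocsp delete | Out-Null

# 2. Plain HTTP reachability of the responder path.
#    Any HTTP status, even an error code, proves the path is reachable from here;
#    a timeout or connection failure means it is not.
try {
    $resp = Invoke-WebRequest -Uri $OcspUrl -Method Get -UseBasicParsing -TimeoutSec 10
    "Responder reachable: HTTP {0} from {1}" -f $resp.StatusCode, $OcspUrl
} catch {
    if ($_.Exception.Response) {
        "Responder reachable (HTTP error status) at $OcspUrl"
    } else {
        "Responder NOT reachable at ${OcspUrl}: $($_.Exception.Message)"
    }
}

# 3. Let the Windows certificate chain engine fetch AIA, CDP and OCSP URLs for the
#    test certificate. Lines mentioning OCSP, Verified or Failed are the ones to read:
#    a "Failed" OCSP line from the external vantage point while the internal run
#    succeeds usually points at the publishing rule or DNS, not at the responder.
if (Test-Path $CertPath) {
    certutil -verify -urlfetch $CertPath |
        Select-String -Pattern 'OCSP|Verified|Failed|\[\d+\.\d+\]'
} else {
    "Test certificate not found at $CertPath; skipping certutil -verify -urlfetch"
}
```

Running the script from both sides and comparing the two outputs gives a direct answer to the availability question before anyone commits to where the responder lives.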
