Integrate the Microsoft Online Responder (OCSP) with CryptoHub to protect the OCSP response signing key in the HSM.

The Online Certificate Status Protocol (OCSP) provides real-time certificate revocation status over HTTP: a client asks about one certificate and receives a signed answer, instead of downloading and parsing the CA's full Certificate Revocation List (CRL). The Microsoft Online Responder is the Windows Server implementation of OCSP. It is installed as a role service of Active Directory Certificate Services (AD CS) and serves clients through Web Server (IIS). It complements CRLs rather than replacing them: the Online Responder downloads the CA's published CRL and answers per-certificate OCSP queries on the CA's behalf, signing each response with its own OCSP signing key.

This guide covers both Standalone CA and Enterprise CA configurations, with the Online Responder and IIS installed on a dedicated Windows Server separate from the CA server. That separation is the recommended production architecture; installing the Online Responder on the CA server itself is supported but not recommended for production.

Key features

This integration has the following features:
  • Real-time revocation status: The Online Responder answers per-certificate OCSP queries over HTTP, giving clients a fast, current revocation answer instead of requiring them to download and parse a full CRL.
  • Complements CRL and CDP: The Online Responder consumes the CA's published CRL and serves OCSP responses alongside the CRL Distribution Point (CDP), so the OCSP URL in the Authority Information Access (AIA) extension and the CRL URL in the CDP extension of issued certificates work together: clients query the responder for a single certificate and can still retrieve the full CRL from the CDP.
  • HSM-protected signing key via Futurex FXCL KMES CNG: The OCSP response signing key is generated and held in CryptoHub through the Futurex FXCL KMES CNG provider, so the Online Responder signs responses without the private key ever leaving the HSM.
  • Supports Standalone and Enterprise CA: The guide documents both CA types — Standalone CA enrollment using an INF file and certreq, and Enterprise CA enrollment from an Active Directory certificate template.
  • RSA and ECC signing keys: The OCSP signing key can be an RSA or an ECC (ECDSA) key, with the algorithm kept consistent across the INF, the certificate template, and the test certificate.

Benefits of CryptoHub integration through CNG

Integrating with CryptoHub provides the following benefits:
  • HSM-protected signing key: The OCSP response signing key is generated as a non-exportable key inside CryptoHub through the Futurex FXCL KMES CNG provider, so the private key never leaves the HSM and cannot be extracted from the OCSP server.
  • Signing operations inside the HSM: Every OCSP response is signed in the HSM. Before the Online Responder is brought online, certutil -repairstore re-links the installed signing certificate to its HSM-resident private key, and the "Signature test passed" line in its output confirms that the key is usable through the CNG provider.
  • Compliance advantage: Keeping the OCSP signing key in CryptoHub helps you meet regulatory requirements for secure key management, such as FIPS 140-2 or other industry-specific standards.
  • Centralized key management: CryptoHub centralizes the storage and management of cryptographic keys, so the OCSP signing key is managed, audited and rotated in one place rather than on the OCSP server.
  • Operational resilience: CryptoHub supports high availability and failover, so revocation responses remain available even if an individual HSM node is unavailable.
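
The Standalone CA path described in the feature list (INF file plus certreq) and the certutil -repairstore check described under the benefits, worked as an added PowerShell example. This is not code from the Futurex guide or from Microsoft; the CNG provider name string, the CA configuration string, the subject name and the working directory are assumptions and must be replaced with your own values, and Enterprise CA enrollment from a certificate template is not shown.

```powershell
# Added example (not from the Futurex guide or Microsoft). Standalone CA flow:
# write an INF for an OCSP Response Signing key on the CNG provider, create and
# submit the request with certreq, install the issued certificate, and verify
# that it is bound to the HSM-resident key with certutil -repairstore.
#
# ASSUMED values (not from the page): provider name string, CA config string,
# subject and working directory. Confirm the provider name with: certutil -csplist

$ProviderName = 'Futurex FXCL KMES CNG'             # ASSUMED display name of the KSP
$CaConfig     = 'ca01.corp.example\Example-Root-CA'  # ASSUMED "CAHost\CAName"
$Subject      = 'CN=ocsp01.corp.example'             # ASSUMED responder name
$WorkDir      = 'C:\OCSP'                            # ASSUMED working directory

function New-OcspSigningInf {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('RSA', 'ECC')][string]$Algorithm = 'RSA'
    )
    # Pick the key type once and keep it consistent with the test certificate.
    $keyLines = if ($Algorithm -eq 'RSA') {
        "KeyAlgorithm = RSA`r`nKeyLength = 2048"
    } else {
        'KeyAlgorithm = ECDSA_P256'       # named curve: no KeyLength line
    }
    # Single-quoted here-string so "$Windows NT$" is not interpolated.
    $template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "{0}"
ProviderName = "{1}"
{2}
; 0x80 = digitalSignature; the key is created non-exportable in the machine context
KeyUsage = 0x80
Exportable = FALSE
MachineKeySet = TRUE
HashAlgorithm = sha256
RequestType = PKCS10

; 1.3.6.1.5.5.7.3.9 = OCSP Signing extended key usage
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.9

; id-pkix-ocsp-nocheck: clients do not check revocation of the responder cert itself
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
'@
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value ($template -f $Subject, $ProviderName, $keyLines) -Encoding Ascii
    return $Path
}

function New-OcspSigningRequest {
    param([Parameter(Mandatory)][string]$InfPath)
    $req = [IO.Path]::ChangeExtension($InfPath, '.req')
    # certreq -new asks the named CNG provider to generate the key pair; with the
    # Futurex KSP that happens inside CryptoHub and only the CSR touches disk.
    certreq -new $InfPath $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for $InfPath" }
    # On a Standalone CA the request is pended until an administrator issues it;
    # certreq prints the RequestId, which Install-OcspSigningCert needs.
    certreq -submit -config $CaConfig $req
    return $req
}

function Install-OcspSigningCert {
    param([Parameter(Mandatory)][int]$RequestId)
    $cer = Join-Path $WorkDir "ocsp-$RequestId.cer"
    certreq -retrieve -config $CaConfig $RequestId $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "request $RequestId has not been issued yet" }
    # -accept installs the certificate in the Local Machine store and links it
    # to the HSM key created by -new (matched on the public key).
    certreq -accept -machine $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $cer" }
    return $cer
}

function Test-OcspKeyBinding {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # -repairstore re-links the certificate to its private key through the
    # provider that holds it and runs a sign/verify test with that key, so
    # "Signature test passed" shows the key is usable from inside the HSM.
    $out  = (certutil -repairstore my $Thumbprint 2>&1) -join "`n"
    $ok   = ($LASTEXITCODE -eq 0) -and ($out -match 'Signature test passed')
    $prov = if ($out -match 'Provider = (.+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Thumbprint    = $Thumbprint
        Provider      = $prov
        OnExpectedKsp = ($prov -eq $ProviderName)
        NonExportable = [bool]($out -match 'Private key is NOT exportable')
        SignatureOK   = $ok
    }
}

# Usage (run elevated on the Online Responder host):
#   $inf = New-OcspSigningInf -Path (Join-Path $WorkDir 'ocsp-sign.inf') -Algorithm RSA
#   New-OcspSigningRequest -InfPath $inf        # note the RequestId the CA returns
#   Install-OcspSigningCert -RequestId 42       # once the CA administrator has issued it
#   Test-OcspKeyBinding -Thumbprint '<thumbprint of the installed certificate>'
```

Treat the certificate as ready for the Online Responder only when Test-OcspKeyBinding reports SignatureOK, NonExportable and OnExpectedKsp all true; a "Signature test passed" on the Microsoft Software Key Storage Provider would mean the key was generated in software, not in CryptoHub. For an ECC deployment call New-OcspSigningInf with -Algorithm ECC and issue the test certificate with the same algorithm, as the feature list requires.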