Revocation Provider Signing

Applies To: Windows Server 2008 R2

The Signing tab on the Online Responder Properties page shows the hash algorithm that is used to help verify signing operations for Online Responder responses to clients.

The following signing options can be configured:

  • Do not prompt for credentials for cryptographic operations. If the signing key is strongly protected by an additional password, selecting this option means the Online Responder will not prompt the user for the password and will fail silently.


Do not select this option if a hardware security module (HSM) is used to protect private keys.

  • Automatically use renewed signing certificates. Instructs the Online Responder to automatically use renewed signing certificates without asking the Online Responder administrator to manually assign them.

  • Enable NONCE extensions support. Instructs the Online Responder to inspect and process an Online Certificate Status Protocol (OCSP) request that includes a nonce extension. If a nonce extension is included in the OCSP request and this option is selected, the Online Responder will ignore any cached OCSP response and will create a new response that includes the nonce provided in the request. If this option is disabled and a request that includes a nonce extension is received, the Online Responder will reject the request with an "unauthorized" error.


The Microsoft OCSP client does not support the nonce extension.

  • Use any valid OCSP signing certificate. By default, the Online Responder will only use signing certificates that are issued by the same certification authority (CA) that issued the certificate being validated. This option allows modifying the default behavior and instructs the Online Responder to use any valid existing certificate that includes the OCSP Signing EKU extension.


Clients running versions of Windows earlier than Windows Vista with Service Pack 1 (SP1) do not support this option, and certificate status requests from these clients will fail if this option is selected.

The following Online Responder identifier options can be used to select whether to include the key hash or the subject of the signing certificate in the response:

  • Key hash of the signing certificate. Some cryptographic service providers (CSPs) require the key hash of the signing certificate in order to access private keys.

  • Subject of the signing certificate. Some CSPs require the subject of the signing certificate in order to access private keys.

Additional references