How to set up an OCSP server for a private CA, and a few related queries


I have generated my private Root CA and then an Intermediate CA, which is being used for signing certificates rather than the Root CA directly. Now I want to set up an OCSP server, hence I have certain queries.

  • Since I am using an Intermediate CA, shall I use the Int CA to generate the CSR and generate the CRT? Or should the Root be used for generating the OCSP crt? I am planning to cater for around 400-500 servers' certificates, hence I am wondering if one OCSP server should suffice for my need to check for revocation. Can anyone tell me if nginx can be used directly for setting up an OCSP server, or do I need to use the openssl ocsp API only?

There is 1 answer

0
SkateScout On

You would normally use a dedicated Int CA for generating the CSR. The Root is like a holy grail and should be kept in a safe location, preferably offline. One OCSP server can handle it as long as you do not need HA. But it is not the server count that is important but how many clients you expect, since not all of them can handle OCSP stapling. You certainly need the openssl API since nginx will not handle the crypto stuff out of the box.
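
The setup discussed above, as an added example that is not part of the original question or answer: a dedicated OCSP signing certificate issued by the intermediate, and `openssl ocsp` answering from an index file before and after a revocation. The throwaway PKI, file names, serial numbers, responder URL and port 2560 are all constructed for the demo.

```sh
# Added example: throwaway PKI in a temp dir; names, serials, URL and port are constructed.
set -eu
work=$(mktemp -d) && cd "$work"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
authorityInfoAccess = OCSP;URI:http://ocsp.example.internal:2560
EOF
# issue NAME SECTION SIGNER SERIAL: new key and CSR for NAME, certificate signed by SIGNER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "$4" \
    -days 30 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}
# write_index V|R: one-row 'openssl ca' database for serial 1001 (tab-separated:
# status, expiry, revocation time, serial, file name, subject).
write_index() {
  rev=""; [ "$1" = R ] && rev=$(date -u +%y%m%d%H%M%SZ)
  printf '%s\t350101000000Z\t%s\t1001\tunknown\t/CN=leaf\n' "$1" "$rev" > index.txt
}
# status_of CERT: build a request, answer it from index.txt with the delegated
# OCSP key, verify the signed response against the chain, print the status.
status_of() {
  openssl ocsp -issuer int.crt -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  # Responder side; as a network service, replace -reqin/-respout with -port 2560.
  openssl ocsp -index index.txt -CA int.crt -rsigner ocsp.crt -rkey ocsp.key \
    -reqin req.der -respout resp.der -ndays 1 >/dev/null 2>&1
  out=$(openssl ocsp -respin resp.der -issuer int.crt -cert "$1" -no_nonce -CAfile chain.pem 2>&1)
  echo "$out" | grep -q 'Response verify OK' || return 1
  echo "$out" | sed -n "s|^$1: ||p"
}
openssl req -x509 -new -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
  -subj "/CN=root" -days 30 -keyout root.key -out root.crt 2>/dev/null
issue int v3_ca root 0x01
issue ocsp v3_ocsp int 0x02      # dedicated responder certificate from the intermediate
issue leaf v3_leaf int 0x1001    # stands in for one of the server certificates
cat root.crt int.crt > chain.pem
write_index V; echo "before revocation: $(status_of leaf.crt)"
write_index R; echo "after revocation:  $(status_of leaf.crt)"
```

In a real deployment `index.txt` is the database maintained by `openssl ca` for the intermediate, and the root key is needed only once, to sign the intermediate.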