hi all, another question for you
2-tier PKI hierarchy with an offline root and 2 subordinate Enterprise CAs in different domains (also different forests; let's call them domain1 and domain2).
We have an OCSP array in domain1 and that all works well. We are now looking to set up domain2 to also use OCSP. I think there are two main scenarios we can pursue
1) Install a new OCSP server in domain2
2) Create a new revocation config in the OCSP server in domain1
Option 2 is our preference, although I'm sure option 1 is technically a better solution (we have some internal reasons to want to keep it to one OCSP server). So creating the config for the new domain seems easy enough, but how do I install an OCSP signing certificate from domain2 on the OCSP server in domain1? Will it be a manual enrolment (and if so, what about the validity period then? If it's set to the 2-week default we would have to manually renew every 2 weeks; any issue increasing it?).
thanks in advance!