
What is the OCSP signing cert and key? Who should issue it?


So, if I have this:

I have set up OCSP for the domain cert only, so the OCSP URL is http://ocsp.example.com.

Now, I learnt to run an OCSP server with openssl:

openssl ocsp -host 127.0.0.5 -port 80 -rsigner "what_cert?.crt" -rkey "what_cert?.key" -CA "root_or_intermediate_which_one?.crt" -text -index certindex -ignore_err

127.0.0.5 points to ocsp.example.com

Now in that command, I learnt that those two are the OCSP signing cert and key:

openssl ocsp -host 127.0.0.5 -port 80 -rsigner "ocsp.crt" -rkey "ocsp.key" -CA "root_or_intermediate_which_one?.crt" -text -index certindex -ignore_err
                                                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                                                should it be the ROOT or the INTERMEDIATE?

Now, the next question is what is the OCSP signing certificate and key? Who should issue it?

Finally, these are the questions. I have set up OCSP for the domain cert only, so let me get appropriate instructions for it:


Solution

  • A single OCSP server can provide OCSP services for multiple CAs. To distinguish which target CA an incoming request is for, OCSP implements a revocation profile (or configuration) where the CA name ID or key ID (the latter is preferred) is used as the profile identifier. And for each profile you need a signing certificate issued by the same CA as referenced by the profile identifier.

    In your example, you have two CAs for which you may want to create OCSP revocation profiles:


    openssl ocsp -host 127.0.0.5 -port 80 -rsigner "ocsp_sig_root.crt" -rkey "ocsp_sig_root.key" -CA "root.crt" -text -index certindex -ignore_err
    

    where ocsp_sig_root.crt is the OCSP signing certificate signed by the root CA (the AKI extension in the signing cert MUST match the SKI in the root.crt file). ocsp_sig_root.key is the key associated with ocsp_sig_root.crt.


    # second responder instance, for the intermediate CA, with its own index file;
    # if it runs alongside the root-CA instance it needs a different -host/-port
    openssl ocsp -host 127.0.0.5 -port 80 -rsigner "ocsp_sig_subca.crt" -rkey "ocsp_sig_subca.key" -CA "subca.crt" -text -index certindex_subca -ignore_err
    

    where ocsp_sig_subca.crt is the OCSP signing certificate signed by the intermediate CA (the AKI extension in the signing cert MUST match the SKI in the subca.crt file). ocsp_sig_subca.key is the key associated with ocsp_sig_subca.crt. You will most likely want only this. There is very little value in implementing OCSP for root CAs, since their cert issuance/revocation volume is extremely low and a CRL is more efficient.

    That is, the OCSP responder will have a separate signing certificate for each CA it serves.