Externalizing your OCSP service to a Validation Authority (VA) provides several benefits:

  • Security: separating the validation service from the CA lets the CA sit behind a firewall that allows no incoming connections at all, while the VA(s) reside in the DMZ and take all OCSP traffic.
  • Availability: with the VA externalized, maintenance can be performed even on an unclustered CA without any downtime for the OCSP service.
  • Performance: although the OCSP responder itself is fast, load on a VA infrastructure can be extremely high at times. Several VA nodes can be set up to answer for the same CA behind a load balancer, and VA nodes can be placed geographically close to the clients to keep round-trip time (RTT) minimal.
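The split described above only works if the VA can sign OCSP responses without access to the CA's private key. The standard mechanism for that is a delegated responder certificate (RFC 6960, section 4.2.2.2): the CA issues the VA a certificate carrying the id-kp-OCSPSigning extended key usage, and relying parties accept a response signed by that certificate only after checking the delegation. The Python script below is an added example, not EJBCA's own code, and walks through all three parties: the CA site issues the certificates, the VA answers out of a replicated status database with its own key, and the client verifies the signer, the serial, the nonce and the validity window. The names (`Example Issuing CA`, `server.example`, `ocsp.example`), the lifetimes, the in-memory dict standing in for the VA's replicated status data, and the VA key being generated at the CA site (in practice the VA generates it and submits a CSR) are assumptions of the example; it needs the `cryptography` package.

```python
"""Delegated OCSP signing for an externalized Validation Authority (VA).  Added
example, not EJBCA code: the CA key stays behind the firewall and signs only
certificates (one of them a short-lived OCSP-signing cert for the VA); the VA in
the DMZ signs responses with its own key; clients verify that delegation."""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC, DAY = timezone.utc, timedelta(days=1)

def _issue(cn, issuer_cert, issuer_key, key, days, exts=()):
    """Sign a certificate; issuer_cert=None gives a self-signed CA."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer_cert.subject if issuer_cert else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(datetime.now(UTC) - DAY)
         .not_valid_after(datetime.now(UTC) + days * DAY))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_ca_site():
    """CA side, behind the firewall: the only place the CA key is ever used.
    Names and lifetimes are constructed; the VA key is made here for brevity."""
    ca_key, ee_key, va_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _issue("Example Issuing CA", None, ca_key, ca_key, 3650,
                [(x509.BasicConstraints(ca=True, path_length=None), True)])
    ee = _issue("server.example", ca, ca_key, ee_key, 365)
    va = _issue("ocsp.example", ca, ca_key, va_key, 30, [  # short-lived, RFC 6960 4.2.2.2
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
        (x509.OCSPNoCheck(), False)])  # clients need not OCSP-check the VA cert itself
    return ca, ee, ee_key, va, va_key  # exported to the DMZ: ca, va, va_key; never ca_key

def client_request(cert, issuer, nonce):
    return (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256())
            .add_extension(x509.OCSPNonce(nonce), critical=False)
            .build().public_bytes(Encoding.DER))

def va_respond(request_der, status_db, issuer, signer_cert, signer_key):
    """VA side, in the DMZ: answer from the replicated status data; no CA key here."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert, status, revoked_at = status_db[req.serial_number]
    t = datetime.now(UTC)
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert, issuer, req.hash_algorithm, status, t, t + DAY, revoked_at, None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
         .certificates([signer_cert]))  # ship the delegation chain to the client
    for ext in req.extensions:  # echo the nonce so the client can detect replay
        if isinstance(ext.value, x509.OCSPNonce):
            b = b.add_extension(ext.value, critical=False)
    return b.sign(signer_key, hashes.SHA256()).public_bytes(Encoding.DER)

def client_check(cert, issuer, response_der, nonce):
    """Relying party: accept only a fresh, nonce-bound response from a delegated signer."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    signer = next((c for c in resp.certificates if c.issuer == issuer.subject), None)
    eku = next((e.value for e in (signer.extensions if signer else [])
                if isinstance(e.value, x509.ExtendedKeyUsage)), [])
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:  # any other CA-issued cert is not enough
        raise ValueError("signer is not a delegated OCSP responder of the issuing CA")
    issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                               ec.ECDSA(signer.signature_hash_algorithm))
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is for another certificate")
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        raise ValueError("nonce mismatch: replayed or cached response")
    nxt = getattr(resp, "next_update_utc", None) or resp.next_update.replace(tzinfo=UTC)
    if datetime.now(UTC) > nxt:  # stale answers are the other replay vector
        raise ValueError("response past its nextUpdate")
    return resp.certificate_status

def run_scenario():
    """Good answer, a revocation propagated to the VA, and two attacks rejected."""
    ca, ee, ee_key, va, va_key = build_ca_site()
    db = {ee.serial_number: (ee, ocsp.OCSPCertStatus.GOOD, None)}  # replicated to the VA
    out, n1, n2 = {}, os.urandom(16), os.urandom(16)
    good = va_respond(client_request(ee, ca, n1), db, ca, va, va_key)
    out["good"] = client_check(ee, ca, good, n1).name
    db[ee.serial_number] = (ee, ocsp.OCSPCertStatus.REVOKED, datetime.now(UTC))  # CA revokes
    out["revoked"] = client_check(
        ee, ca, va_respond(client_request(ee, ca, n2), db, ca, va, va_key), n2).name
    attacks = {"replay": (good, os.urandom(16)),  # stale GOOD answer, fresh client nonce
               "forged": (va_respond(client_request(ee, ca, n2), db, ca, ee, ee_key), n2)}
    for label, (resp, n) in attacks.items():  # forged: signed by a non-delegated CA-issued cert
        try:
            client_check(ee, ca, resp, n)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    return out  # {'good': 'GOOD', 'revoked': 'REVOKED', 'replay': 'rejected', 'forged': 'rejected'}
```

Two consequences of this design are worth keeping in mind when sizing the DMZ deployment. First, a VA key compromised in the DMZ can only produce responses until its OCSP-signing certificate expires, which is why that certificate is issued short-lived and rotated rather than given the CA's own lifetime. Second, many clients do not send a nonce, so for them a signed GOOD answer remains replayable until its nextUpdate; keeping VA response lifetimes short limits that window at the cost of more signing load on the VA nodes.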

For more details, see: https://doc.primekey.com/ejbca/ejbca-introduction/ejbca-architecture/external-ocsp-responders