A Discretionary CA is created by providing XenMobile with a CA
certificate and the associated private key. XenMobile will handle certificate
issuance, revocation, and status information internally, according to the
parameters you specify. However, XenMobile will never store the private keys of
issued certificates, and so will not offer escrow services. Status information
for certificates issued by a discretionary CA.
When configuring a Discretionary CA, you will have the option to
activate OCSP support for that CA. If, and only if, OCSP support is enabled,
the CA will add an id-pe-authorityInfoAccess extension to the certificates it
issues, pointing to XenMobile's internal OCSP Responder located at:
When configuring the OCSP service, you will have to specify an OCSP
signing certificate for the Discretionary Entity in question. You can use the
CA certificate itself as the signer. If you wish to avoid the unnecessary
exposure of your CA’s private key (recommended), you will have to create a
delegate OCSP signing certificate, signed by the CA certificate and including
an id-kp-OCSPSigning extendedKeyUsage extension.
The XenMobile OCSP Responder service supports Basic OCSP responses and
the following hashing algorithms in requests:
Responses are signed with SHA-256 and the signing certificate’s key
algorithm (DSA, RSA or ECDSA).
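The pieces described above (the AIA pointer in issued certificates, the delegate OCSP signer carrying id-kp-OCSPSigning, and the SHA-256-signed Basic response) fit together as in the following added example. It is not XenMobile code and not Citrix's implementation; it is a self-contained model written with the `cryptography` Python package in which all keys and names are generated on the fly and the responder URL is a constructed placeholder, since the real location is not given on this page. The client-side `verify_response` shows the check that makes delegation safe: a response is accepted only if it is signed by the CA itself or by a CA-issued certificate that carries id-kp-OCSPSigning, so an ordinary end-entity certificate issued by the same CA cannot vouch for revocation status.

```python
# Added example, not XenMobile code: a Discretionary-CA-style PKI with a delegate
# OCSP signer, a device cert carrying the AIA pointer, one OCSP exchange, and the
# client-side check of who may sign the response. Needs the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

OCSP_URL = "http://xenmobile.example.invalid/ocsp"  # constructed placeholder, not the real URL
DER, OCSP_SIGNING = serialization.Encoding.DER, ExtendedKeyUsageOID.OCSP_SIGNING
_now = lambda: datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def issue(cn, pub, issuer, issuer_key, *exts):
    """One-year cert for `pub`, signed with SHA-256; self-signed when issuer is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).public_key(pub)
         .issuer_name(issuer.subject if issuer else name)
         .serial_number(x509.random_serial_number())
         .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=365)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_pki():
    """Return (ca, ca_key, delegate_signer, signer_key, device_cert); all keys constructed."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = issue("Discretionary CA", ca_key.public_key(), None, ca_key,
               (x509.BasicConstraints(ca=True, path_length=0), True))
    # Delegate signer: CA-issued and marked id-kp-OCSPSigning, so the CA key never signs responses.
    s_key = ec.generate_private_key(ec.SECP256R1())
    signer = issue("OCSP Responder", s_key.public_key(), ca, ca_key,
                   (x509.ExtendedKeyUsage([OCSP_SIGNING]), False))
    # Device cert: id-pe-authorityInfoAccess tells clients where the responder lives.
    d_key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    device = issue("device-0001", d_key.public_key(), ca, ca_key, (aia, False))
    return ca, ca_key, signer, s_key, device

def ocsp_urls(cert):
    """The responder URLs a client would read from the certificate's AIA extension."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]

def answer_request(req_der, ca, signer, signer_key, device):
    """Responder: Basic OCSP response with status GOOD, signed with SHA-256."""
    req = ocsp.load_der_ocsp_request(req_der)
    now = _now()
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=device, issuer=ca, algorithm=req.hash_algorithm,
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                          next_update=now + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, signer)
            .certificates([signer]).sign(signer_key, hashes.SHA256()))
    return resp.public_bytes(DER)

def _ecdsa_ok(pub, sig, data, alg):
    try:
        pub.verify(sig, data, ec.ECDSA(alg))
        return True
    except InvalidSignature:
        return False

def verify_response(resp_der, ca):
    """Client: return the status name only when the signer is the CA itself or a
    CA-issued cert carrying id-kp-OCSPSigning (RFC 6960 4.2.2.2); otherwise None."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    for cand in [ca, *resp.certificates]:
        if not _ecdsa_ok(cand.public_key(), resp.signature, resp.tbs_response_bytes,
                         resp.signature_hash_algorithm):
            continue  # not the key that produced this signature
        if cand == ca:
            return resp.certificate_status.name
        try:
            eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return None
        delegated = OCSP_SIGNING in eku and _ecdsa_ok(
            ca.public_key(), cand.signature, cand.tbs_certificate_bytes, cand.signature_hash_algorithm)
        return resp.certificate_status.name if delegated else None
    return None

def demo():
    ca, ca_key, signer, s_key, device = build_pki()
    req_der = (ocsp.OCSPRequestBuilder().add_certificate(device, ca, hashes.SHA256())
               .build().public_bytes(DER))
    r_key = ec.generate_private_key(ec.SECP256R1())  # CA-issued but without the OCSPSigning EKU
    rogue = issue("not-a-responder", r_key.public_key(), ca, ca_key)
    return {"ocsp_urls": ocsp_urls(device),
            "via_delegate": verify_response(answer_request(req_der, ca, signer, s_key, device), ca),
            "via_ca": verify_response(answer_request(req_der, ca, ca, ca_key, device), ca),
            "via_rogue": verify_response(answer_request(req_der, ca, rogue, r_key, device), ca)}
```

Running `demo()` returns GOOD for both the delegate-signed and the CA-signed responses and `None` for the response signed by the CA-issued certificate that lacks id-kp-OCSPSigning; that last case is exactly why the EKU matters when you choose a delegate signer instead of the CA key.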