Good afternoon,

In the documentation (https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Importing_the_Certificate) it shows how to load externally trusted CA certificate chains with the keytool. Is there a way to specify using a specific OCSP responder URI versus using the ones listed in the certificates, either with a Tomcat configuration or somehow set up locally on the OS? Our use case is that we want all clients to hit a local OCSP responder with the CRLs cached locally.
In version 21.0.5 of the Keytool, the man page mentions an ExtendedKeyUsage option for OCSPSigning, but I don’t believe that is exactly what we are looking for.