I don't think the first option is available in my environment... the CAs will have no direct access from the internet, which is part of the reason we are using the OCSP responder.
The second option is not favored because I believe it would require distributing the OCSP responder certificate to all the client applications.
Which leaves the third option. I have tried going through the wizard in pkiconsole on the OCSP responder and creating OCSP signing certificate requests for each of the CAs we are using, requesting them using the Manual OCSP Manager Signing Certificate profiles on each CA and loading the signed cert back in through the wizard. But whenever it sends an OCSP response it does not seem to pick the right key to sign the response. Is there some step I am missing to link keys with CAs? Is this even supported in Dogtag?
Any help or pointers would be appreciated.
Thanks