Question

I had trouble confirming this online: are the OCSP server URLs specified in the X509 certificate of the CA, like CRLs, or must they be specified out of band by the network administrator? How does the verifier know which OCSP server to use to verify a given certificate (assuming we have its certificate path)?

Solution

The Authority Information Access (AIA) details in an X.509 certificate will describe the location of the OCSP server.

The certificate authority that issued the certificate will have added the OCSP information to the certificate issued to the entity. The requester of the certificate has no choice over this and thus cannot hide the presence of the OCSP server.

OCSP clients can parse the certificate, note the presence of an OCSP AIA entry and make the validation request.
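As an added illustration (not part of the original answer), the Go program below shows both sides of this: an issuer placing an OCSP URL in the AIA extension, and a client decoding the raw extension to find it. The host names, URLs and all-zero test key are constructed, the certificate is self-signed for brevity, and `ocspURLs` and `issueSample` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ocspURLs decodes the AIA extension by hand and returns the URI of every id-ad-ocsp entry.
func ocspURLs(cert *x509.Certificate) ([]string, error) {
	var urls []string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}) { // id-pe-authorityInfoAccess
			var aia []struct{ Method asn1.ObjectIdentifier; Location asn1.RawValue } // SEQUENCE OF AccessDescription
			if _, err := asn1.Unmarshal(ext.Value, &aia); err != nil {
				return nil, fmt.Errorf("malformed AIA extension: %w", err)
			}
			for _, ad := range aia { // keep id-ad-ocsp entries whose location is a URI, GeneralName tag [6]
				if ad.Method.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}) && ad.Location.Class == asn1.ClassContextSpecific && ad.Location.Tag == 6 {
					urls = append(urls, string(ad.Location.Bytes))
				}
			}
		}
	}
	return urls, nil
}

// issueSample self-signs a constructed test certificate; the issuer alone decides the AIA URLs.
func issueSample(ocsp, caIssuers []string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway all-zero test key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"constructed.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), OCSPServer: ocsp, IssuingCertificateURL: caIssuers}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := issueSample([]string{"http://ocsp.ca.example"}, []string{"http://ca.example/ca.crt"})
	if err != nil {
		panic(err)
	}
	fmt.Println(ocspURLs(cert))
}
```

Go's `crypto/x509` exposes the same values as `cert.OCSPServer`; a certificate with no AIA extension, or with only a CA Issuers entry, yields an empty list, and the client then needs a locally configured responder.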

Licensed under: CC-BY-SA with attribution