
My question is whether or not I still need to configure the following AIA location on my subordinate CA when I'm using OCSP:

http://SERVERFQN/DIRECTORY/<Serverdnsname>_<Caname><Certificatename>.crt

With the flag "include in AIA of issued certificates" enabled.

Or will http://SERVERFQDN/OCSP with the OCSP flag suffice?

1 Answer


The two provide different services, described in RFC 5280 Section 4.2.2.1

id-ad-caIssuer is an extension which allows clients to find the CA certificate when servers have been incorrectly configured, thereby allowing them to build the certificate chain. Servers should send the full chain (less the root certificate) to the client during handshakes as specified in RFC 5246 Section 7.4.2, but if they don't, this extension helps.

The id-ad-ocsp extension points clients to the OCSP responder, which they can use to check the revocation status of the certificate.

garethTheRed
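To make the distinction in the answer concrete, here is an added example (not part of the original question or answer, and not the answerer's code) that builds and decodes an RFC 5280 AuthorityInfoAccess extension value using only the Python standard library. It encodes the two access methods the answer names, id-ad-caIssuers (1.3.6.1.5.5.7.48.2) and id-ad-ocsp (1.3.6.1.5.5.7.48.1), then decodes them back and reports what a relying party can do with each: fetch the issuing CA certificate to repair an incomplete chain, or query an OCSP responder. The hostnames and paths are constructed placeholders, and the DER helpers are deliberately minimal (definite lengths, URI GeneralNames only); they are not a general X.509 parser.

```python
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # accessLocation is an OCSP responder
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessLocation serves the issuing CA cert

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: context-specific [6], primitive


def _der_len(n):
    """DER definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])        # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(TAG_OID, bytes(out))


def build_aia(entries):
    """entries: iterable of (accessMethod OID, URL).
    Returns DER AuthorityInfoAccessSyntax: SEQUENCE OF AccessDescription."""
    descs = b"".join(
        _der(TAG_SEQUENCE, _encode_oid(oid) + _der(TAG_URI, url.encode("ascii")))
        for oid, url in entries
    )
    return _der(TAG_SEQUENCE, descs)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, want):
    tag, val, nxt = _read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return val, nxt


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]  # adequate for the 1.3.x arcs used here
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(der):
    """Map each accessMethod OID to the list of URI accessLocations it carries."""
    seq, _ = _expect(der, 0, TAG_SEQUENCE)
    found, pos = {}, 0
    while pos < len(seq):
        desc, pos = _expect(seq, pos, TAG_SEQUENCE)
        oid_raw, p = _expect(desc, 0, TAG_OID)
        tag, loc, _ = _read_tlv(desc, p)
        if tag != TAG_URI:
            continue  # other GeneralName forms are of no use to an HTTP client
        found.setdefault(_decode_oid(oid_raw), []).append(loc.decode("ascii"))
    return found


def client_capabilities(parsed):
    """What a relying party can do with the decoded AIA: fetch the issuer
    certificate to repair an incomplete chain, and/or ask an OCSP responder."""
    return {
        "can_fetch_issuer": bool(parsed.get(ID_AD_CA_ISSUERS)),
        "can_check_ocsp": bool(parsed.get(ID_AD_OCSP)),
    }


# Constructed sample: a CA that publishes both access methods ...
FULL_AIA = build_aia([
    (ID_AD_CA_ISSUERS, "http://pki.example.test/pki/issuing-ca.crt"),
    (ID_AD_OCSP, "http://pki.example.test/ocsp"),
])
# ... versus one that only published the OCSP responder location.
OCSP_ONLY_AIA = build_aia([(ID_AD_OCSP, "http://pki.example.test/ocsp")])

if __name__ == "__main__":
    for label, der in (("both methods", FULL_AIA), ("OCSP only", OCSP_ONLY_AIA)):
        decoded = parse_aia(der)
        print(label, decoded, client_capabilities(decoded))
```

Decoding the OCSP-only value shows the practical consequence of dropping the caIssuers entry: the client can still check revocation, but if the server omits the intermediate from its handshake there is no longer a URL from which to fetch it, so chain building fails for clients that rely on AIA fetching.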