Key management section
This article describes how to configure key stores in the Nexus OCSP Responder configuration file. The respective OCSP responder must sign their responses using a key.
As the Nexus OCSP Responder is answering on behalf of the CA, compromise of the keys could have far going consequences, depending on the trust in the relationship between the CA and the Nexus OCSP Responder. Therefore you should take whatever measures necessary to protect the OCSP responder keys.
You can, for example, use Hardware Security Modules (see Set up hardware token.)
If the OCSP responder keys are compromised, there is an inherent problem in revoking them. A solution to this would be to have a very short life span for the OCSP responder certificates and have them reissued and reinstalled that often. When the keys are revoked, the CA cannot reissue the certificate any more.