What should you run on Server1?

Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1
has the Active Directory Certificate Services server role installed and is configured as a
standalone certification authority (CA).
You install a second server named Server2. You install the Online Responder role service
on Server2.
You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP)
Response Signing certificate to Server2.
What should you run on Server1?

A.
The certreq.exe command and specify the -policy parameter

B.
The certutil.exe command and specify the -getkey parameter

C.
The certutil.exe command and specify the -setreg parameter

D.
The certreq.exe command and specify the -retrieve parameter





Lostineurope

The command states that the certificate should use the same registry settings as the CA.

Joe

All of the articles on OCSP seem to reference certutil -setreg a number of times, so I agree with C.

Aahna

Same question, but the options are different:

A. The certutil.exe command and specify the -setreg parameter
B. The certreq.exe command and specify the -policy parameter
C. configure security for OCSP signing certificate template
D. Configure Issuance Requirements for OCSP signing certificate template

I don't know which one is the correct answer in these options... either A or C.

Joe

Has anyone else had the same answer combinations that Aahna had? This is the new variation of this question, and IMO the correct answer here is "C. Configure security for OCSP signing certificate template".
I have read the TechNet articles and this is very confusing. They mention the need to use the certutil command with the -setreg parameter for those cases in which you are using a 2003 CA server, which is not the case in any of the questions that I have come across.
Could anybody take a look at this please?

Jason

Should be "certutil.exe -setreg" if the question mentions a stand-alone CA.

If an enterprise CA is used, no additional configuration is required except for enabling the CA to issue certificates based on the OCSP Response Signing template. If a stand-alone CA is used, the following commands should be used to enable or disable the EDITF_ENABLEOCSPREVNOCHECK flag on the CA.
To enable the flag, run the following command:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
To disable the flag, run the following command:
certutil -v -setreg policy\editflags -EDITF_ENABLEOCSPREVNOCHECK
After enabling or disabling the flag, the CA should be restarted for the changes to take effect.

Frank

This is a totally bogus question. Certreq does NOT have a syntax of -setreg, only Certutil does. Ridiculous question. So the answers listed are all wrong.

BitterSysAdmin

Umm... the answer says Certutil -setreg...

Are your eyes ok?

MancaMulas

Since we're talking about a stand-alone CA in the question, the correct answer is C. Even for Aahna's question with different options, the answer is the same, "The certutil.exe command and specify the -setreg parameter", since it's about a stand-alone CA. If we were talking about an Enterprise CA, then the answer would be "configure security for OCSP signing certificate template" in Aahna's options.

Reference:

https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

Configuring the OCSP Response Signing certificate template
Starting in Windows Server 2008, a new certificate template is added to the available templates in Active Directory Domain Services (AD DS). The new template, named OCSP Response Signing, is a version 3 template preconfigured with the required extensions and attributes listed previously. No modifications are required to the template or to the CA.
Figure 13 illustrates the flow that determines the behavior of the policy module in Windows Server 2008 when processing a request for the OCSP Response Signing certificate.
Figure 13: OCSP Response Signing Certificate Request Processing

The EDITF_ENABLEOCSPREVNOCHECK flag is a new CA registry flag introduced in the Windows Server 2008–based CA. The new flag, which is not enabled by default, allows the CA policy module to issue certificates that include the id-pkix-ocsp-nocheck extension. The new OCSP Response Signing template includes an additional flag as well, named CT_FLAG_ADDREVNOCHECK, which instructs the policy module to add the id-pkix-ocsp-nocheck extension. If either the EDITF_ENABLEOCSPREVNOCHECK flag is enabled or the template includes the CT_FLAG_ADDREVNOCHECK flag, the policy module will search for an OCSP Signing EKU in the request and in the template. If both conditions are met, the policy module will add the id-pkix-ocsp-nocheck extension and will remove the authority information access and CRL distribution point extensions from the certificate. This flow allows the Windows Server 2008–based CA to issue an OCSP Response Signing certificate from an enterprise CA as well as from a stand-alone CA.
If an enterprise CA is used, no additional configuration is required except for enabling the CA to issue certificates based on the OCSP Response Signing template. If a stand-alone CA is used, the following commands should be used to enable or disable the EDITF_ENABLEOCSPREVNOCHECK flag on the CA.
To enable the flag, run the following command:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
To disable the flag, run the following command:
certutil -v -setreg policy\editflags -EDITF_ENABLEOCSPREVNOCHECK
After enabling or disabling the flag, the CA should be restarted for the changes to take effect.
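As an added verification script (not from this thread or the TechNet article), the following PowerShell can be run elevated on a stand-alone CA such as Server1 after the certutil -setreg change: it confirms the EDITF_ENABLEOCSPREVNOCHECK flag is set and inspects the certificate issued to the responder for the extensions the article says the policy module adds and removes. The certificate path in $IssuedCertPath is an assumed placeholder.

```powershell
# Added check script, not part of the original thread or article.
# Assumes the OCSP Response Signing certificate issued to Server2 was exported
# to the path below (assumed location; adjust to your environment).
$IssuedCertPath = 'C:\temp\server2-ocsp-signing.cer'

# 1. Is EDITF_ENABLEOCSPREVNOCHECK set on the CA policy module?
#    "certutil -v -getreg" prints the symbolic names of the EditFlags bits that are set,
#    so matching on the flag name avoids hard-coding its numeric value.
$editFlags   = certutil -v -getreg policy\editflags
$flagEnabled = [bool]($editFlags -match 'EDITF_ENABLEOCSPREVNOCHECK')
if ($flagEnabled) {
    Write-Host 'EDITF_ENABLEOCSPREVNOCHECK is enabled on this CA.'
} else {
    Write-Warning 'EDITF_ENABLEOCSPREVNOCHECK is NOT set; a stand-alone CA will not add id-pkix-ocsp-nocheck.'
    Write-Warning 'Enable it with: certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK, then Restart-Service CertSvc'
}

# 2. Does the issued certificate look like a proper OCSP Response Signing certificate?
#    Per the article: OCSP Signing EKU present, id-pkix-ocsp-nocheck present,
#    and the AIA and CRL Distribution Point extensions removed.
$OidOcspSigningEku = '1.3.6.1.5.5.7.3.9'     # id-kp-OCSPSigning
$OidOcspNoCheck    = '1.3.6.1.5.5.7.48.1.5'  # id-pkix-ocsp-nocheck
$OidAia            = '1.3.6.1.5.5.7.1.1'     # Authority Information Access
$OidCdp            = '2.5.29.31'             # CRL Distribution Points

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuedCertPath)
$extOids = @($cert.Extensions | ForEach-Object { $_.Oid.Value })
$ekuExt  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

$checks = [ordered]@{
    'OCSP Signing EKU present'       = ($ekuOids -contains $OidOcspSigningEku)
    'id-pkix-ocsp-nocheck present'   = ($extOids -contains $OidOcspNoCheck)
    'AIA extension removed'          = -not ($extOids -contains $OidAia)
    'CRL Distribution Point removed' = -not ($extOids -contains $OidCdp)
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Host ('{0,-32} {1}' -f $name, $status)
}
```

A FAIL on the nocheck or AIA/CDP rows after enabling the flag usually means the CA service was not restarted before the certificate was issued, or the request did not carry the OCSP Signing EKU.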