CRLs are being used instead of OCSPs for external PKIs
We work with external customers and install their root CAs so that we can trust their S/MIME certificates, but I'm noticing that when running Outlook 2007 (32-bit) on Windows 7 (64-bit) our clients are not using the OCSP location when checking the revocation status of certificates from external entities. Instead I see network traffic going to the external CRL servers. This is a problem because some of the CRLs are 30-40Mb and Outlook will periodically fail. I can use certutil -url C:\path\to\external\users\smime\certificate.cer, check the OCSP status and get a very quick "Retrieved" status, so the issue seems to be that Outlook is doing the wrong thing. Internally we are not issuing S/MIME certificates, but we do issue client auth certificates for Exchange ActiveSync, and at the Threat Management Gateway I see that server doing the right thing with our internally issued certificates. Any advice or wisdom to impart?
June 17th, 2010 7:07pm

Hi,

First of all, please verify that the URL for the Online Responder is included in the authority information access (AIA) extension of certificates issued by the CA. To implement OCSP for previously issued certificates, please refer to the following article:

Optimizing the Revocation Experience
http://technet.microsoft.com/en-us/library/ee619783(WS.10).aspx

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 22nd, 2010 10:06am
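As an added example (not part of the thread), the following PowerShell script does what the reply above recommends and what the original poster was checking with certutil: it reads a certificate file, lists the OCSP and CA-issuer URLs found in its AIA extension next to the URLs in its CRL Distribution Points extension, and then asks CryptoAPI to fetch every URL in the chain. The certificate path is a placeholder, and the text parsing assumes the layout that X509Extension.Format() produces on Windows (the same layout certutil prints, with the access method OID on one line and "URL=" on a following line).

```powershell
# Added example: inspect the revocation endpoints a certificate advertises.
# Usage: .\Get-RevocationEndpoints.ps1 -CertPath C:\path\to\certificate.cer  (placeholder path)
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

function Get-RevocationEndpoints {
    param([string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    $result = [ordered]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        Ocsp      = @()   # OCSP responder URLs from AIA (access method 1.3.6.1.5.5.7.48.1)
        CaIssuers = @()   # CA certificate URLs from AIA (access method 1.3.6.1.5.5.7.48.2)
        Crl       = @()   # CRL Distribution Point URLs
    }

    # Authority Information Access, OID 1.3.6.1.5.5.7.1.1. Format($true) renders it as
    # multi-line text, e.g.:
    #     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
    #     Alternative Name:
    #          URL=http://ocsp.example.test
    # so we remember the most recent access method and attribute each URL line to it.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if ($aia) {
        $method = $null
        foreach ($line in ($aia.Format($true) -split "`r?`n")) {
            if ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.1') { $method = 'Ocsp';      continue }
            if ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.2') { $method = 'CaIssuers'; continue }
            if ($method -and $line -match 'URL=(\S+)')     { $result[$method] += $Matches[1] }
        }
    }

    # CRL Distribution Points, OID 2.5.29.31: every URL here is a candidate download
    # when the client decides (or is forced) to use a CRL instead of OCSP.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        foreach ($line in ($cdp.Format($true) -split "`r?`n")) {
            if ($line -match 'URL=(\S+)') { $result.Crl += $Matches[1] }
        }
    }

    [pscustomobject]$result
}

$endpoints = Get-RevocationEndpoints -Path $CertPath
$endpoints | Format-List

if (-not $endpoints.Ocsp) {
    # Without an OCSP URL in AIA the client has nothing but the CRL to consult,
    # which is the situation the reply asks you to rule out first.
    Write-Warning 'No OCSP responder URL in the AIA extension of this certificate.'
}

# Let the CryptoAPI chain engine (the one Outlook also relies on) fetch each AIA and
# CDP URL for the whole chain and report the outcome per URL.
certutil -verify -urlfetch $CertPath
```

If the certificate does carry an OCSP URL but the urlfetch output still shows the CRL being downloaded, the problem is in client-side chain building or caching rather than in the external CA's certificate profile, which is where the linked article's guidance applies.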
