How can an OCSP Responder be configured to respond with its certificate chain
Can an OCSP responder be configured to return the complete certificate chain in its response and not just its certificate? Specifically, if the OCSP responder has a certificate for an intermediate CA and is providing revocation status for that CA with an auto-enrolled certificate using the OCSP Response template.
September 10th, 2012 6:22pm

Hi Steve,

Thanks for posting in Microsoft TechNet forums. Please check the "Building the OCSP Signing Certificate Chain" part of the article below to see if it can be helpful to you:

Support for Independent OCSP Signer and Custom OCSP URLs
http://technet.microsoft.com/en-en/library/ee619784(v=ws.10).aspx

Regards
Kevin
September 10th, 2012 10:34pm

> Can an OCSP responder be configured to return the complete certificate chain in its response and not just its certificate? Specifically, if the OCSP responder has a certificate for an intermediate CA and is providing revocation status for that CA with an auto-enrolled certificate using the OCSP Response template.

Unfortunately, the Windows OCSP Responder cannot return the entire certificate chain. Instead, you should install all intermediate certificates on the client. Since (usually) the OCSP signing certificate is signed by the same CA as the certificate to be verified, there should not be any issues with chain building.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 11th, 2012 3:16am
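
A client-side check for the situation described in the reply above, as an added PowerShell example that is not part of the original thread: it confirms that the OCSP signing certificate and the certificate being verified share an issuer, that the signer carries the OCSP Signing EKU, and that the signer's chain builds on this client. The function name `Test-OcspSignerChain` and all file names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Paths point to exported .cer files (placeholders).
function Test-OcspSignerChain {
    param(
        [Parameter(Mandatory)][string]$SignerCertPath,  # OCSP signing certificate
        [Parameter(Mandatory)][string]$TargetCertPath   # certificate whose status is checked
    )
    $ns     = 'System.Security.Cryptography.X509Certificates'
    $signer = New-Object "$ns.X509Certificate2" (Resolve-Path $SignerCertPath).Path
    $target = New-Object "$ns.X509Certificate2" (Resolve-Path $TargetCertPath).Path

    # The reply assumes signer and target are issued by the same CA:
    # compare the encoded issuer names byte for byte.
    $sameIssuer = [Convert]::ToBase64String($signer.IssuerName.RawData) -eq
                  [Convert]::ToBase64String($target.IssuerName.RawData)

    # The signer must carry the OCSP Signing EKU (1.3.6.1.5.5.7.3.9).
    $eku = $signer.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasOcspEku = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.9'

    # Test chain building only, not revocation. Note: Windows may also fetch
    # missing issuers through AIA URLs if they are reachable from this client.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($signer)

    [pscustomobject]@{
        SignerSubject  = $signer.Subject
        SameIssuer     = $sameIssuer
        HasOcspSignEku = $hasOcspEku
        ChainBuilds    = $built
        ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainSubjects  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Example use (placeholder file names):
#   Test-OcspSignerChain -SignerCertPath .\ocsp-signer.cer -TargetCertPath .\server.cer
# If ChainStatus contains PartialChain, install the missing intermediate CA
# certificate into the Intermediate Certification Authorities store (elevated prompt):
#   Import-Certificate -FilePath .\issuing-ca.cer -CertStoreLocation Cert:\LocalMachine\CA
```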

This topic is archived. No further replies will be accepted.
