How can an OCSP Responder be configured to respond with its certificate chain
Can an OCSP responder be configured to return the complete certificate chain in its response and not just its certificate?
Specifically if the OCSP responder has a certificate for an intermediate CA and providing revocation status for that CA with an auto enrolled certificate using the OCSP Response template.
September 10th, 2012 6:22pm
Hi Steve,
Thanks for posting in Microsoft TechNet forums.
Please check the "Building the OCSP Signing Certificate Chain" part of the article below to see if it can be helpful to you:
Support for Independent OCSP Signer and Custom OCSP URLs
http://technet.microsoft.com/en-en/library/ee619784(v=ws.10).aspx
Regards
Kevin
September 10th, 2012 10:34pm
Can an OCSP responder be configured to return the complete certificate chain in its response and not just its certificate?
Specifically if the OCSP responder has a certificate for an intermediate CA and providing revocation status for that CA with an auto enrolled certificate using the OCSP Response template.
Unfortunately, the Windows OCSP Responder cannot return the entire certificate chain. Instead, you should install all intermediate certificates on the client. Since (usually) the OCSP signing certificate is signed by the same CA as the certificate to be verified, there should not be any issues with chain building.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 11th, 2012 3:16am
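Added example (not from this thread and not Microsoft's Online Responder code): it builds a throwaway PKI with the `cryptography` package, signs an OCSP response that carries only the signing certificate, as the answer above describes for Windows, and checks whether a client holding a given set of installed certificates can chain that signer to a root. All CA names and keys are constructed.

```python
# Constructed demo (not Microsoft's code): a Windows-style OCSP response that embeds only
# its signer certificate, and a client-side check for the issuer the client must install.
# Requires the `cryptography` package; every key, name and certificate below is made up.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
NOW = datetime.now(timezone.utc)

def make_cert(cn, key, issuer_cert=None, issuer_key=None, ca=False):
    """Issue a certificate for `key`; self-signed when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(issuer_cert.subject if issuer_cert else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())

# Hypothetical PKI: Root CA -> Intermediate CA -> (OCSP signing cert, end-entity cert)
root_key, int_key, ocsp_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
root = make_cert("Demo Root CA", root_key, ca=True)
inter = make_cert("Demo Intermediate CA", int_key, root, root_key, ca=True)
signer = make_cert("Demo OCSP Signer", ocsp_key, inter, int_key)
leaf = make_cert("host.example.test", leaf_key, inter, int_key)

def build_response(include_chain=False):
    """Sign a GOOD answer for `leaf`; embed only the signer (Windows behaviour) or signer + intermediate."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf, issuer=inter, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=NOW + timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer)
               .certificates([signer, inter] if include_chain else [signer]))
    return builder.sign(ocsp_key, hashes.SHA256()).public_bytes(Encoding.DER)

def missing_issuers(der, client_store):
    """Chain the response's signer to a self-signed root using embedded + installed certs; return what the client lacks."""
    resp = ocsp.load_der_ocsp_response(der)
    available = {c.subject.rfc4514_string(): c for c in list(resp.certificates) + list(client_store)}
    cert = resp.certificates[0]                      # the signing certificate comes first
    while cert.subject != cert.issuer:
        key = cert.issuer.rfc4514_string()
        if key not in available:
            return [key]                             # client cannot build the chain
        cert = available[key]
    return []
```

With only the root installed, the Windows-style response leaves the intermediate unresolved; installing the intermediate on the client (or embedding it in the response) clears the gap.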