OCSP Server not checking CRL
Hi, I have a Win 2008 R2 enterprise PKI architecture with a CA and a dedicated OCSP responder. I've set the responder to access the CRL from AD LDAP, and in the Online Responder utility it shows that the revocation configuration is working fine. The problem is that when I revoke a certificate, republish the CRL and send an OCSP request to verify the revoked certificate's status, I still get the "good" response. I have tried changing the CRL refresh period in the Online Responder utility to 5 minutes and changed the value of the web cache to 1, but still no success, and I won't get a "revoked" response unless I refresh the revocation data on the Online Responder manually. I have checked the AD LDAP using the Softerra LDAP browser, and the new CRL is being published and the revoked certificates exist in the CRL. It seems the Online Responder does not check for new CRLs. Thanks in advance.
May 7th, 2012 3:15am

The OCSP Responder maintains its own internal cache for CRLs. Depending on the revocation configuration, a cached CRL may be used until it expires (the OCSP Responder will not look up newer CRLs until the existing one has expired). You can adjust the cache refresh to a smaller period (this is configured in the revocation provider tab where you configure CRL URLs).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 7th, 2012 3:28am

Yes. As I said in my previous post, I've set the cache refresh period to the smallest period possible, 5 minutes, but still the Online Responder does not check the CRL.
May 7th, 2012 3:32am

Yes, you set it to check every five minutes, but it has cached a response that is good for the TTL of the CRL it based its decision on. Think of OCSP responses as mini-CRLs. Once you have a response, you will cache it at the client for the remainder of its TTL. Turning these up to every 5 minutes will not work if you are testing from the same client. It will help a *new* client, but not an existing one.

Brian
May 7th, 2012 9:14am
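As an added example (not part of Brian's post or anything else in this thread): the client-side steps his point implies, written as PowerShell for the Windows client that keeps receiving "good". The certificate path is a hypothetical placeholder; the commands are standard certutil switches.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on
# the client that keeps getting "good". $CertPath is a hypothetical placeholder
# for the revoked certificate exported from the CA.
$CertPath = 'C:\test\revoked.cer'

# 1. See what CryptoAPI has cached for this user. A cached OCSP response is a
#    signed answer with its own thisUpdate/nextUpdate window, so it is reused
#    until nextUpdate no matter how often the responder refreshes its CRL.
certutil -urlcache

# 2. Throw away the cached CRLs and OCSP responses ...
certutil -urlcache * delete
# ... and tell every process to drop the chain cache it keeps in memory.
certutil -setreg chain\ChainCacheResyncFiletime @now

# 3. Verify again, forcing fresh AIA/CDP/OCSP retrieval. The full output is
#    long; keep only the lines that say where the revocation status came from.
$report = certutil -verify -urlfetch $CertPath
$report | Select-String -Pattern 'REVOKED|Revocation|OCSP'
```

The URL cache is per user profile, so a service account (an IIS application pool, for instance) that is still answering "good" has its own cache; run the same delete under that identity, or wait for the nextUpdate of the response it holds. Clearing the client only helps if the responder itself has already picked up the new CRL, which is the other half of the thread.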

The problem is solved. It seems that it was caused by the OS clock times of the OCSP Responder, CA and client not being synchronized. After setting the "cache entries" value to 1 and synchronizing the OS clocks, I could get the "revoked" response after a maximum of five minutes, even from the same client.
May 12th, 2012 9:05am
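As an added example (not part of the original post or its resolution): a read-only PowerShell check, run on the Online Responder, of the two things this thread ended up touching, the responder's revocation and web-proxy settings and the clock offset against the CA. It uses the CertAdm.OCSPAdmin COM interface that the Online Responder snap-in itself drives; the host names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run as an Online Responder administrator.
# $ResponderHost and $CaHost are hypothetical placeholders.
$ResponderHost = 'ocsp01'
$CaHost        = 'ca01'

# CertAdm.OCSPAdmin is the COM interface behind the Online Responder snap-in;
# $true asks for the live configuration rather than a cached copy.
$admin = New-Object -ComObject 'CertAdm.OCSPAdmin'
$admin.GetConfiguration($ResponderHost, $true)

# Service-wide settings. MaxNumOfCacheEntries is the "cache entries" value on
# the Web Proxy tab that the thread ends up setting to 1.
"== Service properties on $ResponderHost"
foreach ($p in $admin.OCSPServiceProperties) {
    "{0,-26} {1}" -f $p.Name, ($p.Value -join ', ')
}

# Per revocation configuration: where the CRL is fetched from (BaseCrlUrls,
# DeltaCrlUrls) and how often the responder goes back for a new one.
# RefreshTimeOut is stored in milliseconds; the snap-in shows it in minutes.
foreach ($cfg in $admin.OCSPCAConfigurationCollection) {
    "== Revocation configuration: $($cfg.Identifier)"
    foreach ($p in $cfg.ProviderProperties) {
        $value = $p.Value
        if ($p.Name -eq 'RefreshTimeOut') { $value = "$value ms ($($value / 60000) min)" }
        "{0,-26} {1}" -f $p.Name, ($value -join ', ')
    }
}

# The fix in this thread was clock sync: CRLs and OCSP responses carry
# thisUpdate/nextUpdate timestamps, so a skewed clock on any of the three hosts
# changes which cached data still looks fresh. Compare this host with the CA
# and show the local time service state.
w32tm /stripchart "/computer:$CaHost" /samples:3 /dataonly
w32tm /query /status
# w32tm /resync   # force a sync with the configured time source if the offset is large
```

Run the same w32tm comparison on the client as well; an offset on any one of the three hosts is enough to keep a stale "good" looking valid. The COM object also exposes SetConfiguration for writing settings back, but the script above deliberately only reads.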

