Online Responder Issue.
Hi,
I need help from someone who has knowledge of the Online Responder.
I configured OCSP and a CA on a 2008 machine which is a domain machine.
Now using the CA I created a user certificate and installed it in my browser. I logged into our application successfully with this certificate.
After logging in I went through the log (PKI LOG) to see how validation is done through the online provider and observed the following log. Can anyone who has knowledge please check and let me know whether the online provider is configured properly or not.
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
          Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
          Serial Number: 158DAF2F00000000001D
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 8718B9C4C080287F690592AB9EB8EBF19832F407
    Produced At: Jun  4 08:10:26 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
      Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
      Serial Number: 158DAF2F00000000001D
    Cert Status: good
    This Update: Jun  4 06:22:58 2010 GMT
    Next Update: Jun  5 18:42:58 2010 GMT

    Response Single Extensions:
        1.3.6.1.4.1.311.21.4:
            .
100605063258Z
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:29:5b:f5:00:00:00:00:00:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=balaca, CN=balaca-MARS-CA
        Validity
            Not Before: Jun  3 06:47:32 2010 GMT
            Not After : Jun  2 06:47:32 2012 GMT
        Subject: CN=Mars.balaca.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a3:67:1e:cc:9e:e4:1b:2e:e5:c6:a4:d8:c9:43:
                    21:e2:12:16:d9:a1:d5:b1:b3:83:6c:9a:51:ed:25:
                    f1:aa:85:ca:99:e9:de:84:19:be:90:b1:19:06:4f:
                    e7:23:6c:d0:fd:03:30:1a:7b:88:45:28:bf:34:9d:
                    b2:11:06:1e:0f:e7:49:09:87:e2:ba:d2:49:68:25:
                    7d:9c:23:71:97:1f:91:3f:37:c4:bb:37:30:ff:45:
                    e0:4b:98:5f:3d:c3:5e:91:1e:b3:6f:fb:7f:d8:4b:
                    1a:15:a3:3f:44:a4:27:78:93:2e:54:dd:ca:65:68:
                    04:d9:0e:97:0c:26:2b:c7:34:46:65:c5:79:7a:0e:
                    45:8a:f7:f6:62:55:02:53:6c:36:95:a0:f4:11:cc:
                    fb:ab:d8:43:a6:de:00:8d:a3:b3:12:9a:2d:4d:fb:
                    17:e9:1c:d8:06:6d:68:0c:4c:c1:09:40:0d:b4:4b:
                    61:cc:85:78:94:0b:08:2c:3f:c6:41:d3:7d:10:f6:
                    49:8d:12:68:c4:5e:14:c9:49:23:3c:31:17:4c:6b:
                    e3:df:13:94:c1:45:74:33:ef:9b:95:4b:db:42:74:
                    3c:0f:29:de:8e:19:64:10:36:88:89:c2:ba:cd:b0:
                    d4:76:d8:a9:ba:94:2d:fc:6c:6f:02:19:8f:65:7c:
                    a9:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.............4...5....w...l...Z..d...
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Key Usage: critical
                Digital Signature
            1.3.6.1.4.1.311.21.10:
                0.0
..+.......
            OCSP No Check:

            X509v3 Authority Key Identifier:
                keyid:C1:5D:BC:27:D0:02:CD:8A:51:C7:25:02:81:BC:37:16:F2:49:E9:BC
            X509v3 Subject Key Identifier:
                87:18:B9:C4:C0:80:28:7F:69:05:92:AB:9E:B8:EB:F1:98:32:F4:07
            X509v3 Subject Alternative Name:
                DNS:Mars.balaca.com
    Signature Algorithm: sha1WithRSAEncryption
        3c:86:fe:96:9c:2f:5a:71:ae:26:15:18:1b:83:10:a9:d2:03:
        3f:e6:fc:77:24:f0:f4:0e:92:b9:24:d9:23:8f:02:a5:4e:85:
        8d:65:a9:69:26:b6:99:98:9c:0f:19:74:41:dd:19:fd:0d:b0:
        8b:91:9d:32:b9:48:b6:ca:f5:84:16:65:83:1d:65:c9:74:5e:
        66:e1:04:3d:b4:89:82:55:e5:f5:3c:ce:6b:15:ed:62:d9:10:
        ea:7f:90:de:ac:18:73:63:ef:8a:50:8d:8e:87:99:56:e3:43:
        11:c7:0a:aa:03:1e:71:bb:43:36:36:e3:15:0d:ac:20:37:ba:
        3b:62:12:26:4e:91:0a:4e:0e:c4:3d:f1:e6:26:15:61:e6:8e:
        4f:40:f4:c1:63:e1:0e:2f:75:3d:75:4f:09:9d:89:5e:e7:0f:
        2f:37:62:7f:62:19:e7:13:88:46:03:e4:02:d7:ed:e3:1a:ed:
        b9:5c:bb:84:1f:2c:98:2c:8c:f5:74:b2:ff:1e:21:b7:fe:b9:
        cb:30:8e:2d:69:8d:25:93:26:88:ac:e0:ce:b0:c0:ea:70:00:
        d0:52:7a:46:3a:9f:e3:5e:da:88:2c:18:52:9d:46:db:60:5d:
        f1:fb:ca:c8:12:60:45:c0:f7:62:6c:f2:25:8e:be:7a:bd:03:
        b5:3b:cf:7f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Response verify OK
C:\SV Central\/PKI/com, balaca, Users, Administrator.cert: good
This Update: Jun 4 06:22:58 2010 GMT
Next Update: Jun 5 18:42:58 2010 GMT
June 4th, 2010 12:13pm
It looks like your OCSP responder is OK.
In addition you may check your responder by using pkiview.msc and the 'certutil -url path\certificate.cer' command.
There is also a network capture method:
http://www.sysadmins.lv/PermaLink,guid,dd355e23-ba68-4ff5-a89b-26e7ff2fc089.aspx
I have posted a Network Monitor packet example and it is similar to what you posted.
http://en-us.sysadmins.lv
June 4th, 2010 12:44pm
Thanks Vadims,
I checked the responder using pkiview.msc and observed that Enterprise PKI and all the rest are OK.
Again I have a new problem:
When I revoke a certificate and try to log in to our application, I am able to log into our application successfully with this certificate.
Procedure followed to revoke a certificate:
Run --> MMC --> Added Certificate Authority --> Issued Certificates --> Selected a certificate and Revoked.
Is the procedure I followed to revoke the certificate OK?
Please help me with how to revoke a certificate.
Thanks.
June 4th, 2010 2:08pm
The certificate is likely revoked, but the CRL being used has not been updated and therefore does not include the revoked certificate in its list.
Try again after the CRLs are renewed and it will most likely fail as intended.
Let us know how it works out.
June 4th, 2010 2:21pm
Hi MagikD,
The certificate which I revoked is in the Revoked list at Certificate Authority --> Revoked Certificates. But when I select and view the certificate, I do not see a message saying that the certificate is revoked.
Can you please update me.
Thanks.
June 4th, 2010 2:49pm
The certificate authority knows the certificate in question is revoked. Any relying party, client or server, needs a CRL for certificate validation. If the relying party has an old, but still valid and not expired CRL, it will use that CRL until it needs a new one. The old valid CRL does not contain the serial number of the newly revoked certificate. A new CRL will have the serial number of the revoked certificate in its list.
If you manually updated the CRL on any of the relying parties in question, operation with the revoked certificate should show revoked status.
June 4th, 2010 3:25pm
In addition to the previous post: CRLs and OCSP responses are cached by clients. So even if you publish a new CRL, clients will not use this new CRL until the cached CRL or OCSP response expires.
http://en-us.sysadmins.lv
June 4th, 2010 6:06pm
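Putting MagikD's and Vadims's points together as one script (an added example, not code posted by anyone in the thread): revoke on the CA, publish a fresh CRL immediately instead of waiting for the scheduled publication, flush the relying party's cached CRL/OCSP data, and re-check with certutil. The serial number and certificate path are placeholders (the serial is the one from the OCSP request above, used purely as an illustration). One caveat the thread only implies: the Windows Online Responder's revocation provider is itself CRL-based, so it keeps answering "good" until it has reloaded the new CRL according to its own refresh setting, independent of what the client has cached.

```powershell
# Added example (not from the thread): revoke, publish a new CRL, flush the client
# cache and re-verify. Steps marked "CA" run on the CA as a CA administrator; the
# rest run on the relying party (the machine that validates the logon certificate).
# $Serial and $CertFile are assumptions; substitute your own.
param(
    # Serial number exactly as shown in the CA console / OCSP request (hex, no spaces)
    [string]$Serial   = '158DAF2F00000000001D',
    # The user certificate exported from the CA (Issued Certificates -> Open -> Copy to File)
    [string]$CertFile = 'C:\temp\user.cer'
)

# --- CA: revoke -------------------------------------------------------------
# Reason codes: 0 Unspecified, 1 KeyCompromise, 2 CACompromise, 3 AffiliationChanged,
# 4 Superseded, 5 CessationOfOperation, 6 CertificateHold.
# Revoking here is the command-line equivalent of the MMC "Revoke" action.
certutil -revoke $Serial 1

# --- CA: publish a new base CRL now ------------------------------------------
# Until this runs, the CRL that clients and the Online Responder hold still
# omits the serial number, so every relying party keeps reporting "good".
certutil -crl

# --- Relying party: forget what was cached -----------------------------------
# Delete cached CRL/OCSP URL retrievals, then tell the chain engine to ignore
# its in-memory cache on the next validation.
certutil -urlcache * delete
certutil -setreg chain\ChainCacheResyncFiletime @now

# --- Relying party: re-validate, fetching CRL and OCSP response from the network
$report = certutil -verify -urlfetch $CertFile 2>&1 | Out-String

# certutil reports a revoked leaf with lines containing "REVOKED" (e.g.
# "Leaf certificate is REVOKED") and a clean one with
# "Leaf certificate revocation check passed"; anything else means the check
# itself could not complete (URL unreachable, untrusted chain, ...).
if ($report -match 'REVOKED') {
    "Certificate $Serial is now reported as revoked."
}
elseif ($report -match 'revocation check passed') {
    "Certificate $Serial still validates as good: the CRL/OCSP data in use predates " +
    "the revocation. Retry after the responder has reloaded the CRL and the cached " +
    "response has expired."
}
else {
    "Revocation status could not be determined; certutil output follows:`n$report"
}
```

The cache flush only affects the machine it runs on; a browser or application server that performed the original logon has its own copy of the "good" response and will keep it until that response's Next Update time (here Jun 5 18:42:58 2010 GMT) unless it is cleared the same way.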
Hi Vadims,
Can you please describe briefly how to revoke a certificate and check whether a particular certificate is revoked or not.
I have revoked the certificate, but when I view the certificate it says that the certificate is OK, whereas it should show as Certificate Revoked.
Thanks
June 5th, 2010 8:49pm
Note: when you open a certificate in Windows Explorer it does not check the certificate for revocation, it only builds the certificate chain. In order to check whether a certificate is revoked or not you may use the following commands:
certutil -url path\certificate.cer
certutil -verify -urlfetch path\certificate.cer
If you are experienced in .NET, you may check the X509Chain.Build() method.
http://en-us.sysadmins.lv
June 5th, 2010 9:49pm
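As an added example (not Vadims's code), here is the X509Chain.Build() check he points to, driven from PowerShell so it can be run on the 2008 machine without compiling anything. The certificate path is an assumption. Build() returns false for any chain problem at all, so the function inspects ChainStatus to separate "the certificate is revoked" from "the CRL or OCSP responder could not be reached", which a relying party must not confuse with "good".

```powershell
# Added example (not from the thread): revocation check with .NET X509Chain.
# The path passed at the bottom is an assumption; point it at a certificate
# exported from the CA (or at the user certificate from the browser).
function Test-CertificateRevocation {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $flagsType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    # Online: fetch CRL / OCSP data from the URLs embedded in the certificate.
    # CryptoAPI still consults its cache first, so a cached "good" response is
    # honoured until it expires (Offline would use only cached data).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check every certificate in the chain except the self-signed root,
    # which has no issuer that could revoke it.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Build() is $false for ANY policy failure (expired, untrusted root, revoked,
    # revocation unknown ...); the status flags tell the cases apart.
    $valid = $chain.Build($cert)

    # OR all status flags together; each ChainStatus entry normally carries one flag.
    $combined = [int]$flagsType::NoError
    foreach ($s in $chain.ChainStatus) { $combined = $combined -bor [int]$s.Status }

    $isRevoked = ($combined -band [int]$flagsType::Revoked) -ne 0
    # RevocationStatusUnknown / OfflineRevocation: no CRL or OCSP answer could be
    # obtained. Treat this as a validation failure, never as "not revoked".
    $isUnknown = (($combined -band [int]$flagsType::RevocationStatusUnknown) -ne 0) -or
                 (($combined -band [int]$flagsType::OfflineRevocation) -ne 0)

    $result = New-Object PSObject -Property @{
        Subject           = $cert.Subject
        SerialNumber      = $cert.SerialNumber
        ChainValid        = $valid
        Revoked           = $isRevoked
        RevocationUnknown = $isUnknown
        Detail            = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    $chain.Reset()
    return $result
}

Test-CertificateRevocation -Path 'C:\temp\user.cer' | Format-List
```

X509Chain sits on the same CryptoAPI chain engine that certutil, Internet Explorer and the Explorer certificate dialog use, so it sees the same cache: a response fetched before the revocation comes back as good until its Next Update passes or the cache is cleared on that machine. Running this right after revoking and seeing Revoked = False therefore does not by itself mean the Online Responder is misconfigured.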