Online Responder Issue.
Hi, I need help from those who have an idea about Online Responder. I had configured OCSP and a CA on a 2008 machine which is a domain machine. Now using the CA I had created a user certificate and installed it in my browser. Logged into our application successfully with this certificate. After logging in I went through the log (PKI log) of how validation is done through the online provider and observed the following log. Can anyone who has an idea please check and let me know whether the online provider is configured properly or not.

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
          Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
          Serial Number: 158DAF2F00000000001D
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 8718B9C4C080287F690592AB9EB8EBF19832F407
    Produced At: Jun  4 08:10:26 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
      Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
      Serial Number: 158DAF2F00000000001D
    Cert Status: good
    This Update: Jun  4 06:22:58 2010 GMT
    Next Update: Jun  5 18:42:58 2010 GMT
    Response Single Extensions:
        1.3.6.1.4.1.311.21.4: .
100605063258Z
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:29:5b:f5:00:00:00:00:00:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=balaca, CN=balaca-MARS-CA
        Validity
            Not Before: Jun  3 06:47:32 2010 GMT
            Not After : Jun  2 06:47:32 2012 GMT
        Subject: CN=Mars.balaca.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a3:67:1e:cc:9e:e4:1b:2e:e5:c6:a4:d8:c9:43:
                    21:e2:12:16:d9:a1:d5:b1:b3:83:6c:9a:51:ed:25:
                    f1:aa:85:ca:99:e9:de:84:19:be:90:b1:19:06:4f:
                    e7:23:6c:d0:fd:03:30:1a:7b:88:45:28:bf:34:9d:
                    b2:11:06:1e:0f:e7:49:09:87:e2:ba:d2:49:68:25:
                    7d:9c:23:71:97:1f:91:3f:37:c4:bb:37:30:ff:45:
                    e0:4b:98:5f:3d:c3:5e:91:1e:b3:6f:fb:7f:d8:4b:
                    1a:15:a3:3f:44:a4:27:78:93:2e:54:dd:ca:65:68:
                    04:d9:0e:97:0c:26:2b:c7:34:46:65:c5:79:7a:0e:
                    45:8a:f7:f6:62:55:02:53:6c:36:95:a0:f4:11:cc:
                    fb:ab:d8:43:a6:de:00:8d:a3:b3:12:9a:2d:4d:fb:
                    17:e9:1c:d8:06:6d:68:0c:4c:c1:09:40:0d:b4:4b:
                    61:cc:85:78:94:0b:08:2c:3f:c6:41:d3:7d:10:f6:
                    49:8d:12:68:c4:5e:14:c9:49:23:3c:31:17:4c:6b:
                    e3:df:13:94:c1:45:74:33:ef:9b:95:4b:db:42:74:
                    3c:0f:29:de:8e:19:64:10:36:88:89:c2:ba:cd:b0:
                    d4:76:d8:a9:ba:94:2d:fc:6c:6f:02:19:8f:65:7c:
                    a9:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.............4...5....w...l...Z..d...
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Key Usage: critical
                Digital Signature
            1.3.6.1.4.1.311.21.10:
                0.0 ..+.......
            OCSP No Check:

            X509v3 Authority Key Identifier:
                keyid:C1:5D:BC:27:D0:02:CD:8A:51:C7:25:02:81:BC:37:16:F2:49:E9:BC
            X509v3 Subject Key Identifier:
                87:18:B9:C4:C0:80:28:7F:69:05:92:AB:9E:B8:EB:F1:98:32:F4:07
            X509v3 Subject Alternative Name:
                DNS:Mars.balaca.com
    Signature Algorithm: sha1WithRSAEncryption
        3c:86:fe:96:9c:2f:5a:71:ae:26:15:18:1b:83:10:a9:d2:03:
        3f:e6:fc:77:24:f0:f4:0e:92:b9:24:d9:23:8f:02:a5:4e:85:
        8d:65:a9:69:26:b6:99:98:9c:0f:19:74:41:dd:19:fd:0d:b0:
        8b:91:9d:32:b9:48:b6:ca:f5:84:16:65:83:1d:65:c9:74:5e:
        66:e1:04:3d:b4:89:82:55:e5:f5:3c:ce:6b:15:ed:62:d9:10:
        ea:7f:90:de:ac:18:73:63:ef:8a:50:8d:8e:87:99:56:e3:43:
        11:c7:0a:aa:03:1e:71:bb:43:36:36:e3:15:0d:ac:20:37:ba:
        3b:62:12:26:4e:91:0a:4e:0e:c4:3d:f1:e6:26:15:61:e6:8e:
        4f:40:f4:c1:63:e1:0e:2f:75:3d:75:4f:09:9d:89:5e:e7:0f:
        2f:37:62:7f:62:19:e7:13:88:46:03:e4:02:d7:ed:e3:1a:ed:
        b9:5c:bb:84:1f:2c:98:2c:8c:f5:74:b2:ff:1e:21:b7:fe:b9:
        cb:30:8e:2d:69:8d:25:93:26:88:ac:e0:ce:b0:c0:ea:70:00:
        d0:52:7a:46:3a:9f:e3:5e:da:88:2c:18:52:9d:46:db:60:5d:
        f1:fb:ca:c8:12:60:45:c0:f7:62:6c:f2:25:8e:be:7a:bd:03:
        b5:3b:cf:7f
-----BEGIN CERTIFICATE-----
MIID1jCCAr6gAwIBAgIKYSlb9QAAAAAAAzANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGYmFsYWNhMRcwFQYDVQQD
Ew5iYWxhY2EtTUFSUy1DQTAeFw0xMDA2MDMwNjQ3MzJaFw0xMjA2MDIwNjQ3MzJa
MBoxGDAWBgNVBAMTD01hcnMuYmFsYWNhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKNnHsye5Bsu5cak2MlDIeISFtmh1bGzg2yaUe0l8aqFypnp
3oQZvpCxGQZP5yNs0P0DMBp7iEUovzSdshEGHg/nSQmH4rrSSWglfZwjcZcfkT83
xLs3MP9F4EuYXz3DXpEes2/7f9hLGhWjP0SkJ3iTLlTdymVoBNkOlwwmK8c0RmXF
eXoORYr39mJVAlNsNpWg9BHM+6vYQ6beAI2jsxKaLU37F+kc2AZtaAxMwQlADbRL
YcyFeJQLCCw/xkHTfRD2SY0SaMReFMlJIzwxF0xr498TlMFFdDPvm5VL20J0PA8p
3o4ZZBA2iInCus2w1HbYqbqULfxsbwIZj2V8qYMCAwEAAaOB8TCB7jA9BgkrBgEE
AYI3FQcEMDAuBiYrBgEEAYI3FQiEk/9/hr+MFITplzSDlK81z9QUgXeDjOVsh6eK
WgIBZAIBAzATBgNVHSUEDDAKBggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMCB4AwGwYJ
KwYBBAGCNxUKBA4wDDAKBggrBgEFBQcDCTAPBgkrBgEFBQcwAQUEAgUAMB8GA1Ud
IwQYMBaAFMFdvCfQAs2KUcclAoG8NxbySem8MB0GA1UdDgQWBBSHGLnEwIAof2kF
kqueuOvxmDL0BzAaBgNVHREEEzARgg9NYXJzLmJhbGFjYS5jb20wDQYJKoZIhvcN
AQEFBQADggEBADyG/pacL1pxriYVGBuDEKnSAz/m/Hck8PQOkrkk2SOPAqVOhY1l
qWkmtpmYnA8ZdEHdGf0NsIuRnTK5SLbK9YQWZYMdZcl0XmbhBD20iYJV5fU8zmsV
7WLZEOp/kN6sGHNj74pQjY6HmVbjQxHHCqoDHnG7QzY24xUNrCA3ujtiEiZOkQpO
DsQ98eYmFWHmjk9A9MFj4Q4vdT11TwmdiV7nDy83Yn9iGecTiEYD5ALX7eMa7blc
u4QfLJgsjPV0sv8eIbf+ucswji1pjSWTJois4M6wwOpwANBSekY6n+Ne2ogsGFKd
RttgXfH7ysgSYEXA92Js8iWOvnq9A7U7z38=
-----END CERTIFICATE-----
Response verify OK
C:\SV Central\/PKI/com, balaca, Users, Administrator.cert: good
        This Update: Jun  4 06:22:58 2010 GMT
        Next Update: Jun  5 18:42:58 2010 GMT
June 4th, 2010 12:13pm

It looks like your OCSP responder is OK. In addition you may check your responder by using pkiview.msc and the 'certutil -url path\certificate.cer' command. There is also the network capture method: http://www.sysadmins.lv/PermaLink,guid,dd355e23-ba68-4ff5-a89b-26e7ff2fc089.aspx I have posted a Network Monitor packet example there and it is similar to what you posted.
http://en-us.sysadmins.lv
June 4th, 2010 12:44pm
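What "the responder looks OK" means, written out as checks against the dump posted above. This is an added example, not code from the thread, from Microsoft or from sysadmins.lv; the here-string holds lines copied from that dump (trimmed to the fields the checks need), and the function and property names are this example's own. It confirms that the response is successful and verified, that the CertID in the response is the one that was asked for, that the Responder Id is the key identifier of the signing certificate, that the signer was issued by the CA whose key hash is in the request, and that the signer carries the OCSP Signing EKU and the OCSP No Check extension.

```powershell
# Added example: consistency checks a relying party applies to an 'openssl ocsp -text' style dump.
# $dump is copied (trimmed) from the dump posted in this thread.
$dump = @'
OCSP Request Data:
    Requestor List:
        Certificate ID:
          Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
          Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
          Serial Number: 158DAF2F00000000001D
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: 8718B9C4C080287F690592AB9EB8EBF19832F407
    Responses:
    Certificate ID:
      Issuer Name Hash: BC5398FF161D09D5A8176EECE706542BF6DB7A42
      Issuer Key Hash: C15DBC27D002CD8A51C7250281BC3716F249E9BC
      Serial Number: 158DAF2F00000000001D
    Cert Status: good
Certificate:
            X509v3 Extended Key Usage:
                OCSP Signing
            OCSP No Check:
            X509v3 Authority Key Identifier:
                keyid:C1:5D:BC:27:D0:02:CD:8A:51:C7:25:02:81:BC:37:16:F2:49:E9:BC
            X509v3 Subject Key Identifier:
                87:18:B9:C4:C0:80:28:7F:69:05:92:AB:9E:B8:EB:F1:98:32:F4:07
Response verify OK
'@

function Test-OcspDump {
    param([Parameter(Mandatory=$true)][string]$Text)

    # Every value printed after a label, in document order: the request CertID comes
    # first, the response CertID second. Only same-line values are taken, so the
    # certificate's own multi-line 'Serial Number:' field is ignored.
    $get = {
        param($Label)
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($Label) + ':[ \t]*(\S+)[ \t]*\r?$'
        @([regex]::Matches($Text, $pattern) | ForEach-Object { $_.Groups[1].Value })
    }
    # Key identifiers are colon-separated in the certificate but bare hex in the OCSP fields.
    $norm = { param($Hex) ($Hex -replace '[:\s]', '').ToUpperInvariant() }

    $nameHash    = & $get 'Issuer Name Hash'
    $keyHash     = & $get 'Issuer Key Hash'
    $serial      = & $get 'Serial Number'
    $responderId = (& $get 'Responder Id')[0]
    $ski = [regex]::Match($Text, 'Subject Key Identifier:\s*([0-9A-Fa-f:]+)').Groups[1].Value
    $aki = [regex]::Match($Text, 'Authority Key Identifier:\s*keyid:([0-9A-Fa-f:]+)').Groups[1].Value

    [pscustomobject]@{
        ResponseSuccessful = $Text -match 'OCSP Response Status: successful'
        # The responder answered about the certificate that was asked about.
        CertIdMatches      = ($nameHash.Count -eq 2 -and $nameHash[0] -eq $nameHash[1] -and
                              $keyHash.Count  -eq 2 -and $keyHash[0]  -eq $keyHash[1]  -and
                              $serial.Count   -eq 2 -and $serial[0]   -eq $serial[1])
        # Responder Id (by key) must be the signing certificate's Subject Key Identifier.
        ResponderIsSigner  = (& $norm $responderId) -eq (& $norm $ski)
        # The signer's issuer key must be the CA key named in the request (delegated responder).
        SignerIssuedByCa   = (& $norm $aki) -eq (& $norm $keyHash[-1])
        SignerHasOcspEku   = $Text -match 'OCSP Signing'
        SignerHasNoCheck   = $Text -match 'OCSP No Check'
        SignatureVerified  = $Text -match 'Response verify OK'
        CertStatus         = (& $get 'Cert Status')[0]
    }
}

Test-OcspDump -Text $dump | Format-List
```

For the dump in this thread every boolean comes out True and CertStatus is good. A False in ResponderIsSigner or SignerIssuedByCa is the thing to look for when a responder has been set up with the wrong signing certificate, and a missing OCSP No Check means the client will in turn try to check the signing certificate for revocation.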

Thanks Vadims, I checked the responder using pkiview.msc and observed Enterprise PKI and the remaining all are OK. Again I have a new problem: when I revoke a certificate and try to log in to our application, I am able to log into our application successfully with this certificate. Procedure followed to revoke a certificate: Run --> MMC --> Added Certificate Authority --> Issued Certificates --> selected a certificate and revoked it. Is the procedure by which I revoked the certificate OK? Please help me with how to revoke a certificate. Thanks.
June 4th, 2010 2:08pm

The certificate is likely revoked, but the CRL being used has not been updated and therefore does not include the revoked certificate in its list. Try again after the CRLs are renewed and it will most likely fail as intended. Let us know how it works out.
June 4th, 2010 2:21pm

Hi MagikD, the certificate which I had revoked is in the Revoked list at Certificate Authority --> Revoked Certificates. But when I select and view the certificate, I do not see a message that the certificate is revoked. Can you please update me. Thanks.
June 4th, 2010 2:49pm

The certificate authority knows the certificate in question is revoked. Any relying party, client or server, needs a CRL for certificate validation. If the relying party has an old, but still valid and not expired CRL, it will use that CRL until it needs a new one. The old valid CRL does not contain the serial number of the newly revoked certificate. A new CRL will have the serial number of the revoked certificate in its list. If you manually updated the CRL on any of the relying parties in question, operation with the revoked certificate should show revoked status.
June 4th, 2010 3:25pm

In addition to the previous post: CRLs and OCSP responses are cached by clients. So even if you publish a new CRL, clients will not use this new CRL until the cached CRL or OCSP response expires.
http://en-us.sysadmins.lv
June 4th, 2010 6:06pm
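The caching behaviour described in the last two replies, modelled in PowerShell so the timeline is visible. This is an added example, not code from the thread, from Microsoft or from sysadmins.lv. The ThisUpdate and NextUpdate values are the ones from the OCSP response posted at the top of the thread; the revocation time, CRL publication time and check times are constructed for the illustration, and the function and parameter names are this example's own.

```powershell
# Added example: what a relying party answers while it still holds a cached CRL or OCSP response.
function ConvertFrom-OpenSslTime {
    # Parses the 'Jun  4 06:22:58 2010 GMT' form printed by openssl into a UTC DateTime.
    param([Parameter(Mandatory=$true)][string]$Value)
    $clean = (($Value -replace '\s+', ' ') -replace ' GMT$', '').Trim()
    [datetime]::ParseExact($clean, 'MMM d HH:mm:ss yyyy',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
}

function Get-RevocationViewAt {
    param(
        [Parameter(Mandatory=$true)][datetime]$ThisUpdate,        # window of the cached response/CRL
        [Parameter(Mandatory=$true)][datetime]$NextUpdate,
        [Parameter(Mandatory=$true)][datetime]$RevokedAt,         # when the CA marked the serial revoked
        [Parameter(Mandatory=$true)][datetime]$SourcePublishedAt, # when a CRL listing the serial was published
        [Parameter(Mandatory=$true)][datetime]$CheckedAt          # when the client validates the certificate
    )
    $revokedByNow = $RevokedAt -le $CheckedAt
    # Inside [ThisUpdate, NextUpdate) the client does not ask again: it answers from its cache,
    # and that cached data was produced before the revocation.
    if ($CheckedAt -ge $ThisUpdate -and $CheckedAt -lt $NextUpdate) {
        $why = if ($revokedByNow) { 'revoked at the CA, but the cached response still says good' } else { 'not yet revoked' }
        return [pscustomobject]@{ CheckedAt = $CheckedAt; Source = 'cache'; Status = 'good'; Why = $why }
    }
    # Past NextUpdate the client fetches again. An Online Responder answers from the CA's CRL,
    # so the fresh answer turns to revoked only once a CRL listing the serial has been published.
    $seesRevocation = $revokedByNow -and ($SourcePublishedAt -le $CheckedAt)
    $status = if ($seesRevocation) { 'revoked' } else { 'good' }
    $why = if ($seesRevocation) { 'fresh data includes the serial' } else { 'responder source not yet republished' }
    [pscustomobject]@{ CheckedAt = $CheckedAt; Source = 'fresh fetch'; Status = $status; Why = $why }
}

function ConvertTo-Utc([string]$Text) { [datetime]::SpecifyKind([datetime]$Text, 'Utc') }

$thisUpdate  = ConvertFrom-OpenSslTime 'Jun  4 06:22:58 2010 GMT'   # from the thread's response
$nextUpdate  = ConvertFrom-OpenSslTime 'Jun  5 18:42:58 2010 GMT'   # from the thread's response
$revokedAt   = ConvertTo-Utc '2010-06-04 13:00'                     # constructed: revocation in the CA console
$publishedAt = ConvertTo-Utc '2010-06-05 18:00'                     # constructed: next CRL publication

foreach ($t in '2010-06-04 14:30', '2010-06-05 19:00') {
    Get-RevocationViewAt -ThisUpdate $thisUpdate -NextUpdate $nextUpdate -RevokedAt $revokedAt `
        -SourcePublishedAt $publishedAt -CheckedAt (ConvertTo-Utc $t)
}
```

With the thread's window (Jun 4 06:22:58 to Jun 5 18:42:58 GMT) the first check, an hour and a half after the constructed revocation, is answered from cache as good; the second check, after NextUpdate and after the constructed CRL publication, comes back revoked. Shortening the CRL validity period on the CA, or publishing a new CRL manually and clearing the client cache, is what shrinks that window in practice.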

Hi Vadims, can you please describe briefly how to revoke and check whether a particular certificate is revoked or not. I have revoked the certificate, but when I view the certificate it says that the certificate is OK, whereas it should show as Certificate Revoked. Thanks
June 5th, 2010 8:49pm

Note: when you open a certificate in Windows Explorer it doesn't check the certificate for revocation, it only builds the certificate chain. In order to check whether a certificate is revoked or not you may use the following commands:
certutil -url path\certificate.cer
certutil -verify -urlfetch path\certificate.cer
If you are experienced in .NET, you may check the X509Chain.Build() method.
http://en-us.sysadmins.lv
June 5th, 2010 9:49pm
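The X509Chain.Build() check from the reply above, driven from PowerShell. This is an added example, not code from the thread, from Microsoft or from sysadmins.lv; the certificate path is a placeholder, and the function name is this example's own. Running it once with RevocationMode NoCheck and once with Online shows the difference the reply describes: the first mirrors what the certificate viewer does (chain only) and says the certificate is fine, the second fetches CRL/OCSP data and reports Revoked once that data includes the serial.

```powershell
# Added example: revocation check of a .cer file via .NET X509Chain, in two modes.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [ValidateSet('NoCheck', 'Online', 'Offline')][string]$Mode = 'Online'
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"
    try {
        # NoCheck builds the chain only (what the Explorer viewer effectively does);
        # Online fetches CRLs/OCSP responses, subject to the client's URL cache.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(30)
        $built = $chain.Build($cert)

        # Fold every element's status flags together so a Revoked flag anywhere in the chain is caught.
        $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError
        foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }
        $has = {
            param([string]$Flag)
            $f = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$Flag
            ([int]($flags -band $f)) -ne 0
        }

        [pscustomobject]@{
            Subject           = $cert.Subject
            SerialNumber      = $cert.SerialNumber
            RevocationMode    = $Mode
            ChainValid        = $built
            Revoked           = (& $has 'Revoked')
            # Unknown/offline status means the check did not happen, not that the cert is good.
            RevocationUnknown = (& $has 'RevocationStatusUnknown') -or (& $has 'OfflineRevocation')
            StatusInformation = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        }
    } finally {
        $chain.Reset()
    }
}

$cerPath = 'C:\path\to\certificate.cer'   # placeholder: export of the certificate in question
foreach ($mode in 'NoCheck', 'Online') { Test-CertificateRevocation -Path $cerPath -Mode $mode }

# The same check from certutil, plus the cache flush that makes the next check go to the network
# instead of being answered from a cached CRL or OCSP response:
#   certutil -url C:\path\to\certificate.cer
#   certutil -verify -urlfetch C:\path\to\certificate.cer
#   certutil -urlcache * delete
```

If the Online run still reports ChainValid True and Revoked False for a certificate you have just revoked, look at RevocationUnknown first (the fetch failed) and then at the cache: the client keeps using its cached CRL or OCSP response until that response's NextUpdate passes, and the responder itself only reports the revocation once the CA has published a CRL that lists the serial.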

This topic is archived. No further replies will be accepted.
