Should OCSP be enabled for Offline CAs?
Hi Everyone,

I know a similar question was asked back in January, but there appeared to be no clear consensus at the time.

We have a 3-tier PKI built using Brian Komar's authoritative work, supplemented by information on TechNet and of course this forum :). All the CAs are in place and we will soon be issuing "end entity" certificates. The PKIView checks all report OK with the exception of the OCSP URLs, due to my not having built the live responders yet :) Now, following information in various OCSP references, I have configured all the issuing CAs such that they include the future OCSP URL in the online certificate status protocol (OCSP) extension.

My questions:

1) Is there any value in configuring the subordinate CAs (offline) to leverage OCSP?

2) If the answer to 1 is YES, is it possible to achieve this without having to reissue the certificates for the subordinates, and the issuing CAs for that matter? I believe I read somewhere that you can manually add OCSP URLs to issued certificates?

All of the Microsoft OCSP references I've read to date recommend that the OCSP responders be built after the CAs are in place and before end-entity certificates are issued. I'm sure there are a lot of existing PKIs without OCSP. If adding OCSP at a later stage meant a re-key of the hierarchy it would be somewhat of a pain :)

Opinions & advice appreciated.
October 6th, 2012 2:23pm

> 1) Is there any value in configuring the subordinate CAs (offline) to leverage OCSP?

I don't think so. Offline CAs usually have empty CRLs, or just a few entries, and their size is less than 1 KB.

> All of the Microsoft OCSP references I've read to date recommend that the OCSP responders be built after the CAs are in place and before end-entity certificates are issued.

Yes, it is just a recommendation.

> If adding OCSP at a later stage meant a re-key of the hierarchy it would be somewhat of a pain

Why? In this case you have to:

1) reconfigure the upper-level CA to include the appropriate OCSP URL.
2) renew the CA (down-level) certificate with either a new key pair, or reusing the existing key pair.
3) distribute the new CA certificate through Active Directory (no specific steps are required).
4) remove the previous CA certificate from Active Directory and distribute it via group policies, and specify the OCSP location in the certificate properties.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 7th, 2012 3:42am
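Step 1 of the reply above, reconfiguring the upper-level CA so that the certificates it issues from now on carry the OCSP URL, as an added PowerShell example. This is not code from the thread or from any of its participants; it assumes an AD CS CA, an elevated session on that CA host, and a placeholder responder URL (`http://ocsp.example.com/ocsp`) that you replace with your own. The registry path under `CertSvc\Configuration` and the meaning of flag 32 are standard AD CS behaviour; the `$OcspUrl` parameter and the `Test-OcspUrlInCert` helper are this example's own names.

```powershell
# Added example, not from the thread: append an OCSP URL to the AIA publication
# list of an AD CS CA. Only certificates issued AFTER this change carry the URL
# in their OCSP extension; the CA's own certificate and already-issued
# subordinate CA certificates are unchanged until they are renewed (step 2 in
# the reply above).
# Assumptions: run elevated on the CA host; the URL below is a placeholder.

param(
    [string]$OcspUrl = 'http://ocsp.example.com/ocsp'   # placeholder responder URL
)

# AD CS keeps the active CA name and its per-CA settings here.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CACertPublicationURLs).CACertPublicationURLs

# Flag 32 = "Include in the online certificate status protocol (OCSP) extension".
# (Flag 1 = publish the CA cert to this location, flag 2 = include in the AIA extension.)
$entry = "32:$OcspUrl"

Write-Host "Current CACertPublicationURLs on '$caName':"
$urls | ForEach-Object { Write-Host "  $_" }

if ($urls -contains $entry) {
    Write-Host "Entry already present, nothing to do: $entry"
} else {
    # The '+' prefix appends to the REG_MULTI_SZ instead of replacing the whole list,
    # so the existing AIA and publication entries are preserved.
    certutil -setreg CA\CACertPublicationURLs "+$entry"

    # The CA reads the publication list at service start.
    Restart-Service -Name certsvc

    Write-Host 'Updated CACertPublicationURLs:'
    certutil -getreg CA\CACertPublicationURLs
}

# Check that a (renewed) CA certificate actually carries the URL: certutil
# prints the OCSP entries of the AIA extension and, with -urlfetch, attempts to
# contact the responder so a wrong or unreachable URL shows up immediately.
function Test-OcspUrlInCert {
    param([Parameter(Mandatory)][string]$CertPath)   # path to a .cer/.crt file
    $dump = certutil -dump $CertPath | Out-String
    $hasOcsp = $dump -match 'Online Certificate Status Protocol'
    Write-Host ("OCSP URL present in {0}: {1}" -f $CertPath, $hasOcsp)
    if ($hasOcsp) { certutil -verify -urlfetch $CertPath }
    return $hasOcsp
}
```

Run the script once on the CA that issues the next-level CA certificate (for the subordinate CA that is the offline root, for the issuing CAs it is the subordinate), then renew the down-level CA certificate and run `Test-OcspUrlInCert` against the renewed `.cer`. Until that renewal, `certutil -verify -urlfetch` on the old certificate will still show no OCSP entry, which is exactly why the reply treats the "add the URL in certificate properties" route as a temporary, client-local workaround rather than a replacement for renewal.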

Hi Vadims,

Thanks as ever for taking the time to reply. First, I'm afraid my use of the word "re-key" was misleading. What I meant by "re-key the hierarchy" was re-issue the certificates for the subordinate and issuing CAs so that their certificates include the OCSP URL in the OCSP extension. However, this TechNet article: http://technet.microsoft.com/en-us/library/cc732189(v=ws.10).aspx implies that it is possible to add an OCSP URL to existing certificates without having to re-issue. Granted, in the case where the PKI is not yet in active use there isn't much time saving to be gained over re-issuing the certificates, but I'm interested nonetheless as to whether this is a viable avenue. The road to PKI expertise is long and winding and it is always useful to add new things to one's knowledge base :)

Any thoughts on this from you or anyone else would be valued.
October 7th, 2012 7:41am

> implies that it is possible to add an OCSP URL to existing certificates without having to re-issue.

Yes, and I mentioned this in my previous post. However, this is just a temporary solution, when you implement OCSP now and have plans to recreate the CA certificate in the near future. OCSP will be used only by the clients where the CA certificate is specially configured in the local certificate store. For example, anyone outside of your domain will not recognize OCSP. Also, I still don't see any difficulties in CA certificate renewal, so I still think that the mentioned link is not a permanent solution.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 7th, 2012 10:04am

> > implies that it is possible to add an OCSP URL to existing certificates without having to re-issue.
>
> Yes, and I mentioned this in my previous post. However, this is just a temporary solution, when you implement OCSP now and have plans to recreate the CA certificate in the near future. OCSP will be used only by the clients where the CA certificate is specially configured in the local certificate store. For example, anyone outside of your domain will not recognize OCSP. Also, I still don't see any difficulties in CA certificate renewal, so I still think that the mentioned link is not a permanent solution.
>
> My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Vadims,

Thank you for expanding on this. All understood now.
October 7th, 2012 10:13am

