Windows 2008 OCSP incompatible with Cisco IOS
Hi,
Have done a fair bit of testing with Windows Server 2008 RC0 Certificate Services, including using the in-built OCSP responder. As it currently stands, the OCSP responder does not interact properly with all recent versions of Cisco IOS.
When the router uses OCSP to check another router's certificate, AND the OCSP server returns a response of "successful", the router rejects the response due to invalid BER encoding.
I raised a message with the Cisco TAC and they say it's because the id-pkix-ocsp-nocheck extension in the OCSP responder's certificate is set to a zero-length value. According to the RFC it should actually be set to the ASN.1 value of NULL.
Anyway, just wondering if anyone else has experienced this problem?
Does anyone know if it's possible to modify the value of the nocheck extension, or if it's possible to remove it?
Thanks.
PAUL G.
December 11th, 2007 3:54am
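As an added illustration of the encoding point above (this is not code from the original thread, from Microsoft or from Cisco): a minimal DER walker that locates the id-pkix-ocsp-nocheck extension (OID 1.3.6.1.5.5.7.48.1.5) in a certificate, an Extensions list or a single Extension, and reports whether its extnValue is the RFC-mandated ASN.1 NULL (the OCTET STRING contains the two octets 05 00) or an empty OCTET STRING (04 00), which is the zero-length value the post describes. The sample byte strings are constructed here for the demonstration and are not taken from any real certificate; only the Python standard library is used.

```python
"""Check how id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) is DER-encoded.

RFC 2560 (now RFC 6960) defines the extension value as ASN.1 NULL, so the
Extension's extnValue must be an OCTET STRING *containing* 05 00.
An empty OCTET STRING (04 00) carries no NULL at all and is rejected by a
strict BER/DER decoder on the relying party. Standard library only.
"""

OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.1.5"
ASN1_NULL = b"\x05\x00"

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30
CONSTRUCTED = 0x20  # bit 6 of the tag octet: content is more TLVs


def tlv(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(data, pos):
    """Decode one DER TLV at data[pos] -> (tag, value, next_pos).

    Single-byte tags only (all X.509 needs); indefinite lengths are
    rejected because DER forbids them.
    """
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("TLV length runs past end of buffer")
    return tag, data[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def find_nocheck_extn_value(der):
    """Return extnValue content octets of the nocheck Extension, or None.

    Walks every constructed TLV looking for
    SEQUENCE { OID nocheck, [BOOLEAN critical,] OCTET STRING extnValue }.
    Primitive types (OCTET STRING, BIT STRING, ...) are not descended into.
    """
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == TAG_SEQUENCE and value and value[0] == TAG_OID:
            _, oid, inner = read_tlv(value, 0)
            if decode_oid(oid) == OCSP_NOCHECK_OID:
                next_tag, next_val, inner = read_tlv(value, inner)
                if next_tag == TAG_BOOLEAN:  # optional 'critical' flag
                    next_tag, next_val, inner = read_tlv(value, inner)
                if next_tag != TAG_OCTET_STRING:
                    raise ValueError("extnValue must be an OCTET STRING")
                return next_val
        if tag & CONSTRUCTED:
            found = find_nocheck_extn_value(value)
            if found is not None:
                return found
    return None


def classify_nocheck(der):
    """'absent', 'null' (RFC-correct), 'empty' (zero-length) or 'other'."""
    v = find_nocheck_extn_value(der)
    if v is None:
        return "absent"
    return "null" if v == ASN1_NULL else "empty" if v == b"" else "other"


# --- constructed sample data (not from any real certificate) ---------------
OID_NOCHECK = tlv(TAG_OID, bytes.fromhex("2b0601050507300105"))   # 1.3.6.1.5.5.7.48.1.5
OID_EKU = tlv(TAG_OID, bytes.fromhex("551d25"))                    # 2.5.29.37
OID_OCSP_SIGNING = tlv(TAG_OID, bytes.fromhex("2b06010505070309"))  # 1.3.6.1.5.5.7.3.9

# A neighbouring EKU extension so the walk has to skip past something.
EKU_EXT = tlv(TAG_SEQUENCE, OID_EKU + tlv(TAG_OCTET_STRING, tlv(TAG_SEQUENCE, OID_OCSP_SIGNING)))
RFC_CORRECT_EXT = tlv(TAG_SEQUENCE, OID_NOCHECK + tlv(TAG_OCTET_STRING, ASN1_NULL))
ZERO_LENGTH_EXT = tlv(TAG_SEQUENCE, OID_NOCHECK + tlv(TAG_OCTET_STRING, b""))


def extensions_block(*exts):
    """[3] EXPLICIT Extensions, as it sits inside a TBSCertificate."""
    return tlv(0xA3, tlv(TAG_SEQUENCE, b"".join(exts)))


GOOD = extensions_block(EKU_EXT, RFC_CORRECT_EXT)
BAD = extensions_block(EKU_EXT, ZERO_LENGTH_EXT)
NONE = extensions_block(EKU_EXT)

if __name__ == "__main__":
    for name, blob in (("RFC-correct", GOOD), ("zero-length", BAD), ("absent", NONE)):
        print(f"{name:12} {blob.hex()}  ->  {classify_nocheck(blob)}")
```

To check a real responder certificate, pass its DER bytes (the contents of a .cer file) to classify_nocheck. Note that the value cannot be patched in an already issued certificate, since the extension is inside the signed TBSCertificate; the encoding has to be corrected at the issuing CA.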
Paul,
I have reported this to the development team responsible for our OCSP component and they are looking into it. In the meantime you can remove the extension using the following procedure:
certutil -setreg policy\DisableExtensionList +1.3.6.1.5.5.7.48.1.5
net stop certsvc & net start certsvc
Thanks,
-Steve
January 15th, 2008 10:06am
Hi Steve,
Thought I would update you about this problem. I am now using the RTM version of Windows Server 2008 Enterprise and am running the latest versions of Cisco IOS. The above problem is still occurring.
Also, if I disable the extension as you suggested above, it causes problems on the Cisco routers.
Has there been any word from the development team on this issue? Is there any patch available for Windows 2008 that will fix this behaviour, or at least allow the value of the id-pkix-ocsp-nocheck extension to be modified?
Thanks.
PAUL G.
August 6th, 2008 7:03am
FYI, for anyone who is experiencing this same problem, Microsoft has finally released a hotfix for it:
http://support.microsoft.com/kb/960549
Apply this hotfix to the CA that issues the signing certificate to the OCSP responder. I have tested it and it works.
Regards,
PAUL G.
December 24th, 2008 4:20am