Where to Initially Enable OCSP?

  • Question

  • According to this article, you should enable the OCSP feature in the Offline Root CA : http://itbloggen.se/cs/blogs/kristoferohman/archive/2009/04/24/setting-up-a-tier-2-pki-structure.aspx

    Is this correct for an Offline Root? Or is it better to just enable this for the Issuing CA?

    For AIA, you can use similar settings (enable filesystem and http, remove ldap:// and file://).

    Local filesystem : example: D:\CertSrv\CDP\<CaName>.crt

    HTTP : example: http://cert.domain.com/CDP/<CaName>.crt

    Check: "Include in the AIA extension of issued certificates"

    Note: If you are going to be using OCSP, enable "Include in the online certificate status protocol (OCSP) extension"


    Wednesday, January 18, 2012 3:37 AM

All replies

  • > According to this article, you should enable the OCSP feature in the Offline Root CA : http://itbloggen.se/cs/blogs/kristoferohman/archive/2009/04/24/setting-up-a-tier-2-pki-structure.aspx
    >
    > Is this correct for an Offline Root? Or is it better to just enable this for the Issuing CA?
    >
    > For AIA, you can use similar settings (enable filesystem and http, remove ldap:// and file://).
    >
    > Local filesystem : example: D:\CertSrv\CDP\<CaName>.crt
    >
    > HTTP : example: http://cert.domain.com/CDP/<CaName>.crt
    >
    > Check: "Include in the AIA extension of issued certificates"
    >
    > Note: If you are going to be using OCSP, enable "Include in the online certificate status protocol (OCSP) extension"

    My bet is that it is useless to implement OCSP for CAs that issue certificates only to other CAs (subordinate) and not to end entities, because those CAs' CRLs are almost empty (unlike issuing CAs, which issue certificates to end entities).
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    • Marked as answer by Vegas588 Wednesday, January 18, 2012 11:44 AM
    Wednesday, January 18, 2012 6:44 AM
  • sounds right to me. Thanks for your help. There seems to be so much conflicting or wrong info out there on Windows PKI. It's difficult to go through all of it and make sense of it, especially when I am just learning.
    Wednesday, January 18, 2012 11:45 AM
  • Remember that your offline Root-CA is part of the CA chain, and during certificate validation, its validity will also be verified. Therefore your offline RootCA must publish its CRL in an accessible location (often manually ported to a URL site), and better include in its AIA what that URL is. Then the Responder for it is what you are identifying when you "enable the OCSP feature".

    In summary, in my opinion, both the offline-RootCA and the "Issuing CA" should enable the OCSP feature.

    I have had a case reported where Offline-Root-CA access was being attempted because the AIA was not pointing to an online-accessible node.

    Wednesday, January 18, 2012 9:04 PM
  • > Remember that your offline Root-CA is part of the CA chain, and during certificate validation, its validity will also be verified. Therefore your offline RootCA must publish its CRL in an accessible location (often manually ported to a URL site), and better include in its AIA what that URL is. Then the Responder for it is what you are identifying when you "enable the OCSP feature".
    >
    > In summary, in my opinion, both the offline-RootCA and the "Issuing CA" should enable the OCSP feature.
    >
    > I have had a case reported where Offline-Root-CA access was being attempted because the AIA was not pointing to an online-accessible node.

    This is incorrect. There is no relation between CRL URLs and the AIA extension. CRL URLs are published in the CDP extension instead. There is no benefit from assigning an OCSP URL for offline CAs.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, January 18, 2012 9:13 PM
  • Let me clarify that the CDP is where the CA wants you to find its CRLs, and the AIA is where the CA wants you to find its own info, i.e. its cert. Therefore if you don't have the RootCA's cert installed on the client, the client is going to attempt to look for it by what is written in the AIA field. The CRL for the issuing CA certs will be needed also, to check the revocation status of those issuing CAs.

    Therefore if your RootCA is offline, it is important that the AIA field on the certificates it created contains where the RootCA's cert can be obtained: an accessible URL. So if using the OCSP feature, it is just as good to have the URL on the RootCA's created certs (for CDP and for AIA).

    Wednesday, January 18, 2012 9:21 PM
  • > Therefore if your RootCA is offline, it is important that the AIA field on the certificates it created contains where the RootCA's cert can be obtained: an accessible URL.

    It is, obviously :)

    > So if using the OCSP feature, it is just as good to have the URL on the RootCA's created certs (for CDP and for AIA).

    Still don't understand this. Offline CAs should publish URLs for the Certification Authority Issuer method only, and OCSP URLs here are useless.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, January 18, 2012 9:27 PM
  • Vadims,

    The OCSP feature is for revocation status checks. If the Offline-CA issues certificates, the client will need to check the revocation status of those certs. Therefore the Offline-CA must publish its CRL to an accessible location (whether Offline-Root or not-Root). The OCSP feature really speaks mainly to the CDP's URL. I hope we both agree on that.

    Concerning the offline-RootCA, the above still holds, since the RootCA issues subordinate CA certs that must also be checked for revocation status. Therefore it is necessary for the RootCA (offline or not) to publish the CRL to somewhere accessible. Hence the CDP should contain the URL for the responder.

    As for the AIA, I will conveniently locate the offline CA's cert in the same place where the CRL is located for easy access, therefore I will preferably put the same URL (of the responder) in the Offline-CA's issued certs' AIA field.

    Wednesday, January 18, 2012 9:49 PM
  • Hey Guys,

    I know this post is old, but we are getting ready to stand up a new CA chain. In our existing chain we did not define our responder URL in our Offline Root CA AIA path, but did on our online issuing CAs.

    As I research, even now there still seems to be a lot of back and forth on whether you should or should not define it for the offline root.

    I am curious on what your thoughts are now?


    Bryan.oreilly@paccar.com

    Tuesday, September 20, 2016 10:25 PM
  • Still the same:

    - Root CA certificate: No AIA or CDP

    - Root CA issued certificate: AIA and CDP, no OCSP URI in the AIA extension

    - Subordinate CA issued certificate: AIA, CDP, and OCSP URI in the AIA extension

    Brian

    Wednesday, September 21, 2016 3:04 PM
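The layout Brian summarises above, expressed as an added example (not code from the thread or from Microsoft) using the ADCSAdministration cmdlets. The host names pki.example.com and ocsp.example.com are placeholders, the angle-bracket tokens are the same substitution variables the CA console shows (`<CaName>` and so on), and the audit function is a hypothetical helper.

```powershell
# Added example, not from the thread. Implements Brian's summary above with the
# ADCSAdministration module (Windows Server 2012 and later). The hosts
# pki.example.com and ocsp.example.com are placeholders for your own servers.
Import-Module ADCSAdministration

# Shared part: both CAs publish their CRL locally, point CDP and AIA at HTTP only,
# and drop the ldap:// and file:// entries the setup wizard adds by default.
function Set-HttpOnlyPublication {
    param([string]$WebBase = 'http://pki.example.com/CDP')
    Get-CACrlDistributionPoint       | Remove-CACrlDistributionPoint       -Force
    Get-CAAuthorityInformationAccess | Remove-CAAuthorityInformationAccess -Force
    # Local path: where certsvc writes the CRL on publish (copy it to the web host by hand on an offline root).
    Add-CACrlDistributionPoint -Uri 'C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' -PublishToServer -Force
    # HTTP path: what actually goes into the CDP extension of issued certificates.
    Add-CACrlDistributionPoint -Uri "$WebBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" -AddToCertificateCdp -Force
    # AIA: where relying parties fetch this CA's own certificate (Certification Authority Issuer method).
    Add-CAAuthorityInformationAccess -Uri "$WebBase/<ServerDNSName>_<CaName><CertificateName>.crt" -AddToCertificateAia -Force
}

# Offline root: stop here. Its only subjects are subordinate CAs, so no OCSP URI.
function Set-OfflineRootPublication { Set-HttpOnlyPublication }

# Issuing CA: same, plus the responder URI in the OCSP extension of end-entity certs.
function Set-IssuingCaPublication {
    Set-HttpOnlyPublication
    Add-CAAuthorityInformationAccess -Uri 'http://ocsp.example.com/ocsp' -AddToCertificateOcsp -Force
}

# Audit (hypothetical helper): $true when the AIA config matches the CA's declared role.
function Test-OcspPlacement {
    param([switch]$OfflineRoot)
    $ocsp = @(Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateOcsp })
    if ($OfflineRoot -and $ocsp.Count -gt 0) {
        Write-Warning "Offline root carries an OCSP URI in issued certs: $($ocsp.Uri -join ', ')"
        return $false
    }
    if (-not $OfflineRoot -and $ocsp.Count -eq 0) {
        Write-Warning 'Issuing CA has no OCSP URI; end-entity certs will fall back to CRL checking only'
        return $false
    }
    return $true
}

# Example run on an issuing CA; these registry values are read when certsvc starts.
Set-IssuingCaPublication
Restart-Service certsvc
Test-OcspPlacement
```

The first line of Brian's list (the root CA's own self-signed certificate carrying no AIA or CDP at all) is not set by these cmdlets but at install time through CAPolicy.inf, with `Empty=True` under its `[CRLDistributionPoint]` and `[AuthorityInformationAccess]` sections. After the restart, `certutil -verify -urlfetch` against a freshly issued certificate shows which CDP, AIA and OCSP URLs it actually carries and whether each one resolves.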