Implementing OCSP URL at client

  • Question

  • Hi All,
    I would have to instruct the client to use the OCSP URL specified by the client itself for revocation checks, overriding the AIA information obtained from the server certificate. Is there any API which I could use for this purpose? Hope my query is clear.

    Thanks.

    Wednesday, November 9, 2011 10:17 AM

Answers

  • You can do this with the domain joined machines through GPO, but your machine is not domain joined.

    Therefore, as I stated earlier, you would have to configure *every* client on its own.

    As I stated previously:

    The users would have to:

    1) Successfully import a certificate into the intermediate store:   certutil -addstore CA Yourca.Crt

    2) Correctly add an OCSP URL. This is done by viewing the properties of the certificate in the Intermediate CAs store in the Certmgr.msc console, clicking the OCSP tab, and then adding the URL.

    3) Potentially break all revocation checking for that cert, if they import, or worse yet type, the URL wrong.


    Even so, it would not ignore the OCSP responder in the AIA extension. If the typed URL did not work, the next URL to be tried would be the OCSP URL(s) in the AIA extension, and then the CDP URLs in the CDP extension.

    Brian

    • Proposed as answer by Brian Komar [MVP] Thursday, November 10, 2011 3:47 AM
    • Marked as answer by Bruce-Liu Tuesday, November 29, 2011 3:50 PM
    Thursday, November 10, 2011 3:47 AM
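    The procedure above with its step-3 failure mode made visible: an added PowerShell example, not code from the thread or from Microsoft. It automates step 1 with the same certutil command, then builds the chain with online revocation checking so you can tell a mistyped OCSP URL (status unknown, offline) apart from a genuinely revoked certificate. $CaCertPath and $LeafCertPath are placeholder parameters; the OCSP URL itself still has to be entered by hand on the certificate's OCSP tab in certmgr.msc, because this script does not set that property.

```powershell
# Added example (not from the thread). Assumes two placeholder file paths:
#   $CaCertPath   - the intermediate CA certificate to import (thread's "Yourca.Crt")
#   $LeafCertPath - a certificate issued by that CA, used to exercise revocation checking
param(
    [Parameter(Mandatory = $true)][string]$CaCertPath,
    [Parameter(Mandatory = $true)][string]$LeafCertPath
)

# Step 1 of the procedure: import the CA certificate into the current user's
# Intermediate Certification Authorities ("CA") store, exactly as in the thread.
& certutil.exe -addstore CA $CaCertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Step 3 check: build the chain with online revocation checking of the end
# certificate only, which is what the client's own CertGetCertificateChain()
# call with the end-cert revocation flag does under the hood.
$ns    = 'System.Security.Cryptography.X509Certificates'
$leaf  = New-Object "$ns.X509Certificate2" $LeafCertPath
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$built = $chain.Build($leaf)

# These statuses mean "revocation could not be checked at all" (for example a
# mistyped OCSP URL with no reachable AIA/CDP fallback); "Revoked" means the
# check worked and the certificate really is revoked. Treat both as failures,
# but report them differently so the operator knows which one to fix.
$cannotCheck = @('RevocationStatusUnknown', 'OfflineRevocation')
foreach ($s in $chain.ChainStatus) {
    $label = if ($cannotCheck -contains $s.Status.ToString()) { 'REVOCATION-CHECK-BROKEN' } else { $s.Status }
    '{0,-24} {1}' -f $label, $s.StatusInformation.Trim()
}
if ($built) { 'Chain built; revocation status of the end certificate was determined.' }

# To see which URLs the client actually tried, and in what order (the
# OCSP URL(s) from the AIA extension, then the CRL URLs from the CDP
# extension, as Brian describes), run certutil's verbose verification.
& certutil.exe -verify -urlfetch $LeafCertPath
```

The certutil output at the end is the quickest way to confirm whether the locally configured URL was used before the AIA ones or whether the client fell back to them.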

All replies

  • On Wed, 9 Nov 2011 10:17:00 +0000, RS_Client wrote:

    I would have to instruct the client to use the OCSP URL specified by the client itself for revocation checks, overriding the AIA information obtained from the server certificate. Is there any API which I could use for this purpose? Hope my query is clear.

    Is this a custom application that you're creating or have created?

    Why not just get the URL correct in the first place?


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    A list is only as strong as its weakest link.  -- Don Knuth

    Wednesday, November 9, 2011 10:49 AM
  • Hi Paul,


    We have a setup created and working; here the client uses the CertGetCertificateChain() API to retrieve the OCSP URL from the server certificate and then get the revocation status of the server certificate.

    But now I have to implement OCSP for clients in a small closed environment, in such a way that the client would be able to contact the OCSP Responder based on a URL provided at the client side and not from the AIA field of the server certificate.
    I want to know if there are APIs that would be helpful for this. Any pointers to achieve this would be helpful.

    Thanks.



    Thanks!
    Wednesday, November 9, 2011 11:14 AM
  • Are the clients:

    - Running Vista or Windows 7

    - Domain members

    If yes to both, you could use GPO to push down the CA(s) that you wish to use OCSP, and provide the URL of the OCSP server you wish to use.

    The Group Policy URL is used prior to any information in the certificate (OCSP URLs in the AIA or CRL URLs in the CDP).

    Brian

    Wednesday, November 9, 2011 12:00 PM
  • Hi Brian,


    The clients are running Windows 7 Enterprise, but are not domain members. GPedit is disabled at the client side.
    Also, I would not be allowed to make any server changes (i.e., GPO changes on the CA/OCSP Responder).


    Thanks!
    Wednesday, November 9, 2011 12:23 PM
  • What you really need to do is have someone fix your PKI.

    The AIA should have an OCSP URL that is both internally and externally globally available.

    If you meet this requirement, then everything will work.

    Sorry to be harsh, but you are looking for workarounds rather than fixing the problem at hand.

    The clients could manually import the certificate into the Intermediate store. In the properties of the certificate, on the OCSP tab, you can then manually designate an OCSP URL.

    But, based on your environment, the users would have to:

    1) Successfully import a certificate into the intermediate store

    2) Correctly add an OCSP URL

    3) Potentially break all revocation checking for that cert

    Brian


    Wednesday, November 9, 2011 1:37 PM
  • Hi Brian,

    Thank you for your response.

    I guess my requirement is not very clear. Let me explain.

    I have read about OCSP client implementations where the OCSP Responder can be located by providing a URL at the client side, e.g. Cisco ASA 5500 boxes, OCSP Client Tool, etc. (http://www.ascertia.com/Downloads/manuals/OCSPClientTool-UserGuide.pdf).

    In this case all the OCSP requests from the client side would be forwarded to the responder whose URL is specified by the client, and the URL present in the AIA of the server certificate would be ignored. I am trying to implement something similar on our client side. Is there a possibility for such a design (or any Windows API) on the Windows 7 client side?


    Thanks!
    Thursday, November 10, 2011 3:19 AM
  • To add on, the ability to send an OCSP Request to a pre-configured responder is an alternate mechanism suggested by RFC 2560. To quote from RFC 2560, section 3.1:

       In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the AuthorityInfoAccess extension (defined in [RFC2459], section 4.2.2.1) in certificates that can be checked using OCSP.  Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client.

    To be exact, I would have to implement this alternate behavior mentioned in the RFC on our client.
    Pointers towards this would be helpful.


    Thanks!

    • Edited by RS_Client Thursday, November 10, 2011 3:57 AM
    Thursday, November 10, 2011 3:51 AM
  • Wow.... I have showed you how to do it.... Exactly as you have stated in the clip from the RFC!!!

    Did you even look at the procedure?!?!?!

    Later

    Thursday, November 10, 2011 12:06 PM
  • Hi Brian,

    Thank you for the reply.

    But I need some pointers on how I could do it (use a custom OCSP responder URL provided from the client side) programmatically for our client-side application. I have gone through the APIs CertSetStoreProperty() and CertSetCertificateContextProperty() to modify properties linked to the AIA, but I have not found any flag in these APIs that would be helpful for this requirement.

    Any pointers would be helpful

    Thanks!
    Thursday, November 17, 2011 1:12 PM