CRL vs OCSP for Smart Card Logon

  • Question

  • Currently I am working on a PKI design for a company with around 5,000 users distributed across branch offices.

    AD Forest on W2003 DCs and XP Clients.

    PKI infrastructure will be on W2008 R2

    Question: Will OCSP be a supported choice for validating the smart card certificates in case of a W2008 DC upgrade?

    Thanks,

    Andrés.



    andresz
    Thursday, January 13, 2011 8:52 PM

All replies

  • OCSP is a supported option on Windows Server 2008 and later. If I remember correctly you must have an Enterprise CA implemented on Windows Server 2008 in your infrastructure. Note that clients before Windows Vista are unaware of OCSP and will only support CRLs to determine the validity of a certificate.

    I also think your AD schema must be version 30 or later (which is independent of the version of the OS you're running). BTW, version 30 comes with Windows Server 2003.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Thursday, January 13, 2011 10:13 PM
  • Thanks Paul,

    My concern is about the smart card logon authentication,

    Is it enough that the DCs will be W2008 in order to use OCSP queries or does the clients also have to be OCSP aware?

    Andrés.


    andresz
    Thursday, January 13, 2011 10:43 PM
  • On Thu, 13 Jan 2011 22:43:29 +0000, andresz wrote:

    My concern is about the smart card logon authentication,

    Is it enough that the DCs will be W2008 in order to use OCSP queries or does the clients also have to be OCSP aware?

    In your original post you stated that you're concerned about being able to
    validate the smart card certificates. This validation is done by the DCs so
    they need to be OCSP aware not the clients. If you're also concerned about
    validating the DC certificates with OCSP then both the clients and the DCs
    need to be OCSP aware.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Want custom ringtones on your Windows Phone 7 device?
    One person's error is another person's data.

    • Proposed as answer by Paul Loonen Friday, January 14, 2011 9:03 AM
    • Marked as answer by andresz Monday, January 17, 2011 2:28 PM
    Friday, January 14, 2011 6:50 AM
  • To be honest, when you implement OCSP URLs in the AIA extension, you should still implement CDP URLs for clients that do not support OCSP.

    In fact, the default behavior for Windows systems (configurable via GPO) is that after a client (for example a DC) performs more than 50 requests to the OCSP responder for certificates issued by a single CA, GPO enforces that the client (DC) should just download the CRL at that point.

    If you have both URLs, the default behavior is to first use OCSP and only to fall back to CRLs if the OCSP server is unavailable or not responding.

    Brian

    • Marked as answer by andresz Monday, January 17, 2011 2:28 PM
    Saturday, January 15, 2011 11:40 PM
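As an added example (not part of the thread, and not Brian's or Paul's own script), the CA-side configuration Brian describes, with both an HTTP CDP and an OCSP URL published in issued certificates, followed by the DC-side check that Paul Adare's answer implies, since it is the DC that validates the smart card certificate. The hostnames, the HTTP and OCSP URLs, and the exported certificate path are assumptions; the registry location of the OCSP-to-CRL switch count is taken from the CryptoAPI chain-engine policy documentation.

```powershell
# Added example, not from the thread. Part 1 runs on the issuing CA, part 2 on a DC.
# Hostnames, the web/OCSP URLs and the exported certificate path are assumptions.

# ---- Part 1: AIA/CDP publication URLs on the issuing CA ----
# certutil -setreg flag bits (documented CSURL_* values):
#   CACertPublicationURLs: 1 = publish CA cert here, 2 = include in AIA extension,
#                          32 = include as OCSP URL in the AIA extension
#   CRLPublicationURLs:    1 = publish CRLs here, 2 = include in CDP extension,
#                          4 = include in CRLs (delta CRL pointer), 64 = publish delta CRLs here
$httpBase = 'http://pki.example.com/CertEnroll'   # assumed HTTP publication point
$ocspUrl  = 'http://ocsp.example.com/ocsp'        # assumed Online Responder URL

# certutil takes a literal "\n" as the separator between URL entries
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'   # local copy of the CA cert
    "2:$httpBase/%1_%3%4.crt"                               # AIA URL in issued certs
    "32:$ocspUrl"                                           # OCSP URL in issued certs
) -join '\n'

$cdpUrls = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'   # 1 + 64: publish base and delta CRLs locally
    "6:$httpBase/%3%8%9.crl"                                # 2 + 4: CDP in certs, delta pointer in CRLs
) -join '\n'

certutil -setreg CA\CACertPublicationURLs $aiaUrls
certutil -setreg CA\CRLPublicationURLs   $cdpUrls
Restart-Service CertSvc   # the new URLs apply to certificates issued from now on

# ---- Part 2: on a DC, see which revocation source is used for a logon cert ----
# The DC, not the XP client, validates the smart card certificate, so this is
# where OCSP vs CRL is decided. Export the user's certificate first (for example
# from the userCertificate attribute or from the card) to the assumed path below.
$certFile = 'C:\temp\user-logon.cer'

# -urlfetch makes certutil actually retrieve the AIA, CDP and OCSP URLs and
# report each one, for example:
#   Verified "OCSP" Time: 0               Verified "Base CRL (12)" Time: 0
#   Failed "OCSP" Time: 0                 Expired "Base CRL (12)" Time: 0
$report = certutil -verify -urlfetch $certFile 2>&1 | Out-String
$report -split "`r?`n" |
    Where-Object { $_ -match '^\s*(Verified|Failed|Expired)\s+"(OCSP|Base CRL|Delta CRL|Certificate)' } |
    ForEach-Object { $_.Trim() }

# Default CryptoAPI behavior: prefer OCSP, fall back to the CRL when the responder
# is unavailable, and switch to the CRL after a configurable number (default 50)
# of OCSP lookups for certificates from the same CA. The chain-engine policy value
# is CryptnetCachedOcspSwitchToCrlCount; when it is absent the default applies.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$switch = (Get-ItemProperty -Path $policy -Name CryptnetCachedOcspSwitchToCrlCount `
           -ErrorAction SilentlyContinue).CryptnetCachedOcspSwitchToCrlCount
if ($null -eq $switch) { $switch = 50 }
"OCSP-to-CRL switch threshold: $switch lookups per CA"
```

Run part 2 on the DC that performs the logon, not on the XP client: with both URLs published, the report should show an OCSP line for the user certificate and a Base CRL line that the DC can also reach, which is the fallback path Brian describes. A DC that only ever shows CRL lines either has no OCSP URL in the certificate (issued before the CA change) or cannot reach the responder.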
  • Thanks Paul and Brian.

    Your responses were very clear.

    Andrés


    andresz
    Monday, January 17, 2011 2:32 PM
  • Is it a good practice to use the same CA for smart card logon and EFS based on the configuration described above, using OCSP? Or should I use another CA without OCSP?

    Thanks for your help.

    Andrés.


    andresz
    Tuesday, January 18, 2011 3:20 PM
  • I would deploy all issuing CAs with OCSP as one of the revocation options.

    Remember that if a client cannot use OCSP, it will fall back to using CRLs for revocation checking.

    Why eliminate one of the revocation checking options?

    Brian

    • Proposed as answer by Brian Komar [MVP] Wednesday, January 19, 2011 4:32 PM
    • Marked as answer by andresz Wednesday, January 19, 2011 8:19 PM
    Wednesday, January 19, 2011 4:30 PM