Publishing OCSP to external network

  • Question

  • Hi All,

    We have an OCSP server and a few thousand users are using the OCSP URL for internal certificate validation. Now we are planning to publish the OCSP for external access. Our OCSP URL is http://pki.companyname.net/ocsp. Due to security concerns the internal OCSP URL can't be used externally.

    The DMZ network FQDN is servername.external-companyname.net. Can we create a DNS alias for the public IP that is going to be used for external access? If that works, we can use the same URL for the existing 10000+ user certificates, and external users can access it as well.

    Is there any other easy approach we can follow without affecting the existing users and the existing URL?

    Thanks and Regards,

    Hariharan

    Monday, February 13, 2017 3:53 PM

Answers

  • Hi,

    According to your description, you want to deploy it like this (please let me know if I misunderstood):

    In this case, after you create the external DNS record, you need to forward requests to http://servername.external-companyname.net/ocsp to the internal server that hosts the OCSP service, http://pki.companyname.net/ocsp, and open TCP port 80 on both sides.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by hariharanss Tuesday, February 14, 2017 10:21 AM
    Tuesday, February 14, 2017 6:35 AM

All replies

  • Thanks Cartman!!!

    In this case, do we need two OCSP URLs in the certificates?

    Internal users ---->http://pki.companyname.net/ocsp .

    External users --->http://servername.external-companyname.net/ocsp 

        (or)

    Can we create a CNAME on the external server servername.external-companyname.net that points to the internal OCSP server pki.companyname.net/ocsp, and have an IIS reverse proxy reroute it to the OCSP server?

    Thanks and Regards,

    Hariharan

    Tuesday, February 14, 2017 7:50 AM
  • Hi,

    I prefer to use a DNS CNAME record. But I'd suggest testing in a lab environment before you deploy it.


    Best Regards
    Cartman

    Tuesday, February 14, 2017 8:30 AM
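The forwarding step from Cartman's answer, implemented as the IIS reverse proxy Hariharan asks about, as an added example that is not from the thread. It assumes the DMZ IIS site is bound to servername.external-companyname.net on port 80 and has the URL Rewrite and ARR modules installed with ARR's proxy feature enabled; the host names come from the thread, the rule name and pattern are my own.

```xml
<!-- web.config of the DMZ IIS site bound to servername.external-companyname.net:80.
     Assumes URL Rewrite + ARR are installed and ARR's proxy setting is enabled. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward only the /ocsp path. Every other request on this site is left
             alone, so the proxy does not expose the rest of the internal PKI host. -->
        <rule name="Proxy OCSP to internal responder" stopProcessing="true">
          <match url="^ocsp(/.*)?$" />
          <!-- {R:1} keeps the remainder of the path, which carries the base64-encoded
               request when a client uses OCSP over HTTP GET; POST requests
               (Content-Type application/ocsp-request) are forwarded unchanged. -->
          <action type="Rewrite" url="http://pki.companyname.net/ocsp{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

When testing this in a lab, a request to the external URL should come back with Content-Type application/ocsp-response; an HTML error page instead means ARR is not proxying or the internal responder is unreachable on TCP 80.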