OCSP Based Validation for Client Certificates Using Responder Defined by Web Server

  • Question

  • I was wondering if it's possible to configure a Windows 2019 IIS v10 hosted Web Server to perform OCSP checking of client certificates that are used to authenticate?

    It is my understanding that typically the Responder URL that the Web Server contacts in order to validate the client cert is extracted from the AIA attribute in the client certificate. But is it possible to override/supplement this with an additional Responder?

    For instance, what if I set up an OCSP Responder in the same domain as the Web Server and associated its revocation configuration with the SUB CA bound to the IIS Site. Now if client certs come in for authentication and have an unrelated OCSP Responder in their AIA, can I somehow tell the Web Server to also check the aforementioned Responder that has been stood up in the domain?
    Friday, September 4, 2020 6:52 PM

Answers

  • Per a reply from Mark B. Cooper at PKI Solutions this is indeed possible. You must edit the following GPO in order to override the default behaviour of the web server which is to only check the Responder URL specified in the client certificates' AIA extension.

    Default Domain Policy > Computer Configuration >  Policies > Windows Settings > Security Settings > expand Public Key Policies

    Once a custom Responder is specified in the CA / SUB CA's revocation properties, the above GPO will allow it to check that custom Responder URL first, then OCSP as defined in the AIA extension, and then CRLs.

    Thanks Mark!

    EDIT:

    Will post reference links once MS verifies my account.


    Friday, September 4, 2020 7:27 PM
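The answer above describes the configuration (custom responder on the CA certificate's revocation properties, plus the Certificate Path Validation Settings policy under Public Key Policies) but not how to confirm on the web server that the custom responder is actually being consulted first. The script below is an added example for that check; it is not part of the original thread or of any PKI Solutions material. It uses only built-in tooling: `netsh http show sslcert` to confirm HTTP.sys is set to check client certificate revocation at all, `certutil -urlcache * delete` to flush cached CRL/OCSP responses, and `certutil -verify -urlfetch` to build the chain with live URL retrieval. The client certificate path and the responder URL are hypothetical placeholders; substitute your own. Run it in an elevated PowerShell session on the IIS host after `gpupdate /force`.

```powershell
# Added example, not from the original post. Confirms on the IIS host that the
# custom OCSP responder is queried before the responder listed in a client
# certificate's AIA extension.
#
# Assumptions (hypothetical, replace with your own values):
#   - the client certificate to test has been exported (public part only) to $ClientCert
#   - the custom responder configured on the SUB CA certificate is $CustomOcsp

$ClientCert = 'C:\temp\client.cer'
$CustomOcsp = 'https://ocsp.corp.example/ocsp'

# 1. HTTP.sys, not IIS itself, performs client certificate revocation checking for a
#    TLS binding. If 'Verify Client Certificate Revocation' is Disabled for the binding,
#    neither the AIA responder nor the custom one will ever be contacted.
Write-Host '--- HTTP.sys binding revocation settings ---'
netsh http show sslcert |
    Select-String -Pattern 'IP:port|Hostname:port|Verify Client Certificate Revocation|Verify Revocation Using Cached' |
    ForEach-Object { $_.Line.Trim() }

# 2. Flush the cryptnet URL cache so the chain build below reflects a fresh retrieval
#    order rather than a CRL or OCSP response cached by an earlier check.
certutil -urlcache * delete | Out-Null

# 3. Build the chain with URL retrieval. certutil prints each revocation URL it tries,
#    in the order the chain engine consulted them, so the custom responder should
#    appear before the AIA responder once the policy and CA property are in place.
Write-Host "--- Revocation URLs consulted while verifying $ClientCert ---"
$verifyOutput    = certutil -verify -urlfetch $ClientCert 2>&1
$revocationLines = $verifyOutput | Select-String -Pattern 'OCSP|CRL|https?://'
$revocationLines | ForEach-Object { $_.Line.Trim() }

# 4. Extract the URLs in the order they were printed and report where the custom
#    responder landed. Position 1 means it was tried first, as the answer describes.
$urls = @(
    $revocationLines |
        ForEach-Object { [regex]::Matches($_.Line, 'https?://\S+') | ForEach-Object { $_.Value } } |
        Select-Object -Unique
)

if ($urls -contains $CustomOcsp) {
    $position = [array]::IndexOf($urls, $CustomOcsp) + 1
    Write-Host "Custom responder $CustomOcsp was queried (URL $position of $($urls.Count))."
    if ($position -ne 1) {
        Write-Warning 'Custom responder was not consulted first; re-check the CA certificate OCSP property and policy application.'
    }
} else {
    Write-Warning "Custom responder $CustomOcsp never appeared in the chain build. Check gpupdate /force, the CA certificate's revocation properties, and that the policy applies to this server."
}
```

Note that `certutil -verify -urlfetch` exercises the machine's CAPI2 chain engine the same way Schannel does, so its URL order is a faithful indicator of what HTTP.sys will do for an incoming client certificate; the `netsh` check in step 1 is still needed because a binding created without `verifyclientcertrevocation=enable` skips revocation entirely regardless of the policy.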