Windows 2008 OCSP incompatible with Cisco IOS

    Question

  • Hi,

    Have done a fair bit of testing with Windows Server 2008 RC0 Certificate Services, including using the in-built OCSP responder. As it currently stands, the OCSP responder does not interact properly with all recent versions of Cisco IOS.

    When the router uses OCSP to check another router's certificate, AND the OCSP server returns a response of "successful", the router rejects the response due to invalid BER encoding.

    I raised a message with the Cisco TAC and they say it's because the id-pkix-ocsp-nocheck extension in the OCSP responder's certificate is set to a zero-length value. According to the RFC it should actually be set to the ASN.1 value of NULL.

    Anyway, just wondering if anyone else has experienced this problem?

    Does anyone know if it's possible to modify the value of the nocheck extension, or if it's possible to remove it?

    Thanks.


    PAUL G.

    Tuesday, December 11, 2007 12:54 AM
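As an added illustration of the encoding point raised in the question (this is not code from the thread or from Microsoft/Cisco), the following pure-stdlib parser takes one DER-encoded X.509 Extension and reports whether an id-pkix-ocsp-nocheck extnValue carries the ASN.1 NULL the RFC requires (bytes 05 00) or the zero-length value the question describes. The two sample extension encodings are constructed by hand; they are not captured from a real responder certificate.

```python
# Added example: classify the id-pkix-ocsp-nocheck extension encoding.
# Sample bytes below are constructed, not taken from a Windows 2008 certificate.

OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.1.5"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV at buf[pos]; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_nocheck_extension(ext_der):
    """Parse one Extension SEQUENCE; return 'null', 'empty', 'other' or 'not-nocheck'."""
    tag, body, _ = _read_tlv(ext_der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid_raw, pos = _read_tlv(body, 0)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    if _decode_oid(oid_raw) != OCSP_NOCHECK_OID:
        return "not-nocheck"
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:                         # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = _read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    if value == b"\x05\x00":
        return "null"                       # RFC form: ASN.1 NULL wrapped in the OCTET STRING
    if value == b"":
        return "empty"                      # zero-length value described in the question
    return "other"

# Constructed samples. OID 1.3.6.1.5.5.7.48.1.5 encodes as 2B 06 01 05 05 07 30 01 05.
NOCHECK_OID_DER = bytes.fromhex("06092b0601050507300105")
RFC_NOCHECK_EXT = b"\x30\x0f" + NOCHECK_OID_DER + b"\x04\x02\x05\x00"   # extnValue = NULL
EMPTY_NOCHECK_EXT = b"\x30\x0d" + NOCHECK_OID_DER + b"\x04\x00"         # extnValue empty
```

Run `classify_nocheck_extension()` over each extension of the responder's signing certificate (the extensions are the elements of the SEQUENCE in TBSCertificate) to confirm which form a CA emits.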

Answers

  • FYI, for anyone who is experiencing this same problem, Microsoft has finally released a hotfix for it:

    http://support.microsoft.com/kb/960549

    Apply this hotfix to the CA that issues the signing certificate to the OCSP responder. I have tested it and it works.

    Regards,

    PAUL G.
    • Proposed as answer by Shems Friday, June 12, 2009 1:39 PM
    • Marked as answer by Paul-Gordon Sunday, June 14, 2009 11:21 PM
    Wednesday, December 24, 2008 1:20 AM

All replies

  • Paul,

      I have reported this to the development team responsible for our OCSP component and they are looking into it. In the meantime you can remove the extension using the following procedure:

    Certutil -setreg policy\DisableExtensionList +1.3.6.1.5.5.7.48.1.5

    Net stop certsvc & net start certsvc

    Thanks,

    -Steve

    Tuesday, January 15, 2008 7:06 AM
  • Hi Steve,

    Thought I would update you about this problem.

    I am now using the RTM version of Windows Server 2008 Enterprise and am running the latest versions of Cisco IOS.

    The above problem is still occurring.

    Also, if I disable the extension as you suggested above, it causes problems on the Cisco routers.

    Has there been any word from the development team on this issue? Is there any patch available for Windows 2008 that will fix this behaviour, or at least allow the value of the id-pkix-ocsp-nocheck extension to be modified?

    Thanks.

    PAUL G.
    Wednesday, August 06, 2008 4:03 AM