0

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via a MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web browser (on Android) that requires a client certificate.

We are installing a separate Windows Server 2019 instance with the Microsoft OCSP Responder role to validate/verify that the client certificates presented to the Apache web server are valid. Apache has several directives to handle OCSP validation. We'd also like to validate the certificates in PHP for further security.

From my research reading several RFCs and Microsoft technical documents, it seeems like the Microsoft OCSP Responder validates certificates by referencing against a CRL for revocation status.

How does the Microsoft OCSP Responder validate certificates if they have been deleted from the CA instead of revoked? If deleted and not revoked, they will not show up in the CRL.

Am I missing something here? Will the Microsoft OCSP Responder validate the serial number against the CA database as well as its revocation status?

user2140583
  • 3
  • 1

1 Answers1

1

Will the Microsoft OCSP Responder validate the serial number against the CA database as well as its revocation status?

by default, Microsoft OCSP will report such serial number as "Good". Starting with Windows Server 2008 R2, a deterministic OCSP response functionality is added to Microsoft OCSP. In short, CA publish all serial numbers of ever issued certificates and OCSP is configured to look into this directory as well. New behavior does the following:

  • if serial number does not exist in the folder, OCSP responds with UNKNOWN status. This means that requested serial number was never issued by CA
  • if serial number exist in the folder, a CRL is checked
  • if serial is listed in CRL, respond with REVOKED status and respond with GOOD otherwise.

More details on Microsoft KB: The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL

The KB contains a script which dumps all serial numbers of issued certificates into configured folder. However the script is a bit flawed. It exports only serials that exist in CA database at script execution time. CA database is maintained and old entries are deleted to prevent CA database overgrow. This will lead to false-positive UNKNOWN status on deleted certs although the cert was issued and exist somewhere in the wild. I prefer to keep everything issued regardless of CA maintenance and respond with GOOD even if cert was deleted from CA. To address this flaw, I would recommend to remove these lines from the script:

dir | foreach {
    remove-item $_ -force
}

this will keep serial numbers that no longer exist on CA between script runs.

Crypt32
  • 6,639
  • 1
  • 15
  • 33