
The certificates as given below:

Root-CA -> Intermediate-CA -> Server

If I revoke the Intermediate-CA from the Root-CA, then the Server's certificate will automatically be revoked along with the Intermediate-CA. Now, after revoking the Intermediate-CA, the Firefox browser shows that the Intermediate-CA is still valid.

In Intermediate-CA certificate:

crlDistributionPoints = URI:http://www.example.com/pki/root-ca.crl
OCSP;URI = http://www.example.com:1212

The OCSP responder runs in the terminal, but no requests come in to that OCSP URI. Only the Server's OCSP URI gets requests.

How can I configure things so that, if the Intermediate-CA is revoked by the Root-CA, the Firefox browser can identify that the Intermediate-CA was revoked and that the Server is also revoked?

soup

1 Answer


It seems that you can't. From Firefox's wiki:

Revocation Processing for Intermediate CA Certificates

The relatively small number and low revocation frequency of CA certificates means that mechanisms that deliver a complete set of revoked certificates to Firefox are practical. However, due to the problems listed above, Firefox never attempts to download CRLs to the client. OCSP is also not used by Firefox to validate CA certificates.

Firefox uses a concept called OneCRL, similar to Google's CRLSets, which it uses for revocation checking of intermediate CAs.

garethTheRed
  • Is there any benefit of `OCSP Must-staple`? – soup Aug 22 '22 at 18:26
  • None at all in this context. Firefox doesn't use OCSP to validate CA certs, so stapling them won't help. Look under Multi-staple in the wiki linked in my answer. – garethTheRed Aug 22 '22 at 20:45
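To see the difference between a leaf-only revocation check and the full-chain check the answer says Firefox does not perform for CA certificates, here is an added shell example (written for this page; it is not code from the question, the answer, or Firefox). It builds a throw-away Root-CA -> Intermediate-CA -> Server chain with the openssl CLI, revokes the Intermediate-CA on the Root-CA's CRL, and verifies the Server certificate both ways. It assumes only that openssl is installed; the CRL distribution point URI is copied from the question and is never fetched.

```shell
#!/bin/sh
# Throw-away Root-CA -> Intermediate-CA -> Server chain: revoke the Intermediate-CA
# on the Root-CA's CRL, then compare a leaf-only CRL check with a full-chain check.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# $1 = file basename, $2 = CN.  Key and CSR only; signing happens in build_chain.
new_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # The Intermediate-CA also carries the CRL distribution point from the question
    printf 'basicConstraints=critical,CA:TRUE\n' > int.ext
    printf 'crlDistributionPoints=URI:http://www.example.com/pki/root-ca.crl\n' >> int.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    new_key_csr root Root-CA
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.crt 2>/dev/null
    new_key_csr int Intermediate-CA
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile int.ext -out int.crt 2>/dev/null
    new_key_csr server www.example.com
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out server.crt 2>/dev/null
}
# Issue a CRL for CA "$1", first revoking certificate "$2" if one is given.
# The minimal 'openssl ca' config holds only what -revoke and -gencrl need.
issue_crl() {
    : > "$1.idx"; echo 01 > "$1.num"
    printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\ncrlnumber=%s.num\n' "$1" "$1" > "$1.cnf"
    printf 'certificate=%s.crt\nprivate_key=%s.key\ndefault_md=sha256\ndefault_crl_days=7\n' \
        "$1" "$1" >> "$1.cnf"
    [ -z "$2" ] || openssl ca -config "$1.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}
# Prints "ok" or "revoked".  $1 is -crl_check (leaf only) or -crl_check_all (whole chain).
verify_chain() {
    if openssl verify "$1" -CAfile root.crt -CRLfile all.crl -untrusted int.crt \
            server.crt >/dev/null 2>&1; then echo ok; else echo revoked; fi
}

build_chain
issue_crl int ""        # empty CRL so the leaf-only check has a CRL to consult
issue_crl root int.crt  # the Root-CA revokes the Intermediate-CA
cat root.crl int.crl > all.crl
echo "leaf-only CRL check:  $(verify_chain -crl_check)"        # ok
echo "full-chain CRL check: $(verify_chain -crl_check_all)"    # revoked
```

The leaf-only run passes because the Server certificate itself is not on any CRL; only `-crl_check_all`, which consults the Root-CA's CRL for the Intermediate-CA, rejects the chain.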