I’ve set up a two-tier PKI in my lab as described in http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
and in the book by Brian Komar. Additionally I’ve added the OCSP role to the Subordinate CA. Now my environment consists of:
1 DC W2K8 Ent
1 RootCA W2K8 Ent
1 SubCA W2K8 Ent
1 Client W7 Prof
I am able to log on to my domain with a smart card. When I try to revoke the certificate, then publish the CRL and afterwards refresh the OCSP revocation status, I’m still able to log on to the domain with the smart card. What I find very interesting is that when I export the public key of my logon certificate and then run certutil -URL <certfile>.cer, I receive the information that my certificate is revoked. The only way I was able to get the "certificate is revoked" information was to flush the cache on the DC and on the client. I also tried to set the Proxy Cache to 0, but the result is still the same.
Has anybody been able to use OCSP for Smart Card Logon?
Any help is appreciated.
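As an added illustration (not part of the original post), the following PowerShell script shows the flush-and-recheck step described above in a repeatable form: it drops the machine's cached CRL/OCSP responses, invalidates the CryptoAPI chain cache, then rebuilds the chain for the exported logon certificate with a fresh URL fetch and reports whether the revocation is now visible. The certificate path is a placeholder, and the script assumes it is run elevated in the same account whose cache is being checked (on the DC the KDC runs as LocalSystem, so a flush done from an admin logon there does not clear the KDC's own cache).

```powershell
# Added example, not code from the original post.
# Requires an elevated prompt; certutil is part of Windows.
function Test-LogonCertRevocation {
    param(
        # Placeholder path: the exported public key of the smart card logon certificate.
        [string]$CertFile = 'C:\temp\logon.cer'
    )

    if (-not (Test-Path $CertFile)) {
        throw "Certificate file not found: $CertFile"
    }

    # 1. Drop the CRL and OCSP responses CryptoAPI cached for this account.
    #    Caches are per account, so run this where the check actually happens.
    certutil -urlcache crl  delete | Out-Null
    certutil -urlcache ocsp delete | Out-Null

    # 2. Mark the chain cache as stale so the next chain build refetches
    #    revocation data instead of reusing the previously built chain.
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null

    # 3. Rebuild the chain with a fresh download of AIA/CDP/OCSP URLs.
    $output = certutil -verify -urlfetch $CertFile 2>&1 | Out-String

    # 4. CRYPT_E_REVOKED (0x80092010) or the word REVOKED in the output means
    #    the revocation was seen; anything else means the cache or the
    #    responder is still serving the old status. -match is case-insensitive.
    $revoked = $output -match '0x80092010|CRYPT_E_REVOKED|REVOKED'

    [pscustomobject]@{
        CertFile = $CertFile
        Revoked  = $revoked
        Checked  = Get-Date
    }
}

# Example run: prints a one-line verdict for the exported certificate.
Test-LogonCertRevocation -CertFile 'C:\temp\logon.cer' | Format-List
```

Run it on the client and on the DC after revoking and publishing; if Revoked is False on the DC while certutil -URL reports the certificate as revoked, the KDC is still consuming a cached chain or OCSP response rather than the newly published status.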