How can I use OCSP for Smart Card Logon Certificate Revocation under Windows 7?


I've set up a two-tier PKI in my lab as described in and in the book by Brian Komar. Additionally, I've added the OCSP role to the subordinate CA. Now my environment consists of:

1 DC W2K8 Ent
1 RootCA W2K8 Ent
1 SubCA W2K8 Ent
1 Client W7 Prof

I am able to log on to my domain with a smart card. When I try to revoke the certificate, then publish the CRL and afterwards refresh the OCSP revocation status, I'm still able to log on to the domain with the smart card. What I find very interesting is that when I export the public key of my logon certificate and then run certutil -URL <certfile>.cer, I receive the information that my certificate is revoked. The only way I was able to get the "certificate is revoked" information was to flush the cache on the DC and on the client. I also tried setting the proxy cache to 0, but the result is still the same.

Has anybody been able to use OCSP for Smart Card Logon?

Any help is appreciated.

Paranormastic, Cryptographic Engineer
You are validating against a cached OCSP response.  An OCSP response is normally set to expire when the CRL would expire, in the Microsoft world at least.

To flush the OCSP cache:
certutil -urlcache ocsp delete

Test again, if still failing, then flush the CRL cache:
certutil -urlcache crl delete


So if I understood correctly: even if I publish a new CRL and refresh the OCSP revocation data, I always need to flush the cache on the DC? So what would be the benefit over a CRL? Is there a way to do this automatically, or is OCSP not the real deal for the revocation of smart card certificates?
Paranormastic, Cryptographic Engineer
Flush the cache on the client...

The main benefit of OCSP vs. CRL is that it is a smaller response than a CRL file.

Also, keep in mind this is in the MS world.  Other OCSP products behave differently and tend to be real-time against the CA database instead of 'real time checking' against the current CRL.  They will tend to be more configurable in order to set the cache timeout.  Also, some clients can manually set the timeout period (e.g. Firefox) for CRL or OCSP responses.  This is what the commercial CAs do, so the OCSP response will refresh say every 15 minutes or once per hour, while the CRL will be valid for a couple of days.
Paranormastic, Cryptographic Engineer
The only thing I can think of is if you create a service to run that command once every hour or however long you want, then deploy that to your clients.

Also understand that smartcard logon on a laptop that is disconnected will use the cached logon indefinitely, so once logged in they will still be able to log in after the client has disconnected from the network since there cannot be any revocation checking if they aren't connected to the LAN.
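The suggestion above (a job that runs the cache flush on a schedule and is pushed to the machines doing the revocation check) as a worked example. This is an added script, not code from the thread; it uses only schtasks.exe and certutil.exe, which ship with Windows 7 and Server 2008. The task name, the 15-minute interval and the check for the string CRYPT_E_REVOKED in certutil's output are my own assumptions for illustration. Note that flushing the local cache only helps once the OCSP responder itself has picked up the new CRL, so refresh the responder's revocation configuration first, as the question already does.

```powershell
# Added example (not from the original thread): automate the cache flush that
# the answers above perform by hand, so a newly revoked smart card certificate
# is rejected without an administrator running certutil on every machine.
# Assumptions: run from an elevated prompt on the DC (and on clients if you also
# want the KDC certificate re-checked); task name and interval are arbitrary.

$TaskName        = 'FlushRevocationCache'   # hypothetical task name
$IntervalMinutes = 15                        # how often cached responses are discarded

# The two deletes empty the on-disk CryptnetUrlCache of the account the task runs
# as. The chain-resync timestamp additionally tells chain engines that are already
# running (for example inside lsass.exe, which validates logon certificates) to
# drop their in-memory CRL and OCSP results instead of waiting for expiry.
$FlushCommands = @(
    'certutil -urlcache ocsp delete',
    'certutil -urlcache crl delete',
    'certutil -setreg chain\ChainCacheResyncFiletime @now'
)

function Install-FlushTask {
    # Run as SYSTEM: the KDC on the DC (and the Kerberos client on a workstation)
    # performs revocation checking from lsass.exe, so the cache that matters is
    # the LocalSystem one, not the cache of the interactively logged-on user.
    $cmdLine = 'cmd /c ' + ($FlushCommands -join ' & ')
    & schtasks.exe /Create /F /TN $TaskName /SC MINUTE /MO $IntervalMinutes `
        /RU SYSTEM /TR $cmdLine
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks /Create failed with exit code $LASTEXITCODE"
    }
}

function Remove-FlushTask {
    & schtasks.exe /Delete /F /TN $TaskName
}

function Test-CertificateRevoked {
    # Re-check one exported logon certificate the way the question does, but
    # without the certutil -URL dialog: -verify -urlfetch builds the chain and
    # fetches CRL/OCSP data from the AIA/CDP/OCSP URLs in the certificate.
    # Returns $true when certutil reports CRYPT_E_REVOKED (assumption about the
    # exact text certutil prints; adjust the pattern if your build differs).
    param([Parameter(Mandatory = $true)][string]$CerPath)

    if (-not (Test-Path -LiteralPath $CerPath)) {
        throw "Certificate file not found: $CerPath"
    }
    $output = & certutil.exe -verify -urlfetch $CerPath 2>&1 | Out-String
    return ($output -match 'CRYPT_E_REVOKED')
}

# Usage (elevated prompt):
#   Install-FlushTask
#   Test-CertificateRevoked -CerPath 'C:\temp\logon.cer'
#   Remove-FlushTask
```

Run Install-FlushTask on the DC first, since that is where the KDC validates the user's logon certificate; the same task on workstations only affects how they validate the DC's own certificate. After the next flush, Test-CertificateRevoked against the exported .cer should agree with what the KDC sees, because both now fetch a fresh OCSP response rather than serving the cached one.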
