Solved

PKI infrastructure

Posted on 2013-12-20
3
443 Views
Last Modified: 2013-12-22
Hello Experts,

I do contracting work for a fortune 500 company.  The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.

They have an offline root CA and a bunch of subordinate CAs located globally.   They are using OSCP protocol to "check" the certificate.

My question:

Typically, are the subordinate CA's also talking OSCP to each other?  Or is it that typically the OSCP servers are separate from the sub-CA?

Do the OSCP servers check against an Certificate revocation list or are those two separate products?
0
Comment
Question by:trojan81
  • 2
3 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39732802
1) no, normally each sub-ca is complete in itself; trusting systems will check the oscp revocation status of the cert with the server defined in the cert (usally the same as the sub-ca server) and usually, unless the sub-ca has itself been sent out via group policy, check the sub-ca's revocation against the oscp target of the (offline) root CA as defined in the sub-ca's certificate.  As it is hierarchical, sub-cas never need to talk to each other.

2) A oscp server MAY check a CRL - that is how microsoft currently do it, but some other non-microsoft solutions check a certificate db specific to the sub-ca via LDAP.  the exact mechanism is rarely important except for troubleshooting when it goes wrong :)
0
 

Author Comment

by:trojan81
ID: 39733886
Davehowe,

am I correct to say that typically the sub-ca is also acting as an oscp server?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39733942
Typically, yes. the microsoft solution requires access to the CRL, which is usually a pkcs formatted file stored on a webserver; for convenience, it is handy for that webserver to be on the same physical host as the sub-ca, and for the OSCP server to be on the same physical host too. They don't *have* to be, but it is convenient for setup for them to be so configured.

OSCP is just a query protocol and is *slightly* more bandwidth efficient; unless your CRL is relatively large, or queries are over a really low-bandwidth link, the difference is going to be pretty much down to one or two packets....
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

827 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question