PKI infrastructure

Hello Experts,

I do contracting work for a fortune 500 company.  The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.

They have an offline root CA and a bunch of subordinate CAs located globally.   They are using OSCP protocol to "check" the certificate.

My question:

Typically, are the subordinate CA's also talking OSCP to each other?  Or is it that typically the OSCP servers are separate from the sub-CA?

Do the OSCP servers check against an Certificate revocation list or are those two separate products?
trojan81Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
Typically, yes. the microsoft solution requires access to the CRL, which is usually a pkcs formatted file stored on a webserver; for convenience, it is handy for that webserver to be on the same physical host as the sub-ca, and for the OSCP server to be on the same physical host too. They don't *have* to be, but it is convenient for setup for them to be so configured.

OSCP is just a query protocol and is *slightly* more bandwidth efficient; unless your CRL is relatively large, or queries are over a really low-bandwidth link, the difference is going to be pretty much down to one or two packets....
0
 
Dave HoweSoftware and Hardware EngineerCommented:
1) no, normally each sub-ca is complete in itself; trusting systems will check the oscp revocation status of the cert with the server defined in the cert (usally the same as the sub-ca server) and usually, unless the sub-ca has itself been sent out via group policy, check the sub-ca's revocation against the oscp target of the (offline) root CA as defined in the sub-ca's certificate.  As it is hierarchical, sub-cas never need to talk to each other.

2) A oscp server MAY check a CRL - that is how microsoft currently do it, but some other non-microsoft solutions check a certificate db specific to the sub-ca via LDAP.  the exact mechanism is rarely important except for troubleshooting when it goes wrong :)
0
 
trojan81Author Commented:
Davehowe,

am I correct to say that typically the sub-ca is also acting as an oscp server?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.