Solved

PKI infrastructure

Posted on 2013-12-20
Last Modified: 2013-12-22
Hello Experts,

I do contracting work for a Fortune 500 company. The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.

They have an offline root CA and a bunch of subordinate CAs located globally. They are using the OCSP protocol to "check" the certificate.

My question:

Typically, are the subordinate CAs also talking OCSP to each other? Or is it that typically the OCSP servers are separate from the sub-CA?

Do the OCSP servers check against a certificate revocation list, or are those two separate products?
Question by:trojan81
3 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39732802
1) No, normally each sub-CA is complete in itself; trusting systems will check the OCSP revocation status of the cert with the server defined in the cert (usually the same as the sub-CA server) and usually, unless the sub-CA has itself been sent out via group policy, check the sub-CA's revocation against the OCSP target of the (offline) root CA as defined in the sub-CA's certificate. As it is hierarchical, sub-CAs never need to talk to each other.

2) An OCSP server MAY check a CRL - that is how Microsoft currently do it, but some other non-Microsoft solutions check a certificate DB specific to the sub-CA via LDAP. The exact mechanism is rarely important except for troubleshooting when it goes wrong :)
 

Author Comment

by:trojan81
ID: 39733886
Dave Howe,

Am I correct to say that typically the sub-CA is also acting as an OCSP server?
 
LVL 33

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 39733942
Typically, yes. The Microsoft solution requires access to the CRL, which is usually a PKCS-formatted file stored on a webserver; for convenience, it is handy for that webserver to be on the same physical host as the sub-CA, and for the OCSP server to be on the same physical host too. They don't *have* to be, but it is convenient for setup for them to be so configured.

OCSP is just a query protocol and is *slightly* more bandwidth efficient; unless your CRL is relatively large, or queries are over a really low-bandwidth link, the difference is going to be pretty much down to one or two packets...
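To make the hierarchy discussed in this thread concrete, here is an added example (not code from the thread or from any Microsoft product) using Python's `cryptography` library: it builds an offline root, a regional sub-CA and a server certificate whose AIA and CRL distribution point extensions carry the OCSP and CRL URLs a relying party would follow, then has the sub-CA publish a CRL and answers the revocation question from it, the way a CRL-backed responder does. All CA names, URLs, serials and keys are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, ExtensionOID, NameOID
NOW = datetime.datetime(2013, 12, 20)  # naive UTC, as the x509 builders expect
def make_cert(cn, issuer, issuer_key, key, ca, ocsp_url=None, crl_url=None):
    """Issue a cert; the AIA and CRLDP extensions tell relying parties where to check revocation."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_url:  # OCSP responder URL lives in the cert itself (usually the issuing sub-CA's host)
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIA.OCSP, x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    if crl_url:   # CRL distribution point: the published file a CRL-backed responder reads
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(crl_url)], None, None, None)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())
def _ext(cert, oid):
    return next((e.value for e in cert.extensions if e.oid == oid), [])
def revocation_targets(cert):
    """(OCSP URLs, CRL URLs) a relying party would use for this cert; empty for the offline root."""
    ocsp = [d.access_location.value for d in _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
            if d.access_method == AIA.OCSP]
    crl = [n.value for dp in _ext(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) for n in dp.full_name]
    return ocsp, crl
def build_crl(issuer, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())
def crl_status(cert, crl, issuer):
    """What a CRL-backed responder answers: verify the CRL's signature, then look up the serial."""
    if not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL not signed by the expected CA")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

# Constructed hierarchy: offline root -> regional sub-CA -> server cert (all names are made up).
root_key, sub_key, leaf_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(3)]
ROOT = make_cert("Offline Root CA", None, root_key, root_key, ca=True)
SUB = make_cert("Sub CA EU", ROOT, root_key, sub_key, ca=True,
                ocsp_url="http://ocsp.root.example/", crl_url="http://root.example/root.crl")
LEAF = make_cert("server.example", SUB, sub_key, leaf_key, ca=False,
                 ocsp_url="http://ocsp.subca-eu.example/", crl_url="http://subca-eu.example/sub.crl")
CRL = build_crl(SUB, sub_key, [LEAF.serial_number])  # the sub-CA revokes its own server cert
```

Note that the sub-CA's own revocation targets point at the root, matching the answer: each tier is checked against the tier above it, and no sub-CA ever consults another sub-CA.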