Solved

PKI infrastructure

Posted on 2013-12-20
Last Modified: 2013-12-22
Hello Experts,

I do contracting work for a Fortune 500 company. The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.

They have an offline root CA and a bunch of subordinate CAs located globally. They are using the OCSP protocol to "check" the certificate.

My question:

Typically, are the subordinate CAs also talking OCSP to each other? Or is it that typically the OCSP servers are separate from the sub-CA?

Do the OCSP servers check against a certificate revocation list, or are those two separate products?
Question by:trojan81

3 Comments

Expert Comment

by:Dave Howe
ID: 39732802
1) No, normally each sub-CA is complete in itself; trusting systems will check the OCSP revocation status of the cert with the server defined in the cert (usually the same as the sub-CA server) and usually, unless the sub-CA has itself been sent out via Group Policy, check the sub-CA's revocation against the OCSP target of the (offline) root CA as defined in the sub-CA's certificate. As it is hierarchical, sub-CAs never need to talk to each other.

2) An OCSP server MAY check a CRL; that is how Microsoft currently do it, but some other non-Microsoft solutions check a certificate DB specific to the sub-CA via LDAP. The exact mechanism is rarely important except for troubleshooting when it goes wrong :)

Author Comment

by:trojan81
ID: 39733886
Dave Howe,

Am I correct to say that typically the sub-CA is also acting as an OCSP server?

Accepted Solution

by:Dave Howe
ID: 39733942
Typically, yes. The Microsoft solution requires access to the CRL, which is usually a PKCS-formatted file stored on a web server; for convenience, it is handy for that web server to be on the same physical host as the sub-CA, and for the OCSP server to be on the same physical host too. They don't *have* to be, but it is convenient for setup for them to be so configured.

OCSP is just a query protocol and is *slightly* more bandwidth efficient; unless your CRL is relatively large, or queries are over a really low-bandwidth link, the difference is going to be pretty much down to one or two packets....
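
Added example, not part of the thread and not anything the poster or Dave Howe supplied: a throwaway two-tier PKI built with the openssl CLI that shows the two points made above in working form. The leaf's AIA extension points at the sub-CA's OCSP URL and the sub-CA's own certificate points at the root's, which is what a relying party follows; the sub-CA then answers an OCSP query straight from its certificate database (index.txt) with its own issuing key, and the same database also feeds a CRL that `openssl verify` checks. All names, URLs and paths (Example Root CA, ocsp.sub.example, and so on) are hypothetical, and the responder here is OpenSSL's file-based demo mode, not a production OCSP service.

```shell
#!/bin/sh
# Added example, not from the thread: a two-tier PKI built with the
# openssl CLI. The offline root signs one sub-CA; the sub-CA issues a
# leaf, answers OCSP for it straight from its own certificate database
# (index.txt) using its issuing key, and publishes a CRL for the same
# data. Every name, URL and path is hypothetical.
set -e

# Minimal openssl config. The AIA/CDP extensions are the pointers a
# relying party follows: the leaf points at the sub-CA's OCSP/CRL, the
# sub-CA's own cert points at the root's.
write_config() {
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca       = sub_ca
[ sub_ca ]
database         = $PKI/index.txt
new_certs_dir    = $PKI
serial           = $PKI/serial
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage         = critical,keyCertSign,cRLSign
authorityInfoAccess   = OCSP;URI:http://ocsp.root.example/
crlDistributionPoints = URI:http://crl.root.example/root.crl
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = serverAuth
authorityInfoAccess   = OCSP;URI:http://ocsp.sub.example/
crlDistributionPoints = URI:http://crl.sub.example/sub.crl
EOF
}

# Build root -> sub-CA -> leaf in a fresh temp dir ($PKI, a global).
build_pki() {
  PKI=$(mktemp -d)
  write_config
  ( set -e; cd "$PKI"
    # offline root: self-signed
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 3650 -subj "/CN=Example Root CA" -config ca.cnf -extensions v3_root
    # sub-CA: CSR signed by the root with the v3_subca extensions
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
      -subj "/CN=Example Sub CA" -config ca.cnf
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.cnf -extensions v3_subca -out sub.pem
    # leaf: issued through 'openssl ca' so it is recorded in index.txt
    touch index.txt; echo 1000 > serial
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=www.example.test" -config ca.cnf
    openssl ca -batch -config ca.cnf -cert sub.pem -keyfile sub.key \
      -in leaf.csr -out leaf.pem -extensions v3_leaf -notext
  ) >/dev/null 2>&1
}

# OCSP responder URL a client would read out of the certificate's AIA.
ocsp_uri() { ( cd "$PKI" && openssl x509 -in "$1" -noout -ocsp_uri ); }

# Client builds an OCSP request for $1; the sub-CA answers it offline
# from index.txt, signing with its own key; the client verifies the
# response against the root and prints good / revoked / unknown.
ocsp_status() {
  ( set -e; cd "$PKI"
    openssl ocsp -issuer sub.pem -cert "$1" -no_nonce -reqout req.der >/dev/null
    openssl ocsp -index index.txt -CA sub.pem -rsigner sub.pem -rkey sub.key \
      -CAfile root.pem -reqin req.der -respout resp.der >/dev/null
    openssl ocsp -respin resp.der -issuer sub.pem -cert "$1" -CAfile root.pem \
      -no_nonce | sed -n "s/^$1: //p"
  ) 2>/dev/null
}

# Same answer via the CRL: regenerate sub.crl from index.txt and let
# 'openssl verify' do the lookup; prints ok / revoked / error.
crl_status() {
  ( cd "$PKI" || exit 1
    openssl ca -config ca.cnf -cert sub.pem -keyfile sub.key -gencrl -out sub.crl
    out=$(openssl verify -CAfile root.pem -untrusted sub.pem \
            -crl_check -CRLfile sub.crl "$1" 2>&1 || true)
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *": OK"*)                echo ok ;;
      *)                       echo "error: $out" ;;
    esac
  ) 2>/dev/null
}

# Revoke the leaf in the sub-CA's database; both checks now flip.
revoke_leaf() {
  ( cd "$PKI" && openssl ca -config ca.cnf -cert sub.pem -keyfile sub.key \
      -revoke leaf.pem -crl_reason keyCompromise ) >/dev/null 2>&1
}

build_pki
echo "leaf AIA OCSP URI  : $(ocsp_uri leaf.pem)"
echo "sub-CA AIA OCSP URI: $(ocsp_uri sub.pem)"
echo "before revocation  : ocsp=$(ocsp_status leaf.pem) crl=$(crl_status leaf.pem)"
revoke_leaf
echo "after revocation   : ocsp=$(ocsp_status leaf.pem) crl=$(crl_status leaf.pem)"
```

Two things worth noticing when you run it. First, the OCSP answer and the CRL are produced from the same index.txt, so "OCSP server checks a CRL" versus "OCSP server checks the CA's certificate DB" is only a question of which artefact the responder reads; the revocation decision is identical. Second, this demo signs OCSP responses with the sub-CA's own key, which is fine for an online sub-CA but cannot work for the root's OCSP URL, since the root is offline and cannot sign fresh responses; the responder at the root's AIA has to use a delegated OCSP signing certificate issued by the root (id-kp-OCSPSigning EKU), or relying parties fall back to the root's CRL.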
