trojan81
PKI infrastructure
Hello Experts,
I do contracting work for a Fortune 500 company. The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.
They have an offline root CA and a bunch of subordinate CAs located globally. They are using the OCSP protocol to "check" the certificate.
My question:
Typically, are the subordinate CAs also talking OCSP to each other? Or is it that typically the OCSP servers are separate from the sub-CA?
Do the OCSP servers check against a certificate revocation list or are those two separate products?
ASKER
Davehowe,
Am I correct to say that typically the sub-CA is also acting as an OCSP server?
ASKER CERTIFIED SOLUTION
2) An OCSP server MAY check a CRL - that is how Microsoft currently do it, but some other non-Microsoft solutions check a certificate DB specific to the sub-CA via LDAP. The exact mechanism is rarely important except for troubleshooting when it goes wrong :)