Solved

PKI infrastructure

Posted on 2013-12-20
3
445 Views
Last Modified: 2013-12-22
Hello Experts,

I do contracting work for a fortune 500 company.  The size of the network is huge. PKI is not my area of expertise but I've been doing some eavesdropping and have some questions.

They have an offline root CA and a bunch of subordinate CAs located globally.   They are using OSCP protocol to "check" the certificate.

My question:

Typically, are the subordinate CA's also talking OSCP to each other?  Or is it that typically the OSCP servers are separate from the sub-CA?

Do the OSCP servers check against an Certificate revocation list or are those two separate products?
0
Comment
Question by:trojan81
  • 2
3 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39732802
1) no, normally each sub-ca is complete in itself; trusting systems will check the oscp revocation status of the cert with the server defined in the cert (usally the same as the sub-ca server) and usually, unless the sub-ca has itself been sent out via group policy, check the sub-ca's revocation against the oscp target of the (offline) root CA as defined in the sub-ca's certificate.  As it is hierarchical, sub-cas never need to talk to each other.

2) A oscp server MAY check a CRL - that is how microsoft currently do it, but some other non-microsoft solutions check a certificate db specific to the sub-ca via LDAP.  the exact mechanism is rarely important except for troubleshooting when it goes wrong :)
0
 

Author Comment

by:trojan81
ID: 39733886
Davehowe,

am I correct to say that typically the sub-ca is also acting as an oscp server?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39733942
Typically, yes. the microsoft solution requires access to the CRL, which is usually a pkcs formatted file stored on a webserver; for convenience, it is handy for that webserver to be on the same physical host as the sub-ca, and for the OSCP server to be on the same physical host too. They don't *have* to be, but it is convenient for setup for them to be so configured.

OSCP is just a query protocol and is *slightly* more bandwidth efficient; unless your CRL is relatively large, or queries are over a really low-bandwidth link, the difference is going to be pretty much down to one or two packets....
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question