Comments on: Public Key Infrastructure Part 8 – OCSP responder

By: ashrarai

ashrarai — Mon, 12 Aug 2019 10:21:48 +0000

This is very thorough article.

By: Romain Serre

Romain Serre — Wed, 30 Sep 2015 09:12:39 +0000

Hi Martin,

I’ve tried links and they’re working. Mayble a little outage on the blog yesterday…

By: Martin

Martin — Tue, 29 Sep 2015 22:03:59 +0000

Sir Can you fix the links to pki posts 1, 2 and 7? Receive the following, “Error establishing a database connection” Excellent pki posts and very helpful.

By: Romain Serre

Romain Serre — Sun, 09 Nov 2014 12:07:36 +0000

Hi Long,

Many thanks for your comment ! I appreciate.

Regarding your issue, when you revoke a certificate, you have to republish the CRL into your CRL Distribution Point. For example, if you revoke the certificate of your sub CA you have to republish the ROOT CA CRL. Only the CRL gives the information about revoked certificate to clients.

So you can try to create a certificate and test it with certutil -url. Next revoke this certificate and publish the CRL into CDP. Run again a certutil -url and the certificate should be revoked.

Have a nice weekend

By: Long

Long — Sun, 09 Nov 2014 02:59:13 +0000

Thank you very much Romain for your excellent articles, I have followed them and am able to test out the OCSP capability in Windows. Thank you very much…. FYI, for what it’s worth, with my background in Unix and others, I am really starting to get to know Windows and I really find your articles are very easy to follow. I have now been able to test the OCSP capability! One thing I am still struggling at the moment is really to do with the revocation period. I would revoke a certificate and then using various methods (certutil -crl, change the Revocation Configuration time, republishing Revocation folder in Certification Authority tool etc.) to refresh the ‘cache’, yet I would only be able to obtain the ‘Revoked’ status by restarting the server that host the Intermediate Certificate and the OCSP Responder…. BTW, I have tried out the certutil -urlfetch -verify certfile.cer and that would return me a status of Revoked. But if I use certutil -url certfile.cer or openssl then the status of the revoked certificate would remain ‘Verified’/’Good’ until I reboot the server that hosts the certification authority and the OCSP Responder…. Is there something that I have missed?