Why is 'Refresh Revocation Data' in OCSP Online Responder not updating the revoke status in its responses?

Anonymous
2024-01-11T22:39:16+00:00

Problem:

Revoking / unrevoking a certificate in certsrv does not seem to refresh the Online Responder. The OCSP responder hosted on AD CS still responds to requests with Revoked status.

Some background:

I am testing a small application that runs on Windows and Macbook, akin to an AV agent. It gathers laptop properties and communicates back with a server (a SIEM); server cert is signed by AD CS. I am testing OCSP for that cert.

Before the revoke, the application I was testing worked fine. Packet captures on Server 2019 port 80 showed the OCSP responses as 'good', as expected, so that was my baseline/good sample. It went downhill from there when I started testing revoke & unrevoke. Both of them seem to take effect in certsrv, but neither is reflected in a timely manner at the Online Responder in AD CS.

Steps for repro:

For example, after unrevoking the cert in certsrv, I right-clicked the Revoked Certificates folder and clicked Publish.

Then I opened the OCSP Online Responder on the AD CS server and right-clicked Array Configuration > Refresh Revocation Data.

At this point, I assumed if I used certutil to verify the cert against OCSP, I would get a good response, but instead got "Certificate is REVOKED".

Example of the command I used in cmd to verify the revocation status: certutil -f -urlfetch -verify C:\Users\myusername\Downloads\unrevokedCert.cer

  • unrevokedCert.cer is the certificate that was just unrevoked in certsrv.

Troubleshooting:

  • Enabled NONCE support on the AD CS OCSP responder; issue persisted. Packet captures from the Windows client request to the responder showed the Online Responder replying with Revoked status.
  • Set 'Cache entries' to 0 in the OCSP responder properties; issue persists.
  • Restarted Server 2019; issue persists.
  • Cleared the process memory cache of OCSP data on Windows 10 (client) and Server 2019; issue persists, e.g. certutil -setreg chain\ChainCacheResyncFiletime @now
  • Cleared the disk cache of OCSP URLs on Windows 10 (client) and Server 2019; issue persists, e.g. certutil -urlcache * delete

More info:

Revocation Provider Properties -> Base and Delta CRLs, a single entry each:

ldap:///CN=mydomain-serverfqdn-CA,CN=Server2019,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

'Refresh CRLs based on their validity periods' is unchecked.

Update CRLs at this refresh interval (min): 10

Local CRL tab left default, unconfigured, nothing in there.

The test laptop runs Windows 10 Version 10.0.19045 Build 19045.

The Server 2019 Standard host running AD CS and the OCSP responder is Version 10.0.17763 Build 17763.

Are there any local OCSP response caches that I missed on Server 2019 & Windows 10 laptop? If so, where are they, and how do I best clear them?


3 answers

  1. Anonymous
    2024-01-12T04:27:51+00:00

    Hello Trung Nguyen4,

    Thank you for posting in Microsoft Community forum.

    How many minutes did you set for the option "Update CRLs at this refresh interval (min)"?

    If it is 15 mins, you can check revocation status after 15 mins.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2024-01-12T04:48:38+00:00

    Mine is set to the default 10 min; however, I do not have a second Base CRL entry like yours. Mine only has the ldap:// entry.

    At this time, it is past the 'nextUpdate' time seen in previous OCSP responses, and now I see the Online Responder handing out up-to-date status of the cert in AD CS.

    Earlier today, before 22:15:55 (highlighted), whenever I ran certutil -f -urlfetch -verify C:\Users\myusername\Downloads\unrevokedCert.cer, it kept saying Revoked. Now, a few minutes past the nextUpdate timestamp, it returns "Leaf certificate revocation check passed", and in the packet capture on the Server 2019 side, where the Online Responder is, I saw 'good' in the OCSP response to the certutil test.

    This time there is a new 'nextUpdate' timestamp, scheduled exactly 24h after the last one.

    If I can find out how to configure Online Responder to reduce this 'nextUpdate' time, it may solve my issue.

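As an added example (not part of this thread and not AD CS code), a stdlib-only Python probe that builds an OCSP request for one certificate, POSTs it straight to the responder and decodes certStatus, thisUpdate and nextUpdate from the raw DER reply, so the responder's own answer can be compared with what the cached certutil check on the client says. It assumes the issuer DN DER, the issuer public-key BIT STRING contents and the leaf serial number have already been extracted from the CA and leaf certificates with any ASN.1 tool, and that the responder URL is the one in the certificate's AIA extension (assumed http://<server>/ocsp here).

```python
import hashlib
import urllib.request
from datetime import datetime, timezone
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags (RFC 6960)

def der_encode(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:  # short-form length
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_items(buf: bytes):
    i = 0
    while i < len(buf):  # yield (tag, value) for each top-level TLV
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """OCSPRequest with one CertID: SHA-1 of issuer DN and issuer key bits, plus the serial."""
    sha1 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b0e03021a")) + der_encode(0x05, b""))
    serial_b = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    cert_id = der_encode(0x30, sha1 + der_encode(0x04, hashlib.sha1(issuer_name_der).digest())
                         + der_encode(0x04, hashlib.sha1(issuer_key_bits).digest()) + der_encode(0x02, serial_b))
    # Request -> requestList -> tbsRequest -> OCSPRequest
    return der_encode(0x30, der_encode(0x30, der_encode(0x30, der_encode(0x30, cert_id))))

_gtime = lambda v: datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ocsp_response(raw: bytes) -> dict:
    """responseStatus plus certStatus/thisUpdate/nextUpdate of the first SingleResponse."""
    outer = list(der_items(next(der_items(raw))[1]))
    if outer[0][1][0] != 0:  # responseStatus ENUMERATED, 0 = successful
        return {"response_status": outer[0][1][0]}
    rb = list(der_items(next(der_items(outer[1][1]))[1]))  # [0] EXPLICIT ResponseBytes
    tbs = next(der_items(next(der_items(rb[1][1]))[1]))[1]  # OCTET STRING -> BasicOCSPResponse -> tbs
    responses = next(v for t, v in der_items(tbs) if t == 0x30)  # responses SEQUENCE OF SingleResponse
    items = list(der_items(next(der_items(responses))[1]))
    out = {"response_status": 0, "cert_status": CERT_STATUS.get(items[1][0], "?"),
           "this_update": _gtime(items[2][1]), "next_update": None}
    for tag, val in items[3:]:
        if tag == 0xA0:  # nextUpdate [0] EXPLICIT GeneralizedTime: clients may cache the answer until then
            out["next_update"] = _gtime(next(der_items(val))[1])
    return out

def query_responder(url: str, request: bytes) -> dict:
    """POST straight to the responder, bypassing the client-side CryptoAPI OCSP caches."""
    req = urllib.request.Request(url, data=request, headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_ocsp_response(resp.read())
```

The next_update value returned here is the point after which, as observed in the thread, the responder started returning the new status, so compare it with the Next Update time shown for the CRL in certsrv.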
  3. Anonymous
    2024-01-12T06:34:49+00:00

    Hello Trung Nguyen4,

    Thank you for your reply.

    Maybe you can check the publication interval by right-clicking the "Revoked Certificates" container.

    You can see publication interval and next update time here.


    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
