Microsoft OCSP Responder support for SHA-384 OCSP requests (responses work).

Joe Fowler 6 Reputation points
2021-07-16T16:35:34.26+00:00

Due to compliance issues some of my devices are generating OCSP requests which hash the OCSP request information using SHA-384 as the algorithm. Currently the Microsoft OCSP responder (at least in my current configuration) does not support those requests. I'm running Windows Server 2016 Version 1607 (OS Build 14393.3930). I fully understand that the OCSP response is configurable and the SHA-2 suite works fine for responses. It is the request that is being rejected by the OCSP Responder, because it apparently doesn't support that algorithm for the request. I have verified that the request works against other OCSP responders that do support SHA-384-hashed OCSP requests.

Is there a configuration or minimum baseline for this to be supported or is there a registry hack or is this something that currently isn't supported by the product?


2 answers

  1. Daisy Zhou 23,346 Reputation points Microsoft Vendor
    2021-07-19T02:19:07.8+00:00

    Hello @Joe Fowler ,

    Thank you for posting here.

    1-Are some of your devices you mentioned non-Windows devices?

    2-Is your Windows CA configured with SHA-256 or SHA-384?

    If your Windows CA is not configured with SHA-384, you can configure your Windows CA with SHA-384 and set up Windows OCSP in your lab to see if it helps.

    Public Key Infrastructure Part 8 – OCSP responder
    https://www.tech-coffee.net/public-key-infrastructure-part-8-ocsp-responder/

    Q: Is there a configuration or minimum baseline for this to be supported or is there a registry hack or is this something that currently isn't supported by the product?
    A: I am sorry, after my research and to my knowledge, I cannot find such a reference or any information about it.

    Hope the information above is helpful to you.

    Should you have any questions or concerns, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou


  2. Joe Fowler 6 Reputation points
    2021-07-19T16:13:15.77+00:00

    The devices are network VPN connection points. Cisco, Aruba...

    The CA is not a Windows CA, but it is SHA-384 from the root all the way down to the device / OCSP responder certificates. I created a custom request on the responder and issued the responder certificate off the CA(s). The responder works using certutil -url, and answers OpenSSL requests. Testing the MS OCSP responder, it is only capable of consuming OCSP requests where the hashing algorithm in the request is SHA-1, but it will reply to a SHA-1 request signed using SHA-384.

    I guess you don't understand my question.
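The distinction the thread turns on is the `hashAlgorithm` inside the request's CertID (RFC 6960), which the device chooses, versus the signature algorithm of the response, which the responder chooses. The following is an added example, not code from the thread or from Microsoft: it builds an unsigned OCSPRequest whose CertID is hashed with a chosen algorithm, and parses a request (for instance one captured from a device) to report which hash it uses. The issuer Name and the bytes standing in for the issuer's subjectPublicKey are constructed placeholders; the `{"sha1"}` set in the usage only models what the poster reports observing, not a verified property of the product.

```python
"""Build and inspect OCSP requests (RFC 6960) to see which hash the CertID uses."""
import hashlib

# Hash OIDs that appear as CertID.hashAlgorithm in OCSP requests.
HASH_OIDS = {
    "1.3.14.3.2.26": ("sha1", hashlib.sha1),
    "2.16.840.1.101.3.4.2.1": ("sha256", hashlib.sha256),
    "2.16.840.1.101.3.4.2.2": ("sha384", hashlib.sha384),
    "2.16.840.1.101.3.4.2.3": ("sha512", hashlib.sha512),
}
NAME_TO_OID = {name: oid for oid, (name, _) in HASH_OIDS.items()}

# --- minimal DER encoder -------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _integer(n):
    # +8 bits keeps a leading 0x00 so a high bit is not read as a sign bit
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial, hash_name):
    """Unsigned OCSPRequest with one CertID whose digests use hash_name."""
    oid = NAME_TO_OID[hash_name]
    digest = HASH_OIDS[oid][1]
    alg_id = _tlv(0x30, _oid(oid) + b"\x05\x00")                    # AlgorithmIdentifier
    cert_id = _tlv(0x30, alg_id
                   + _tlv(0x04, digest(issuer_name_der).digest())   # issuerNameHash
                   + _tlv(0x04, digest(issuer_key_bits).digest())   # issuerKeyHash
                   + _integer(serial))                               # serialNumber
    request_list = _tlv(0x30, _tlv(0x30, cert_id))                  # SEQUENCE OF Request
    tbs_request = _tlv(0x30, request_list)                           # TBSRequest, v1 default
    return _tlv(0x30, tbs_request)                                   # OCSPRequest

# --- minimal DER reader --------------------------------------------------
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_cert_ids(request_der):
    """Return one dict per CertID in the request: hash name, digests, serial."""
    _, ocsp_request, _ = _read_tlv(request_der)
    _, tbs, _ = _read_tlv(ocsp_request)
    pos = 0
    while tbs[pos] in (0xA0, 0xA1):              # skip [0] version / [1] requestorName
        _, _, pos = _read_tlv(tbs, pos)
    _, request_list, _ = _read_tlv(tbs, pos)
    result, pos = [], 0
    while pos < len(request_list):
        _, request, pos = _read_tlv(request_list, pos)
        _, cert_id, _ = _read_tlv(request)
        _, alg_id, p = _read_tlv(cert_id)
        _, oid_body, _ = _read_tlv(alg_id)
        oid = _decode_oid(oid_body)
        _, name_hash, p = _read_tlv(cert_id, p)
        _, key_hash, p = _read_tlv(cert_id, p)
        _, serial, _ = _read_tlv(cert_id, p)
        result.append({
            "hash": HASH_OIDS.get(oid, (oid, None))[0],
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big"),
        })
    return result

def responder_accepts(request_der, supported_hashes):
    """True only if every CertID uses a hash the responder is assumed to handle."""
    return all(c["hash"] in supported_hashes for c in parse_cert_ids(request_der))

# Constructed sample inputs (not from the thread): a minimal issuer Name
# (CN=Example Issuer) and placeholder bytes standing in for the issuer's
# subjectPublicKey BIT STRING contents.
ISSUER_NAME_DER = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, b"Example Issuer"))))
ISSUER_KEY_BITS = bytes(range(64))
SERIAL = 0x1234

if __name__ == "__main__":
    # Assumption modelling the poster's report, not a verified product property.
    reported_ms_support = {"sha1"}
    for h in ("sha1", "sha384"):
        req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, h)
        verdict = "accepted" if responder_accepts(req, reported_ms_support) else "rejected"
        print(h, parse_cert_ids(req)[0]["hash"], verdict)
```

Feed `parse_cert_ids` the raw body of a POSTed `application/ocsp-request` (or a base64-decoded GET path segment) to confirm what a Cisco or Aruba device is actually sending before blaming the responder; the `hash` field is the CertID algorithm, independent of whichever signature algorithm the responder later uses on its response.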

