Windows Server 2008 Microsoft AD CS

mary Anderson 1 Reputation point
2022-01-29T06:48:25.243+00:00

Hi everybody
Recently we have been using Microsoft AD CS on Windows Server 2008 in our organization. We have an OCSP server beside our enterprise CA server. We have just noticed that OCSP is CRL-based in Microsoft CA, and since OCSP accesses the CRL periodically, it sometimes returns "good" for revoked certificates because they were revoked between the two points in time at which OCSP accesses the CRL. It seems that there is a fix or update to solve this issue, but I cannot find the download link. Can anyone help me? By the way, we cannot change the version of our OS.

Windows Server Security

1 answer

  1. Vadims Podāns 8,941 Reputation points MVP
    2022-01-29T14:32:00.41+00:00

    There is no update for this behavior. The behavior is a fundamental property of a CRL-based OCSP server. In order to reduce the load, OCSP caches the referenced CRL for the period specified in the CRL (Next Update), and revocation is not detected immediately. In the revocation configuration provider settings you can specify how often OCSP should check for CRL updates:
    [Image: 169557-image.png]

    Do not set too small a value, because OCSP can be overloaded with CRL download and update operations.

    we can not change the version of our OS

    Interesting, why?

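The trade-off described in the answer, as an added simulation that is not part of the original thread and is not AD CS code: a responder that answers from a cached CRL keeps saying "good" until its next refresh, and a shorter refresh interval shrinks that window at the cost of more CRL downloads. The names `Ca`, `CrlBackedResponder` and `simulate` are hypothetical, times are minutes on a constructed timeline, and the model assumes the CA publishes a fresh CRL right after each revocation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Crl:
    this_update: int
    next_update: int
    revoked: frozenset

class Ca:
    """Assumed model: a fresh CRL is published right after each revocation."""
    def __init__(self, validity):
        self.validity = validity
        self.current = Crl(0, validity, frozenset())

    def revoke(self, serial, now):
        self.current = Crl(now, now + self.validity, self.current.revoked | {serial})

    def fetch_crl(self, now):
        while now >= self.current.next_update:   # scheduled re-publication
            c = self.current
            self.current = Crl(c.next_update, c.next_update + self.validity, c.revoked)
        return self.current

class CrlBackedResponder:
    """Answers from a cached CRL; refresh=None means cache until Next Update."""
    def __init__(self, ca, refresh=None):
        self.ca, self.refresh = ca, refresh
        self.cached, self.expires, self.downloads = None, 0, 0

    def status(self, serial, now):
        if self.cached is None or now >= self.expires:
            self.cached = self.ca.fetch_crl(now)
            self.downloads += 1
            self.expires = self.cached.next_update
            if self.refresh is not None:
                self.expires = min(self.expires, now + self.refresh)
        return "revoked" if serial in self.cached.revoked else "good"

def simulate(validity, refresh, revoked_at, horizon):
    """Return (minutes 'good' was still returned after revocation, CRL downloads)."""
    ca = Ca(validity)
    responder = CrlBackedResponder(ca, refresh)
    serial, stale = 0x1A2B, 0                    # constructed serial number
    for now in range(horizon):                   # one status query per minute
        if now == revoked_at:
            ca.revoke(serial, now)
        if responder.status(serial, now) == "good" and now >= revoked_at:
            stale += 1
    return stale, responder.downloads

if __name__ == "__main__":
    for refresh in (None, 60, 15):               # constructed settings
        print(refresh, simulate(1440, refresh, 100, 2880))
```

With a one-day CRL validity and a revocation at minute 100, the Next Update-only responder stays stale for most of the day with three downloads, while a 15-minute refresh closes the gap within minutes but multiplies the download count.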