Strange OCSP response by the Online Responder


Hi,
When I run certutil -verify -urlfetch on 2 different certificates issued by the same issuing CA, the response is quite different, which raised a concern that the Online Responder is not working as it should. Here are the 2 outputs.

Output nr1.

crl (null):
issuer: cn=server fqdn
thisupdate: 2015-04-14 21:05
nextupdate: 2015-04-22 09:25
39c5508bc895eef3e97d8b611d1fa1fc17d3db19
issuance[0] = 1.2.752.113.10.1.1.1.1 vgc-pki cps
application[0] = 1.3.6.1.5.5.7.3.2 client authentication
application[1] = 1.3.6.1.5.5.7.3.1 server authentication

Output nr2.
crl 323e:
issuer: cn=ca logical name
thisupdate: 2015-04-14 22:05
nextupdate: 2015-04-22 10:25
222195864225835a025a52015d5dca5fc2c71f30
issuance[0] = 1.2.752.113.10.1.1.1.1 vgc-pki cps
application[0] = 1.3.6.1.4.1.311.54.1.2 remote desktop authentication

Why is the first output missing the CRL number, and why does it produce a response with the server FQDN and not the CA logical name?

By the way, running 2012 R2 on , Online Responder.

Please help me understand.

Kind regards
Mikael

Hi Mark,

Thanks for the help. Here is the response Mark gave.

Mikael's question:

Hi Mark,

Please go through them and see if there is a clue in them about the issue. To be honest, I don't know if it is a problem or not with the Online Responder.

When I produced the 2 outputs, I started by first running certutil -verify -urlfetch against certificate vgwb0195, then moved on to certificate vgts0034.

As you can see in the output, the first certificate, vgwb0195, has no CRL version number, and the issuer is the FQDN of the OCSP responder. The second certificate, vgts0034, has a CRL version number and the CA name in the issuer field.

When I later run certutil -urlcache * delete to clear the cache and run them in the opposite order, vgwb0195 is the one that has the CRL version number and the CA name as issuer.

Can you explain? Is this a bug?

Mark's answer:

This is normal; you are seeing the effects of the local caching mechanism. Also, delete urlcache is ineffective and was replaced many years ago by the syntax: