Verifying Integration
Generate a Certificate Request
Log on to the OCSPCL machine and generate certificate requests using the template structure below. (Try to use different vendors' cryptographic service providers.)
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=TEST-CA"
HashAlgorithm = SHA1
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "CipherTrust Application Protection Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
Copy and paste the above template into any text editor and ensure that the ProviderName value is specified correctly (with the quotation marks around it).
Once the template has been set up, save it as test.inf on the C:\ drive. Open the command prompt, change to that drive (in this case C:), and run:
certreq -new test.inf test.req
A certificate request called test.req is generated on the C:\ drive. Then run:
certreq -submit -attrib "CertificateTemplate:WebServer" test.req
A pop-up window asking which CA to use is displayed. Click the OCSPCA entry and click OK. A file dialog for saving the certificate is displayed; save the certificate file and click OK. After a short pause, the message "Certificate Successfully Generated" is displayed in the command prompt and a certificate file called test.cer is generated on the C:\ drive.
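The request and submit steps above, scripted in PowerShell so that each step's result is checked rather than read off the screen. This is an added example, not code from the original page or from the CipherTrust product; $CaConfig is a hypothetical "host\CA name" value (omit -config to get the CA picker pop-up the procedure describes), and the script assumes it is run on OCSPCL.

```powershell
# Added example (not from the original page): builds the request template from the
# page's values, creates the request and submits it, checking each step's outcome.
# Assumptions: run on OCSPCL from C:\; $CaConfig is a hypothetical "host\CA name" value.
$ErrorActionPreference = 'Stop'
Set-Location 'C:\'
$CaConfig = 'OCSPCA\OCSPCA'   # hypothetical; drop -config below to get the CA picker pop-up

# Single-quoted here-string so "$Windows NT$" is written literally, not expanded
$template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=TEST-CA"
HashAlgorithm = SHA1
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "CipherTrust Application Protection Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
'@
Set-Content -Path 'test.inf' -Value $template -Encoding ASCII

# Confirm the KSP named in ProviderName is actually registered before certreq asks for it
$ksp = certutil -csplist | Select-String 'CipherTrust Application Protection Key Storage Provider'
if (-not $ksp) { throw 'CipherTrust KSP is not registered on this machine' }

certreq -new test.inf test.req
if ($LASTEXITCODE -ne 0 -or -not (Test-Path 'test.req')) { throw "certreq -new failed ($LASTEXITCODE)" }

# Writing the issued certificate straight to test.cer replaces the save-file dialog
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' test.req test.cer
if ($LASTEXITCODE -ne 0 -or -not (Test-Path 'test.cer')) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Sanity check: the issued certificate should carry the AIA OCSP access method (1.3.6.1.5.5.7.48.1)
certutil -dump test.cer | Select-String 'OCSP|1\.3\.6\.1\.5\.5\.7\.48\.1'
```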
Test the certificate's origin
Log on to OCSPCA and go to Start > Control Panel > Administrative Tools > Certification Authority.
In the Certification Authority snap-in, click Certification Authority (Computer)/CA name/Revoked Certificates in the console tree to publish a new CRL. Then right-click the Revoked Certificates folder, point to All Tasks, and click Publish.
To remove all CRL distribution point extensions from the issuing CA, open the Certification Authority snap-in and right-click the CA.
In the pop-up menu, click Properties.
On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
From the list, click any CRL distribution points, click Remove, and click OK.
Click Apply. A pop-up box is displayed stating that you need to restart the service.
Click OK to restart the service.
Using the certificate called test.cer that was generated earlier on the OCSPCL machine, verify that clients can still obtain revocation data. On the OCSPCL machine, run:
certutil -url test.cer
In the URL Retrieval Tool dialog box, click the radio button next to CRLs (from CDP) and click Retrieve. Then click the radio button next to OCSP (from AIA) and click Retrieve. The list should contain an OCSP entry showing the web address of your OCSP server.
OCSP Verification
Open the command prompt and select the local drive (in this case C:). Enter the following in the command prompt window:
certutil -verify test.cer > test.txt
When the verify command has completed, open the test.txt file on the C:\ drive. It should contain information in the following format:
Issuer:
    CN=office-RCA-CA
    DC=office
    DC=com
  Name Hash(sha1): 5b9cbd7dba2d2222e872195a05af3bd907faa609
  Name Hash(md5): 51b176fc074870c3d24732cc59168db4
Subject:
    CN=TEST-CA
  Name Hash(sha1): ae10d188e4406b3ebab8a35f02f392b4dac5f40f
  Name Hash(md5): 49b4715b6418d6b13827a217f251d6f0
Cert Serial Number: 1200000004058368d22026da64000000000004

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=office-RCA-CA, DC=office, DC=com
  NotBefore: 7/29/2020 2:05 AM
  NotAfter: 7/29/2022 2:05 AM
  Subject: CN=TEST-CA
  Serial: 1200000004058368d22026da64000000000004
  Template: WebServer
  Cert: 2055d116a0e0917279f744f27bc5b3f7c5f2d853
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 02:
    Issuer: CN=office-RCA-CA, DC=office, DC=com
    ThisUpdate: 7/29/2020 2:09 AM
    NextUpdate: 8/5/2020 2:29 PM
    CRL: 94bc3b44164475210d2b267f188816d107062c5e
  Delta CRL 02:
    Issuer: CN=office-RCA-CA, DC=office, DC=com
    ThisUpdate: 7/29/2020 2:09 AM
    NextUpdate: 7/30/2020 2:29 PM
    CRL: 2ccdfce11ccaf1a2a3aaa551869c646b66ce6d6d
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=office-RCA-CA, DC=office, DC=com
  NotBefore: 7/28/2020 2:38 PM
  NotAfter: 7/28/2025 2:48 PM
  Subject: CN=office-RCA-CA, DC=office, DC=com
  Serial: 5b5d074f8a9324ba4211e446bbbd2081
  Template: CA
  Cert: e7aa7a30b718b38d6a0f536c9767ca18c6176087
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: 8baae1e43780b359bcfa9f4381e3478f46ebcd90
Full chain:
  Chain: 42f943fe5ba0a70d7db4f2d9c96d7a91dc855f5a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Ensure that the last section of the verify command's output reads something like this:
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
This shows that the OCSP server is working correctly. The most important part of the output above is the line "Leaf certificate revocation check passed", as it shows that the OCSP server is returning the certificate status as 'Good'.
Note
If the log generated by the verify command does not include the above section (or similar) and has errors in the output, then restart the OCSP server and client machine. Run the verify command again on the certificate file.
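The verify step above, scripted so that the pass/fail decision is made from the output rather than by eye. This is an added example, not code from the original page or the CipherTrust product; it assumes test.cer is in the current directory (C:\ in the procedure) and additionally runs certutil with -urlfetch, which fetches the AIA/CDP URLs and reports each OCSP response it checked.

```powershell
# Added example (not from the original page): runs the verify step and checks its
# output programmatically instead of reading test.txt by eye.
# Assumption: test.cer sits in the current directory (C:\ in the procedure).
$ErrorActionPreference = 'Stop'

$out = certutil -verify test.cer
$out | Set-Content -Path 'test.txt'           # keep the same log the procedure produces
$text = $out -join "`n"

# Every CertContext[x][y] line carries a dwErrorStatus; all of them must be 0 for a clean chain
$errStatus = [regex]::Matches($text, 'dwErrorStatus=([0-9a-fA-F]+)') |
    ForEach-Object { $_.Groups[1].Value }

$checks = [ordered]@{
    'verify command completed'     = $text -match 'CertUtil: -verify command completed successfully'
    'leaf revocation check passed' = $text -match 'Leaf certificate revocation check passed'
    'no chain element errors'      = @($errStatus | Where-Object { $_ -ne '0' }).Count -eq 0
    'Server Authentication EKU'    = $text -match 'Verified Application Policies:[\s\S]*1\.3\.6\.1\.5\.5\.7\.3\.1'
}

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
if ($failed.Count -gt 0) {
    Write-Host "Verification FAILED: $($failed -join '; ')"
    Write-Host 'Restart the OCSP server and client machines, then run the verify command again.'
    exit 1
}

# Age of the revocation data used when the chain was built (17 Minutes, 42 Seconds in the sample)
if ($text -match 'ChainContext\.dwRevocationFreshnessTime:\s*(.+)') {
    Write-Host "Revocation data age: $($Matches[1])"
}

# -verify alone does not say whether CRL or OCSP answered; -urlfetch also fetches the AIA/CDP
# URLs and prints a line for each OCSP response it verified, which is the OCSP-specific evidence
certutil -urlfetch -verify test.cer | Select-String 'OCSP'
Write-Host 'OCSP verification passed'
```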