Question

I installed AD, AD CS and OCSP on the same machine in my lab and configured them. I then used C# to write an OCSP client so that it can send the revocation check request and parse the response for a particular certificate installed on the local machine. The C# code was built using the Bouncy Castle assembly (http://www.bouncycastle.org/csharp/).

The problem is that if I issue a certificate and revoke it on AD CS, and publish the CRL and delta CRL, my OCSP client still says this certificate is good until I click Refresh Revocation Data in AD CS -> OCSP -> Array Configuration.

I had configured the provider of my revocation configuration in OCSP to point to my local CRL through LDAP://XXXX, and

I also specified that my revocation provider should refresh the CRLs every 5 minutes.

Is there any way I can make my OCSP "real-time", meaning that after I revoke a certificate my OCSP client will know that it has been revoked? Alternatively, can my OCSP get the CRL automatically instead of my clicking Refresh Revocation Data manually?


Solution

OK, I finally got it to be as real-time as possible, even though not that "real time". The OCSP service has its own cache, and it seems that the revocation status for a certificate will be cached until the CRL expires. In my lab my CRL validity period was 2 days; this means that even though I revoked a certificate, published the CRL and set the OCSP to refresh it every 5 minutes, the original status would stay in the OCSP cache until 2 days later. But if I clicked Refresh Revocation Data, the OCSP would clear all caches and restart the application pool.

The solution is, first, to enable the NONCE extension in the OCSP service, so that when I send the OCSP request I can include some random information in the NONCE. If the OCSP service finds that the request has NONCE information it will NOT use any cache. So my revocation data is refreshed after the 5 minutes.
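An added example (not the question's Bouncy Castle code, and not anything from Microsoft or Bouncy Castle): a standard-library Python stand-in for the C# client that shows both halves of the NONCE approach the answer describes. `build_ocsp_request` puts id-pkix-ocsp-nonce into requestExtensions, and `responder_honored_nonce` refuses to treat a reply as fresh unless it echoes the same nonce, which is what lets the client tell a fresh lookup from a cached answer. `SAMPLE_ISSUER_NAME`, `SAMPLE_ISSUER_KEY_BITS` and `fake_response` are constructed placeholders; against a real Online Responder you would take the issuing CA certificate's DER subject and subjectPublicKey bits, POST the request as application/ocsp-request, and verify the response signature, which this example does not do.

```python
"""Stdlib-only OCSP helpers: build a request carrying a nonce (RFC 6960 4.4.1, RFC 8954) and
check that the responder's reply echoes it. Every sample input below is constructed."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"
NONCE_OID = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce
BASIC_OID = "1.3.6.1.5.5.7.48.1.1"   # id-pkix-ocsp-basic

def der(tag, body):  # one DER TLV, short or long-form length
    n, width = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + body

def der_seq(*parts):
    return der(0x30, b"".join(parts))

def _oid_body(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                                     # base-128, high bit on all but last
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return bytes(body)

def der_oid(dotted):
    return der(0x06, _oid_body(dotted))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None):
    """OCSPRequest for one certificate. issuer_name_der: DER subject Name of the issuing CA;
    issuer_key_bits: its subjectPublicKey BIT STRING content minus the unused-bits byte."""
    cert_id = der_seq(der_seq(der_oid(SHA1_OID), der(0x05, b"")),        # hashAlgorithm sha1, NULL
                      der(0x04, hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
                      der(0x04, hashlib.sha1(issuer_key_bits).digest()),  # issuerKeyHash
                      der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))  # serial
    tbs = der_seq(der_seq(cert_id))                          # requestList: one Request
    if nonce is not None:                                    # Extension { nonce OID, extnValue }
        ext = der_seq(der_oid(NONCE_OID), der(0x04, der(0x04, nonce)))  # OCTET STRING(OCTET STRING)
        tbs += der(0xA2, der_seq(ext))                       # requestExtensions [2] EXPLICIT
    return der_seq(der_seq(tbs))                             # OCSPRequest { tbsRequest }, unsigned

def _tlv(buf, pos):  # one DER TLV (single-byte tag) at pos -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form: N length bytes follow
        width = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        out.append((tag, body))
    return out

def _unwrap_octet(value):  # RFC 8954: extnValue holds OCTET STRING(nonce); tolerate raw bytes
    try:
        tag, inner, end = _tlv(value, 0)
        return inner if tag == 0x04 and end == len(value) else value
    except (ValueError, IndexError):
        return value

def find_nonce(der_bytes):
    """id-pkix-ocsp-nonce from an OCSP request or response, or None; descends into ResponseBytes."""
    nonce_oid, basic_oid = _oid_body(NONCE_OID), _oid_body(BASIC_OID)
    for tag, body in _children(der_bytes):
        if not tag & 0x20:                                   # primitive node: nothing inside
            continue
        kids = _children(body)
        if tag == 0x30 and len(kids) >= 2 and kids[-1][0] == 0x04:
            if kids[0] == (0x06, nonce_oid):                 # Extension { nonce, [critical], value }
                return _unwrap_octet(kids[-1][1])
            if kids[0] == (0x06, basic_oid):                 # ResponseBytes { basic, OCTET STRING }
                return find_nonce(kids[-1][1])               # embedded BasicOCSPResponse
        found = find_nonce(body)
        if found is not None:
            return found
    return None

def responder_honored_nonce(request_der, response_der):
    """True only if the request carried a nonce and the reply echoes exactly that nonce."""
    sent = find_nonce(request_der)                           # a reply without it may be cached
    return sent is not None and find_nonce(response_der) == sent

def fake_response(nonce):
    """Constructed, unsigned stand-in for a successful responder reply, for offline use only."""
    exts = b""
    if nonce is not None:                                    # responseExtensions [1] EXPLICIT
        exts = der(0xA1, der_seq(der_seq(der_oid(NONCE_OID), der(0x04, der(0x04, nonce)))))
    basic = der_seq(der_seq(exts))                           # BasicOCSPResponse { tbsResponseData }
    return der_seq(der(0x0A, b"\x00"),                       # responseStatus successful(0)
                   der(0xA0, der_seq(der_oid(BASIC_OID), der(0x04, basic))))  # responseBytes [0]

# Constructed sample issuer data, not a real CA: a Name with one CN and placeholder key bits.
SAMPLE_ISSUER_NAME = der_seq(der(0x31, der_seq(der_oid("2.5.4.3"), der(0x0C, b"Lab Issuing CA"))))
SAMPLE_ISSUER_KEY_BITS = bytes(range(256)) * 2
```

In the Bouncy Castle client the equivalent is adding the nonce as a request extension and reading it back from the basic response's extensions; the check is the same: compare the bytes, and treat a reply that comes back without the extension (for instance from a responder that has not had NONCE support enabled) as possibly cached rather than as proof that the status is current.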

Other tips

I have met the same issue on "Windows 2012 ADCS Online Responder". I set "web proxy cache entries" to 0, restarted the "Online Responder" service and now I have "real time" behavior.

During my tests, I also validated the same behavior that you mentioned, i.e. the entries in the OCSP web proxy cache have a lifetime synchronized with the lifetime of the associated OCSP CRL, based on the date/time information specified in the "Next CRL Publish" field of the CRL.

As I haven't found any information on how to define a different policy for the expiration of this cache, I have posted a question about this point: Windows ADCS Online Responder - Define web proxy cache entries expiration delay

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow