OCSP Request

  • Question

  • Hi,

    I have a requirement wherein we need to use OCSP for checking revocation status of certificates.
    I am using the API CertGetCertificateChain() with flag 'CERT_CHAIN_REVOCATION_CHECK_CHAIN' at the client side.

    However, with Wireshark, I see the below HTTP GET requests going out:

    HTTP GET  ocsp/xxxxxxxxxxxxxxxx%2xxxxxxxxfM%2B9uVNwy%2BpGlchAVpACCjKtDpoAAAAAAEI%3D HTTP/1.1
    HTTP GET /CertEnroll/abcdefg-WIN-ABCDEFG-CA.crl HTTP/1.1

    I was expecting to see only the 'http get ocsp' request, as I understand this is the request to be sent to the OCSP Responder to get the revocation status of the certificate by OCSP.

    The second GET request, pointing to the base CRL, looks like the status of the certificate is being checked using the CRL.

    Can anybody please clarify if this is expected, or if there is any registry change or configuration change that I should be doing so that only the http get ocsp request goes through?

    Thanks.
    Monday, August 22, 2011 4:41 AM
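
Added example (not part of the original post, and not CryptoAPI code): a Python sketch for telling the two kinds of request in such a capture apart. It relies on RFC 6960 Appendix A.1, where an OCSP GET path ends in the URL-encoded base64 of the DER OCSPRequest, and recovers the queried certificate serial number from it. The function names, the `GET <path> HTTP/1.1` line format and the sample request (dummy issuer hashes, constructed serial) are assumptions made for illustration.

```python
import base64
from urllib.parse import quote, unquote

def tlv(tag, body):
    """DER-encode one element (short-form length only; enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def ocsp_serial(der):
    """Serial number from the first CertID of a DER OCSPRequest (RFC 6960)."""
    _, ocsp, _ = read_tlv(der)          # OCSPRequest
    _, tbs, _ = read_tlv(ocsp)          # TBSRequest
    tag, pos = None, 0
    while tag != 0x30:                  # skip optional [0] version, [1] requestorName
        tag, req_list, pos = read_tlv(tbs, pos)
    _, request, _ = read_tlv(req_list)  # first Request
    _, cert_id, _ = read_tlv(request)   # CertID
    pos = 0
    for _ in range(4):                  # hashAlgorithm, nameHash, keyHash, serial
        tag, val, pos = read_tlv(cert_id, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(val, "big")

def classify(request_line):
    """Map 'GET <path> HTTP/1.1' to ('crl'|'ocsp'|'other', serial or None)."""
    path = request_line.split()[1]
    if path.lower().endswith(".crl"):
        return "crl", None
    try:  # RFC 6960 A.1: last segment = url-encoded base64 of the DER request
        der = base64.b64decode(unquote(path.rsplit("/", 1)[-1]), validate=True)
        return "ocsp", ocsp_serial(der)
    except (ValueError, IndexError):
        return "other", None

def sample_ocsp_line(serial):
    """Constructed request: SHA-1 CertID with dummy issuer hashes."""
    alg = tlv(0x30, bytes.fromhex("06052b0e03021a0500"))
    cert_id = tlv(0x30, alg + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20)
                  + tlv(0x02, serial.to_bytes(4, "big")))
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
    return "GET /ocsp/" + quote(base64.b64encode(der).decode(), safe="") + " HTTP/1.1"
```

Matching the decoded serial number against each certificate in the chain shows which certificate a given OCSP request was for, and therefore which certificates were not covered by any OCSP request in the capture.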