Monday, 5 September 2011

Trust me, I'm a CA - Part 4. The joy of certificates - Part 6

This is a follow-on post from this post.

I have finally managed to get this working. The issue is better explained with pictures, for reasons that soon will become obvious:



You can see how the OCSP is now active and there is a URL for it; see this link on how to set this up. The thing I don't quite understand is that before it was active, client certificates would not work because they could not get to the CA to confirm whether they were revoked, and thus IIS refused to use them, but once I configured it, even with the CA web server down, it works. I've restored the CA back to pre-OCSP and it still works.

I'm afraid that this post poses more questions than answers, but that is life sometimes, I guess, when one is learning. More reading about CAs, here I come.
