
I set up a root and intermediate CA with OpenSSL and started issuing server certificates. For MS RDP (RemoteApp) it required OCSP, so I also set up an OCSP responder with OpenSSL. Testing with the openssl ocsp command worked fine, but using MS RDP, or even a webserver (IIS) with that issued certificate being accessed by Firefox, complained that the CA could not be contacted.

I posted everything here, but after a while I realized the OpenSSL OCSP manual says this:

The OCSP server is only useful for test and demonstration purposes: it is not really usable as a full OCSP responder. It contains only a very simple HTTP request handling and can only handle the POST form of OCSP queries.

So, I'm guessing I should not use OpenSSL for an OCSP responder? What is the best way to set up one then, preferably using open software and CentOS?

Adriano_pinaffo
  • As @grawity states below, RDP doesn't require OCSP at all. But if you insist on using one, Primekey's EJBCA has a responder in their open-source and enterprise version. You'd be better off using a CA application (such as EJBCA) rather than OpenSSL if you're serious about security. – garethTheRed Nov 19 '18 at 16:55
  • In fact, RDP doesn't require OCSP, but RemoteApp, which uses RDP, requires it. I was checking EJBCA but I was trying to stay away from Java. Then I saw OpenCA and DogTag. I may try to use one of them. – Adriano_pinaffo Nov 19 '18 at 17:39
  • DogTag also requires Java unfortunately :-( – garethTheRed Nov 20 '18 at 08:36
  • Although I'm not directly answering your question, I've just installed RemoteApps on a Server 2008R2 lab (it was convenient) and there was no requirement to use OCSP. Which version of Windows are you using? – garethTheRed Nov 20 '18 at 21:23
  • @garethTheRed, the server is Windows 2012R2. I was sure to add a certificate without the "Authority Information Access:" extension. I added it to "RD Connection Broker - Enable Single Sign On" and "RD Connection Broker - Publishing". Still, when I try to connect it says "A revocation check could not be performed for the certificate". – Adriano_pinaffo Nov 28 '18 at 18:56
  • Authority Information Access is used to build the certificate chain in the event that the server doesn't send the full chain. You need the CRL Distribution Point extension to get revocation working. – garethTheRed Nov 28 '18 at 22:06
