The CRLs and also the OCSP responses are signed by the CA. This means any kind of manipulation will already be detected even if the CRL or OCSP response is transferred using an insecure transport. Thus the protection against tampering which is offered by HTTPS is not needed.

The “chicken and egg” problem Tom mentioned in his comment on Steffen's answer is that using HTTPS to check for CRL/OCSP responses when wiring up HTTPS connections would create an infinite loop of HTTPS connections which in turn have to check for CRL/OCSP responses.

OCSP over HTTPS is technically a non-working solution, because it requires an SSL certificate that is issued by another authority, because the SSL certificate MUST be checked for revocation. If the SSL cert is issued by the same authority as the certificate being checked, then you will never reach the OCSP service. When using a 3rd-party certificate, you will be redirected to an OCSP service provided by a 3rd-party authority. If the 3rd-party OCSP uses SSL, then you are starting over, another authority must be used to provide the SSL certificate and this will lead to an infinite request sequence. Thereby, OCSP over HTTPS is a really bad solution. Not sure, but apparently CryptoAPI will permanently fail when facing an SSL handshake request during an OCSP query. And the document you provided is about nothing. There is no security risk if someone changes an OCSP response by removing the response data and modifying it to tryLater status. In any case when the status is not Successful, the OCSP service is considered unreliable and the revocation provider will move to another OCSP service (that is specified in the AIA extension) or fall back to the CRL.
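As an added example (not code from any of the answers above), the following Python script uses the `cryptography` library to build a constructed test CA, leaf certificate and CA-signed OCSP response, then shows both points made above: a response edited in transit over plain HTTP fails the signature check over tbsResponseData, and a tryLater response carries no signed data and is simply treated as unreliable so the client moves on to the next responder or the CRL. The CA name, leaf name and dates are constructed values.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding

# Constructed test PKI (not real certificates): a self-signed CA and one leaf it issued.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

def make_cert(common_name, pubkey):
    """Issue a minimal certificate signed by CA_KEY (test-only, no extensions)."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(CA_NAME).public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(CA_KEY, hashes.SHA256()))
CA_CERT = make_cert("Example Test CA", CA_KEY.public_key())
LEAF_CERT = make_cert("leaf.example", ec.generate_private_key(ec.SECP256R1()).public_key())

def good_response_der():
    """A CA-signed OCSP response saying LEAF_CERT is good, as DER bytes."""
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + datetime.timedelta(days=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, CA_CERT)
            .sign(CA_KEY, hashes.SHA256()))
    return resp.public_bytes(Encoding.DER)
def try_later_der():
    """An unsigned tryLater response, the status an overloaded responder returns."""
    resp = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.TRY_LATER)
    return resp.public_bytes(Encoding.DER)
def tamper(der):
    """Simulate an edit in transit over plain HTTP: alter the responder name inside tbsResponseData."""
    return der.replace(b"Example Test CA", b"Evample Test CA", 1)
def check(der):
    """Client decision: 'good', 'revoked' or 'unreliable' (try the next AIA URL or the CRL)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unreliable"  # tryLater etc. carry no signed data; move on
    try:  # the issuer's signature over tbsResponseData must verify (CA key stands in for the chain)
        CA_KEY.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "unreliable"  # modified or mis-signed response; discard and move on
    return "good" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "revoked"
```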
1) You will place the OCSP server itself in the DMZ and create firewall rules to allow:
– Domain membership in the uw.loc domain (to allow enrollment of the OCSP certificates from the internal CA)
– Internal access to the OCSP server using TCP 80 (HTTP)
– External access from the Internet to TCP 80 (HTTP)

2) You will place the OCSP server on the internal network, and place a load balancer in the DMZ (or publish using a product like ISA):
– Need to publish TCP 80 from the Internet to the load balancer
– Need to publish TCP 80 from the internal network to the load balancer

https://social.technet.microsoft.com/Forums/lync/en-US/e8e3cb56-bfb9-4bab-91b5-de7747361fbb/ocsp-in-dmz?forum=winserversecurity

How to set up an OCSP Web Proxy inside the DMZ for OCSP Internet access?