Configure the "Magic Number" for the online responder

Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.

One factor here is the "Magic Number", a setting that exists on every Windows operating system. It causes the system to fall back to the certificate revocation list (CRL), if one is available, once too many OCSP requests have been made for certificates from the same certification authority.

The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. With OCSP, an entity that wants to check the revocation status of a certificate does not have to download the complete list of all revoked certificates; instead it can send a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)".

The point is that as the number of OCSP requests for certificates from the same certification authority increases, it often becomes more efficient to download the certificate revocation list once and evaluate it locally.

A common example is the domain controller that processes smart card logins from users. Here, one or a few servers check the revocation status for very many certificates coming from the same certificate authority.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and makes it possible to apply rules that secure the automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

Adjust default value

The default value for the "Magic Number" is configured to 50 requests and can be adjusted via group policy.

The setting is located under "Computer Configuration" - "Windows Settings" - "Security Settings" - "Public Key policies" - "Certificate Path Validation Settings".

In the "Revocation" tab, the option "Prefer CRL over OCSP responses if number of cached OCSP responses corresponding to the same CRL distribution point is greater than" can now be configured.

The highest value that can be entered is 2147483647.

When this group policy is applied, a registry value named "CryptnetCachedOcspSwitchToCrlCount" is created in the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
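The following PowerShell snippet is an added example, not part of the original article: it reads the registry value the group policy writes, reports the effective threshold (falling back to the built-in default of 50 when no policy value exists), and offers a function to set it locally with range validation. It assumes the value is stored as REG_DWORD and that the function names are ours.

```powershell
# Added example: inspect and optionally set the "Magic Number" that the group policy
# described above writes. Assumption: the value is stored as REG_DWORD.

$PolicyKey    = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$ValueName    = 'CryptnetCachedOcspSwitchToCrlCount'
$DefaultCount = 50            # built-in default when no policy value is present
$MaxCount     = 2147483647    # highest value the policy editor accepts

function Get-OcspSwitchToCrlCount {
    # Returns the effective threshold and where it comes from (policy or default).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Source = 'Default'; Count = $DefaultCount }
    } else {
        [pscustomobject]@{ Source = 'Policy'; Count = [int]$item.$ValueName }
    }
}

function Set-OcspSwitchToCrlCount {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 2147483647)][int]$Count
    )
    # Prefer configuring this via group policy as described above: a value written
    # locally under the Policies hive is overwritten at the next policy refresh
    # if a GPO that sets it applies to this computer.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Count -Force | Out-Null
}

# Report the current state, e.g. on a domain controller validating smart card certificates.
$state = Get-OcspSwitchToCrlCount
'{0}: Windows prefers the CRL after more than {1} cached OCSP responses per CRL distribution point' -f $state.Source, $state.Count
```

Run the report with an elevated prompt on the machine whose chain-building behaviour you want to verify; setting the value requires local administrator rights.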
