Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.
One variable here is the "Magic Number", which is present on every Windows operating system. It causes the system to fall back to blacklists (if present) if requests are made too often via OCSP for the same certificate authority.
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates thanks to OCSP, but can make a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)„.
The point is that as the number of OCSP requests for certificates from the same certificate authority increases, it is often efficient to download the certificate revocation list once instead and use it locally.
A common example is the domain controller that processes smart card logins from users. Here, one or a few servers check the revocation status for very many certificates coming from the same certificate authority.
Adjust default value
The default value for the "Magic Number" is configured to 50 requests and can be adjusted via group policy.
The setting is located under "Computer Configuration" - "Windows Settings" - "Security Settings" - "Public Key policies" - "Certificate Path Validation Settings".
In the "Revocation" tab, the option "Prefer CRL over OCSP responses if number of cached OCSP responses corresponding to the same CRL distribution point is greater than" can now be configured.
The highest value that can be entered is: 2147483647.
When this group policy is applied, a registry value named "CryptnetCachedOcspSwitchToCrlCount" is created in the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
Related links:
External sources
- Optimizing the Revocation Experience / Defining Default Behavior (Microsoft)
- OCSP Magic Number (PKI Solutions, Inc.)
English 
Deutsch
4 thoughts on “Die „Magic Number“ für den Onlineresponder konfigurieren”
Comments are closed.