

The magic number is a value that determines when a Windows client will process CRLs instead of OCSP: specifically, it is the total number of cached OCSP responses from a single OCSP responder URL on behalf of a single certificate authority at which the client stops performing OCSP and starts processing CRLs. The switch occurs once the number of cached OCSP responses meets or exceeds the magic number, which by default is 50. For an OCSP Responder that provides revocation details for multiple CAs, the count is kept per CA.

Many organizations implement OCSP because of large CRLs or a desire to detect fraudulent certificates with stateful responses (provided by Hotfix 2960124).

The OCSP Magic Number presents a significant security concern to any organization using OCSP, because it quietly stops the use of OCSP queries and switches to using CRLs. If you have a large CRL, that can cause timeouts or certificate revocation failures, the very problem you implemented OCSP to avoid. If you are using stateful responses, the switch to CRL checking means systems will no longer detect fraudulent certificates. This setting is particularly nefarious because there is no logging or detectable change on the client. In fact, the only way you would know that the switch had occurred is to watch network traffic for the transfer of the CRL (and the related cessation of OCSP queries). This can leave the entire OCSP infrastructure largely unused as systems switch to CRLs, while your OCSP servers look healthy and ready to do more work.

There is a reason Microsoft created the Magic Number: to prevent excess data transfer for OCSP in some scenarios. For example, assume you are using certificates for Wi-Fi or VPN authentication and your CRL is 3 MB in size. An OCSP query is approximately 2 KB, so after validating 20,000 certificates the RADIUS server has transferred and cached approximately 40 MB of OCSP response data versus downloading the 3 MB CRL.

Changing the default Magic Number can be accomplished through a group policy setting or locally in the registry, under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config registry key. The registry setting can also be made on a non-domain-joined computer; in that case it affects only the machine where the registry was changed.

To see how this process works and demonstrate the magic number at play, we configured a test system with a magic number of 5:

1. Configured our CA to use OCSP and an HTTP-based CDP location.
2. Issued 6 certificates and exported them to a p7b file.
3. Changed the magic number to 5 on our test computer.
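As an added example (not code from the original post), the following PowerShell script audits the magic number on a Windows client from a defender's point of view: it reads the policy value under the registry key named above, falls back to the default of 50 when no value is set, warns when the threshold has been lowered, and counts cached OCSP responses per responder so you can see how close the client is to silently flipping to CRLs. The post names only the registry key; the DWORD value name CryptnetCachedOcspSwitchToCrlCount is the one Microsoft documents for this setting, and the parsing of certutil's URL-cache listing is an assumption to verify on your own build.

```powershell
# Added example, not code from the original post: audit the effective OCSP "magic number"
# on a Windows client and show how close CryptoAPI's cache is to the switch-to-CRL threshold.
# Assumptions: the DWORD value name is CryptnetCachedOcspSwitchToCrlCount (the name Microsoft
# documents for this setting; the post names only the key) and certutil.exe is present.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$ValueName    = 'CryptnetCachedOcspSwitchToCrlCount'   # assumed value name, see above
$DefaultMagic = 50                                      # built-in default stated in the post

function Get-OcspMagicNumber {
    # Returns the threshold in effect and whether it came from policy/registry or the default.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$ValueName) {
        return [pscustomobject]@{ Value = [int]$item.$ValueName; Source = 'Registry/GPO' }
    }
    [pscustomobject]@{ Value = $DefaultMagic; Source = 'Built-in default' }
}

function Get-CachedOcspResponsesPerResponder {
    # Parses certutil's OCSP URL-cache listing and counts entries per responder host.
    # OCSP GET URLs carry the encoded request after the responder path, so grouping by
    # host approximates the post's "per responder URL, per CA" count.
    $lines  = & certutil.exe -urlcache ocsp 2>$null
    $counts = @{}
    foreach ($line in $lines) {
        if ($line -match '(https?://[^\s/]+)') {
            $responder = $Matches[1]
            $counts[$responder] = 1 + [int]$counts[$responder]
        }
    }
    $counts
}

$magic = Get-OcspMagicNumber
Write-Host ('Effective OCSP magic number: {0} ({1})' -f $magic.Value, $magic.Source)
if ($magic.Source -ne 'Built-in default' -and $magic.Value -lt $DefaultMagic) {
    Write-Warning ('Magic number lowered from {0} to {1}: clients fall back to CRLs after only {1} cached responses per CA, with nothing logged.' -f $DefaultMagic, $magic.Value)
}

$perResponder = Get-CachedOcspResponsesPerResponder
if ($perResponder.Count -eq 0) {
    Write-Host 'No cached OCSP responses found for this user profile.'
}
foreach ($entry in $perResponder.GetEnumerator() | Sort-Object Value -Descending) {
    $state = if ($entry.Value -ge $magic.Value) { 'AT/OVER threshold: CRL in use' } else { 'below threshold' }
    Write-Host ('{0,-40} {1,4} cached ({2})' -f $entry.Key, $entry.Value, $state)
}
```

Run it as the account whose revocation checks you care about: the CryptoAPI URL cache is kept per user profile, so a RADIUS or other service account has its own cache and its own count toward the threshold. A warning from this script is the only early signal you will get, since, as the post notes, the switch itself produces no event log entry.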
