Monday 9 December 2013

CRL/OCSP Cache Control


Once again Process Monitor solved the case. This time the case came up while I was implementing an online responder at a customer site. During the initial testing the responder cluster seemed to give up after a few hundred queries. The solution we had planned required a highly available responder with very high performance. The customer site had no way of reaching the published CRLs in the certificate CDP, which is why we chose to install an onsite online responder to serve requests locally. All clients and servers got the responder setting specified through GPOs.


By using this PowerShell script I was able to send thousands of unique queries to the OCSP responder. The script relies on certificate files residing in a local folder.


The result was always the same. When the number of cache entries from the same CA exceeded 500, the client stopped querying the OCSP responder.






The GPO setting that specifies the number of OCSP queries the client should make before switching to the CRL did not help. It did not change the behavior at all.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config
CryptnetCachedOcspSwitchToCrlCount


I contacted Microsoft Support for assistance in this case and they really could not help. Then I got the idea to try Process Monitor to see what really happened. Right away the tool showed me that the application tried to read a registry value that was missing.



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\
CryptnetMaxCachedOcspPerCrlCount
This value looked like exactly what I was looking for, but it is undocumented. After creating the value and setting it to 2000 to regulate the behavior of the revocation cache, I could run my tests without any errors. Now we can use the responder without any problem.
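The test loop described earlier and the registry value above, combined in one added example (this is not the author's script, which is not reproduced on the page). It assumes Windows PowerShell on a domain-joined client, a folder of .cer files at the constructed path C:\certs, and an elevated shell if -SetMaxCachedOcsp is used to write HKLM; the two registry paths are the ones quoted in the post.

```powershell
# Added example: build chains with online revocation checking for every certificate
# in a folder and show the two chain-engine cache settings discussed in the post.
param(
    [string]$CertFolder = 'C:\certs',   # assumption: folder of DER/Base64 .cer files
    [int]$SetMaxCachedOcsp = -1         # -1 = read only; 2000 applies the value from the post
)

# Registry locations quoted in the post (policy key vs. chain-engine key)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$engineKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

function Get-RegValueOrDefault([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { '<not set>' }
}

# Record both values before the run so the log shows which setting was in effect
"CryptnetCachedOcspSwitchToCrlCount : " + (Get-RegValueOrDefault $policyKey 'CryptnetCachedOcspSwitchToCrlCount')
"CryptnetMaxCachedOcspPerCrlCount   : " + (Get-RegValueOrDefault $engineKey 'CryptnetMaxCachedOcspPerCrlCount')

if ($SetMaxCachedOcsp -ge 0) {
    # The engine key is missing by default; create it and write the DWORD value
    if (-not (Test-Path $engineKey)) { New-Item -Path $engineKey -Force | Out-Null }
    New-ItemProperty -Path $engineKey -Name 'CryptnetMaxCachedOcspPerCrlCount' `
        -Value $SetMaxCachedOcsp -PropertyType DWord -Force | Out-Null
}

# One chain build per certificate; each unique certificate produces its own OCSP lookup.
# Once the per-CRL OCSP cache limit is reached the engine falls back to the CRL, which
# fails at a site that cannot reach the CDP, so those certificates show up as failures.
$ok = 0; $failed = @()
Get-ChildItem -Path $CertFolder -Filter *.cer | ForEach-Object {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($cert)) {
        $ok++
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $failed += [pscustomobject]@{ File = $_.Name; Status = $status }
    }
    $chain.Reset()
}
"Chains built OK: $ok, failed: $($failed.Count)"
$failed | Format-Table -AutoSize
```

Run it once with the default settings to reproduce the failures past the cache limit, then again with -SetMaxCachedOcsp 2000 to confirm the behavior described above.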


Once more I contacted Microsoft Support, this time for an official statement about using the value. This is their response:
"As indicated by these default values, we recommend the use of a single CRL instead of thousands of OCSP responses. Each chain build will require an online network retrieval. These individual OCSPs will be cached in the login process and file system. Assuming 2K per OCSP response this would be 2M bytes per 1K users.
You are probably OK using OCSP if the number of users is under 10K."