
4 Protocol Examples

An administrator needs to enable the responder to create OCSP responses for clients requesting revocation status for certificates issued by a CA called "CA1", which runs on a machine called "Server1".

CA1 is configured to issue certificates based on a certificate template called "OCSPResponseSigning".

This means that the administrator needs to create a new revocation configuration on the responder, configured for the CA certificate of CA1.

  1. The client needs to query all the revocation configuration IDs currently configured on the responder to ensure that it does not overwrite an existing entry. The client queries the responder revocation configuration list using the GetOCSPProperty method, with bstrEntryName of "CAEntries".

  2. The server returns the list of revocation configuration IDs currently on the server as the variant referenced by parameter pEntryValue (for each revocation configuration in RevocationConfigurationList, there should be an element in the safearray referenced by pArray that contains the BSTR for the Unicode string value of the RevocationConfigurationId).

  3. The client reads the list of revocation configuration IDs returned by the server and creates a unique RevocationConfigurationId (that is, not a duplicate of any existing entry).

  4. The client then constructs a variant of type VT_ARRAY|VT_VARIANT whose pArray member points to a two-dimensional array. The two-dimensional array will have one element of the first dimension (that is, one row) for each revocation configuration property the administrator wishes to set. The array will have two elements of the second dimension (that is, columns) for each element of the first dimension: one containing a variant of type VT_BSTR whose bstrVal contains the name of a revocation configuration property, and one containing a variant with the value for that property. The property value variants are constructed as follows:

    1. CA Certificate property:

      1. vt member is VT_ARRAY|VT_VARIANT.

      2. pArray references a single dimension safearray with one element for each byte of the ASN1 DER encoded CA certificate for CA1.

    2. SigningFlags property:

      1. vt member is VT_I4.

      2. lVal contains the value whose hex representation is 0x0000025d. This means that the following Signing Flags are set (defined in section

        1. 0x01 – silently acquire private key

        2. 0x04 – auto-use renewed signing certificate

        3. 0x08 – signing certificate signed by CA certificate key

        4. 0x10 – automatically look for an OCSP cert

        5. 0x40 – responses include key hash of signing certificate

        6. 0x200 – enroll for a signing certificate from CAConfig, using SigningCertificateTemplate

    3. ProviderCLSID property:

      1. vt member is VT_BSTR.

      2. bstrVal contains the BSTR representation of the Unicode string representation of "{4956d17f-88fd-4198-b287-1e6e65883b19}".

    4. Provider property:

      1. vt member is VT_ARRAY|VT_VARIANT.

      2. pArray points to another two-dimensional array with property name and property value pairs like those described for the containing variant array.

        • BaseCrlUrls property:

          1. vt member is VT_ARRAY|VT_BSTR.

          2. pArray points to a single dimension safearray, in which each element is a BSTR representation of the Unicode representation of a URI from which the responder can obtain a CRL published by CA1. In this example, the value "http://CA1.Server1.contoso.com/CRL/CA1.crl" is used.

    5. SigningCertificateTemplate:

      1. vt member is VT_BSTR.

      2. bstrVal is the BSTR representation of the Unicode string representation of "OCSPResponseSigning" (the template name).

    6. CAConfig:

      1. vt member is VT_BSTR.

      2. bstrVal is the BSTR representation of the Unicode string representation of "Server1\CA1", the CA configuration string.

  5. The client calls the SetCAConfigInformation method on the server, passing the newly generated RevocationConfigurationId as the bstrCAId parameter, and a pEntryValue pointing to the variant constructed in step 4, containing configuration values for the new revocation configuration.

  6. The server creates the new revocation configuration and returns S_OK.
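The property table from step 4, the SigningFlags decoding and the duplicate-ID check from steps 1 to 3, as an added Python model that is not code from the MS-OCSPA specification. The wire property names (for example "CACertificate") and the per-byte VT_UI1 element type are assumptions; the VARIANT is modelled as a (vt, value) tuple.

```python
from typing import Any, Dict, List, Tuple

# VARENUM type codes from the Windows SDK (oaidl.h / wtypes.h).
VT_I4, VT_BSTR, VT_VARIANT, VT_UI1, VT_ARRAY = 3, 8, 12, 17, 0x2000
Variant = Tuple[int, Any]  # (vt, value): a minimal stand-in for a VARIANT

# SigningFlags bits as listed on this page (MS-OCSPA defines more; they are reported as unknown).
SIGNING_FLAGS = {
    0x01: "silently acquire private key",
    0x04: "auto-use renewed signing certificate",
    0x08: "signing certificate signed by CA certificate key",
    0x10: "automatically look for an OCSP cert",
    0x40: "responses include key hash of signing certificate",
    0x200: "enroll for a signing certificate from CAConfig, using SigningCertificateTemplate",
}

def decode_signing_flags(value: int) -> Tuple[List[str], int]:
    """Names of the page-defined bits set in value, plus any bits this table does not know."""
    names = [n for bit, n in SIGNING_FLAGS.items() if value & bit]
    unknown = value & ~sum(SIGNING_FLAGS)  # sum of the dict keys = mask of known bits
    return names, unknown

def new_revocation_config_id(existing: List[str], proposed: str) -> str:
    """Step 3: reject a RevocationConfigurationId that duplicates an entry from 'CAEntries'."""
    if proposed in existing:
        raise ValueError(f"revocation configuration {proposed!r} already exists")
    return proposed

def build_revocation_config(ca_cert_der: bytes, signing_flags: int, provider_clsid: str,
                            base_crl_urls: List[str], template: str, ca_config: str) -> Variant:
    """Step 4: the VT_ARRAY|VT_VARIANT of [name, value] rows passed as pEntryValue."""
    # Property names below are assumed wire names; the page names them only in prose.
    provider_rows = [[(VT_BSTR, "BaseCrlUrls"), (VT_ARRAY | VT_BSTR, list(base_crl_urls))]]
    rows = [
        [(VT_BSTR, "CACertificate"), (VT_ARRAY | VT_VARIANT, [(VT_UI1, b) for b in ca_cert_der])],
        [(VT_BSTR, "SigningFlags"), (VT_I4, signing_flags)],
        [(VT_BSTR, "ProviderCLSID"), (VT_BSTR, provider_clsid)],
        [(VT_BSTR, "Provider"), (VT_ARRAY | VT_VARIANT, provider_rows)],  # nested name/value table
        [(VT_BSTR, "SigningCertificateTemplate"), (VT_BSTR, template)],
        [(VT_BSTR, "CAConfig"), (VT_BSTR, ca_config)],
    ]
    return (VT_ARRAY | VT_VARIANT, rows)

def validate_property_table(var: Variant) -> Dict[str, Variant]:
    """Check the two-dimensional shape the page describes and return name -> value variant."""
    vt, rows = var
    if vt != VT_ARRAY | VT_VARIANT:
        raise ValueError("property table must be VT_ARRAY|VT_VARIANT")
    out: Dict[str, Variant] = {}
    for row in rows:  # one row per property, exactly two columns: VT_BSTR name, then value
        if len(row) != 2 or row[0][0] != VT_BSTR:
            raise ValueError("each row needs a VT_BSTR name and one value variant")
        if row[0][1] in out:
            raise ValueError(f"duplicate property {row[0][1]!r}")
        out[row[0][1]] = row[1]
    return out
```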

© 2014 Microsoft. All rights reserved.