
OCSP revocation checking

 
Kendrick Lin
Greenhorn
Posts: 2
I am working on trying to verify that a DoD CAC card (smart card) certificate is valid and checking whether or not it has been revoked. I need to communicate with their OCSP responder and I found an API from bouncycastle that helps me generate the request and read the response to the OCSP responder. The request function requires that I supply the root certificate, but I am not sure how to find the root certificate. Is it something I have to find somewhere or is it something already contained within the CAC card? The CAC card has 3 security certificates, but I don't think any of them are the root certificates as I don't know how to determine this. I don't have a lot of experience with PKI security, so I need a little bit of guidance on that part. Anybody know how to obtain the root certificate?
 
Des Robin
Ranch Hand
Posts: 30
Hi Kendrick

This information is quite likely on a local intranet. I googled around the topic and found the following PDF which appears to cover the use of PKI from the DoD perspective:

http://www.disa.mil/Services/Network-Services/UCCO/~/media/Files/DISA/Services/UCCO/APL-Process/UC_DoD_PKI_Guide.pdf

Thanks.
 
Campbell Ritchie
Marshal
Posts: 56595
And welcome to the Ranch
 
Kendrick Lin
Greenhorn
Posts: 2
Des Robin wrote:Hi Kendrick

This information is quite likely on a local intranet. I googled around the topic and found the following PDF which appears to cover the use of PKI from the DoD perspective:

http://www.disa.mil/Services/Network-Services/UCCO/~/media/Files/DISA/Services/UCCO/APL-Process/UC_DoD_PKI_Guide.pdf

Thanks.


Thanks for the response Des. I have downloaded a set of certificates called "DOD CA-19", "DOD CA-20", "DOD CA-21", etc. from a link that I found. If you open the certificate contained in the CAC card and look at the "Issuer" information, the CN is "DOD CA-20". The OCSP server requires that I include the root certificate with my request. Does this mean that I need to send the downloaded certificate called "DOD CA-20" as my root certificate?
 
Mike Bu
Greenhorn
Posts: 2
Kendrick Lin wrote:
Des Robin wrote:Hi Kendrick

This information is quite likely on a local intranet. I googled around the topic and found the following PDF which appears to cover the use of PKI from the DoD perspective:

http://www.disa.mil/Services/Network-Services/UCCO/~/media/Files/DISA/Services/UCCO/APL-Process/UC_DoD_PKI_Guide.pdf

Thanks.


Thanks for the response Des. I have downloaded a set of certificates called "DOD CA-19", "DOD CA-20", "DOD CA-21", etc. from a link that I found. If you open the certificate contained in the CAC card and look at the "Issuer" information, the CN is "DOD CA-20". The OCSP server requires that I include the root certificate with my request. Does this mean that I need to send the downloaded certificate called "DOD CA-20" as my root certificate?


Hello Kendrick,
Have you made the DoD's OCSP work for you?
Please share.

Thanks.
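
Added example, not part of any post in this thread: an OCSP request (RFC 6960) identifies a certificate by a hash of its issuer's name, a hash of its issuer's public key, and its serial number, so the certificate handed to the Bouncy Castle request builder is the one that signed the certificate being checked. The sketch below picks that issuer from a set of candidate CA certificates and builds the request. It assumes the Bouncy Castle bcprov and bcpkix jars are on the classpath; the class name, helper names and all "Example" certificates are constructed for illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cert.ocsp.*;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.*;

public class OcspIssuerExample {
    // Constructed test certificate: 'subject' is signed by issuerKey under the name 'issuer'.
    static X509Certificate make(String issuer, String subject, PublicKey pub, PrivateKey issuerKey, long serial) throws Exception {
        Date from = new Date(), to = new Date(from.getTime() + 86_400_000L);
        X509CertificateHolder h = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial), from, to, new X500Name(subject), pub)
            .build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey));
        return new JcaX509CertificateConverter().getCertificate(h);
    }

    // The issuer is the candidate whose subject equals the leaf's Issuer field AND whose key verifies the leaf.
    static X509Certificate findIssuer(X509Certificate leaf, List<X509Certificate> candidates) {
        for (X509Certificate ca : candidates) {
            if (!ca.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
            try { leaf.verify(ca.getPublicKey()); return ca; } catch (GeneralSecurityException e) { /* same name, wrong key */ }
        }
        throw new IllegalArgumentException("no candidate issued " + leaf.getSubjectX500Principal());
    }

    // CertificateID = hash(issuer name) + hash(issuer public key) + serial number of the certificate to check.
    static OCSPReq buildRequest(X509Certificate leaf, X509Certificate issuer) throws Exception {
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID id = new CertificateID(sha1, new JcaX509CertificateHolder(issuer), leaf.getSerialNumber());
        return new OCSPReqBuilder().addRequest(id).build();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair root = g.generateKeyPair(), ca = g.generateKeyPair(), user = g.generateKeyPair();
        // Constructed three-level chain: self-signed root -> intermediate CA -> end-entity certificate.
        X509Certificate rootCert = make("CN=Example Root", "CN=Example Root", root.getPublic(), root.getPrivate(), 1);
        X509Certificate caCert = make("CN=Example Root", "CN=Example CA-20", ca.getPublic(), root.getPrivate(), 2);
        X509Certificate leaf = make("CN=Example CA-20", "CN=Example User", user.getPublic(), ca.getPrivate(), 3);
        X509Certificate issuer = findIssuer(leaf, List.of(rootCert, caCert));
        OCSPReq req = buildRequest(leaf, issuer);
        System.out.println("issuer: " + issuer.getSubjectX500Principal() + ", request bytes: " + req.getEncoded().length);
    }
}
```

With real certificates, the candidates would be loaded with `CertificateFactory.getInstance("X.509")` from CA files obtained from a trusted source, and the bytes from `req.getEncoded()` are what gets sent to the responder.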
 