New Certutil Argument – DownloadOCSP and Details of Caching issue with -Verify

During the development of my new ADCS Advanced PKI Training Class, I was working on creating a process to demonstrate how to manipulate the OCSP caching behavior in Windows. If you aren’t already aware, Microsoft OCSP responders use the expiration date of the authoritative CRL used for their answers as the expiration date (Next Update field) in the OCSP responses they send. This means clients cache OCSP responses for a considerable amount of time depending on how long the CA is creating it’s CRLs for. There is no native way to change this expiration process.

So working out a simple process to get rid of this caching behavior – or reducing it to something much more timely, meant working with the OCSP responses on client computers. When I was working with the OCSP cache files – which you can view with certutil -urlcache OCSP, I noticed an interesting behavior. When I would examine a certificate with a known OCSP extension with certutil -verify -urlfetch <samplecert.crt>, the output would show that an OCSP look was perform and the certificate was valid, but strangely, there was no resultant OCSP response in the cache.

To demonstrate this, I exported an SSL certificate from Amazon and ran a verification of the certificate:

C:\Users\Mark\Downloads>certutil -urlfetch -verify amazon.crt > output.txt

In the output file, you can plainly see:

Issuer: CN=Symantec Class 3 Secure Server CA – G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
NotBefore: 5/17/16 5:00 PM
NotAfter: 12/30/16 4:59 PM
Subject: CN=www.amazon.com, O=”Amazon.com, Inc.”, L=Seattle, S=Washington, C=US
Serial: 7e499645909b4c62b46fa8c5268d189e
SubjectAltName: DNS Name=amazon.com, DNS Name=amzn.com, DNS Name=uedata.amazon.com, DNS Name=us.amazon.com, DNS Name=www.amazon.com, DNS Name=www.amzn.com, DNS Name=corporate.amazon.com, DNS Name=buybox.amazon.com, DNS Name=iphone.amazon.com, DNS Name=yp.amazon.com, DNS Name=home.amazon.com
Cert: 70ccf54e82ffb5d4d2dbcce89c5390fcf6202084
….
—————- Certificate OCSP —————-
Verified “OCSP” Time: 0
[0.0] http://ss.symcd.com

But when I view the cache immediately afterwards, I expected to see an OCSP response – But I didn’t

C:\Users\Mark\Downloads>certutil -urlcache OCSP

**** OFFLINE ****

CertUtil: -URLCache command completed successfully.

 

How to explain this? Well it took some investigation and some connections and I found that the certutil commands that perform certificate validation also raise a flag to CAPI2 that instructs it not to cache and results. An important thing to know, but more immediately, it meant I had to find a new way to work with OCSP responses.

Luckily those same contacts pointed out a little know new argument in Certutil, the downloadocsp argument. It had been added with Windows 10 – so it wasn’t yet in the Server OSes (other than Server 2016 which is in beta). I’ll assume that’s why I hadn’t seen it – right? We can all go along with that right?

So, what does this lovely new command do? It allows you to create a folder full of one or more certificates that contain an OCSP extension. Then create another folder for results. The argument will go through each certificate and perform an OCSP query against the defined OCSP responder, and download (cache) the result in the output results folder. Once there,  you can use the results for OCSP stapling, or more importantly, you can examine the OCSP response itself. It also means, I can instruct the client to perform an OCSP query on demand and subsequently review the results.

So here is how I used it in my lab – using the Amazon certificate as an example:

  1. Create a folder called certificates, and place any certs you want to compare there.
  2. Create a second folder called results in the same location as the other folder
  3. In a command prompt, go to the folder location with both of the above folders and run certutil -downloadocsp certificates results downloadonce
  4. Once the command completes, you will have a result file in the results folder for each certificate that was examine.
  5. Use the command certutil <outputfile> to view the contents of the OCSP response.

C:\Users\Mark\Downloads>certutil -downloadocsp certificates results downloadonce
CertUtil: -downloadOcsp command completed successfully.

C:\Users\Mark\Downloads>certutil results\70CCF54E82FFB5D4D2DBCCE89C5390FCF6202084.ocsp
OCSP Response:
OCSP_SUCCESSFUL_RESPONSE
1.3.6.1.5.5.7.48.1.1 szOID_PKIX_OCSP_BASIC_SIGNED_RESPONSE
Version: 1
OCSP_BASIC_BY_KEY_RESPONDER_ID
11 b2 c9 97 d4 5a 7c 06 16 bd 60 a5 85 c7 bd 61 8f ee 26 03
Produced At 7/19/16 10:58 AM
OCSP Response Entries: 1

OCSP Response Info[0]:
Hash Algorithm:
Algorithm ObjectId: 1.3.14.3.2.26 sha1 (sha1NoSign)
Algorithm Parameters:
05 00
Issuer Name Hash(sha1): d1b1648b8c9f0dd16ba38acd2b5017d5f9cfc064
Issuer Key Hash(sha1): 5f60cf619055df8443148a602ab2f57af44318ef
Serial Number: 7e499645909b4c62b46fa8c5268d189e
OCSP_BASIC_GOOD_CERT_STATUS
ThisUpdate: 7/19/16 10:58 AM
NextUpdate: 7/26/16 10:58 AM
Extensions: 0

 

A nice attribute of Certutil.exe is that is can be manually picked up and placed onto another machine if you want to. This means you can take the certutil.exe from a Windows 10 machine and copy it to another/older OS and then be able to use this DOWNLOADOCSP argument not present in your OS. There are two rules:

  1. You must make sure the platform architecture is compatible, if you copy Certutil from a 64bit OS, it can only be used on a 64bit OS on another computer
  2. You must also bring along the en-US\certutil.exe.mui file and keep the en-US folder in the same folder as certutil.exe that it belongs to. The en-US folder is %windir%\system32\en-US. You only need the certutil.exe.mui file in that folder.

About Mark B. Cooper aka "The PKI Guy"

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.