Windows 7 OCSP malformed request


I couldn't get the OCSP revocation check to work on Windows 7. I installed my self-signed Root and Intermediate certificates (generated using OpenSSL 0.9.8) on my Windows 7 machine. I then go to Internet Explorer and type in the URL. The port sends back a leaf certificate which has the OCSP URL in the extension, and the leaf cert is revoked. I verified it using openssl ocsp -url http://xxx -issuer Ica.crt -cert leaf.crt -CAfile Root.crt.

In IE, type in the URL. It appears that it took some time (15 seconds) and came back with a connection instead of a revocation warning. The OpenSSL OCSP responder log says "malformed request". If I ping the same from a Windows Vista machine, there is no problem.

Is there a security patch that I need to install or some setting to flip to enable this check? BTW, I do have the "Check for server certificate revocation" box checked in IE/Tools/Internet Options/Advanced/Security.

-M Plunkett

I am using the TORSEC OCSPD responder. The Windows 7 client sends only an HTTP GET to OCSPD, instead of an HTTP GET and then an HTTP POST (if the GET failed) as CryptoAPI 2.0 does on a Windows Vista client. So, my problem is why the Windows 7 client never switches to HTTP POST when the HTTP GET failed.

-M Plunkett
