We've got our OCSP URL basically presented as a VIP on a pair of NetScalers, and two issuing CAs sitting under a common root CA.
When an OCSP call comes in, the NetScaler does its job and load balances between the two, forwards the query and the response back - so the actual server that gets queried can vary depending on the source IP (that's the hash I used) for load balancing.
Thing is, when IssuingCA1 revokes a cert, apparently I need to synchronise the serial numbers to its buddy (IssuingCA2) in order for the OCSP call to be - if you like - made to make the actual non-issuing CA aware that that cert is actually revoked. This makes sense.
I was kind of attracted to OCSP as I don't have to download a bigger and bigger CRL cert (I know this is automated on ClearPass, awesome product I know), and it's instant. Now I am told a scheduled task will be run every hour to update the CRL, which will pass on the serial numbers to both issuing CAs so they can respond correctly to an OCSP call.
So now I am left with a problem - do I try and match the session timeout with a value that corresponds to the probable length of time the issuing CAs can work out and agree that a cert has been revoked?
I mean, you'll only fail authentication when you re-attempt it, right? I mean, presumably session timeout or roaming events will trigger this - but, as crazy as it sounds, I think most of the users stay put even though they are on Wi-Fi.
Anyone considered this? If you have managed to read down this far, thank you! And I'd be interested in your experience and feedback - many thanks.
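An added check (example code, not from the original post or from any vendor): it parses the OCSP answer each backend behind the VIP gives for the same certificate, verifies the signatures, and flags when the two issuing CAs disagree, which is exactly the state a client can land in during the hourly sync window. It uses the `cryptography` library; the CA, the client cert and both responses are constructed in memory, and it assumes both responders sign with the issuing CA key (real responders usually use a delegated responder cert), so in production `make_response` would be replaced by posting the same OCSP request to each responder's own address.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
NOW = dt.datetime.now(dt.timezone.utc)

def make_cert(cn, issuer_name, issuer_key, key, is_ca):
    """Constructed test certificate; self-signed when issuer_name is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name or name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_response(issuer, issuer_key, leaf, knows_revocation):
    """What one backend answers: REVOKED if its serial list has the cert, otherwise GOOD."""
    status = ocsp.OCSPCertStatus.REVOKED if knows_revocation else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=issuer, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + dt.timedelta(hours=1),
        revocation_time=NOW - dt.timedelta(minutes=5) if knows_revocation else None,
        revocation_reason=None).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def compare_backends(leaf, issuer, responses):
    """Parse and verify each backend's DER response; return statuses and whether they differ."""
    statuses = {}
    for backend, der in responses.items():
        resp = ocsp.load_der_ocsp_response(der)
        assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL, backend
        # Verify the signature, so an unsigned or tampered answer cannot mask a revocation.
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
        assert resp.serial_number == leaf.serial_number, backend  # same cert on both sides
        statuses[backend] = resp.certificate_status.name
    return statuses, len(set(statuses.values())) > 1

def simulate_unsynced_hour():
    """IssuingCA1 has revoked the cert; IssuingCA2 has not yet received the serial."""
    ca_key = rsa.generate_private_key(65537, 2048)
    ca = make_cert("IssuingCA1 (constructed)", None, ca_key, ca_key, True)
    leaf = make_cert("wifi-client (constructed)", ca.subject, ca_key, rsa.generate_private_key(65537, 2048), False)
    responses = {"IssuingCA1": make_response(ca, ca_key, leaf, True),
                 "IssuingCA2": make_response(ca, ca_key, leaf, False)}
    return compare_backends(leaf, ca, responses)
```

Asking the VIP only shows the answer for your own source-IP hash; querying each backend directly is what exposes the split, and a cron'd run of this kind of check is a cheap way to measure how long the two CAs actually disagree after a revocation.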