I installed AD, AD CS and OCSP on the same machine in my lab and configured them. I then used C# to write an OCSP client so that it can send the revocation check request and parse the response for a particular certificate installed on the local machine. The C# code was built using the Bouncy Castle assembly (http://www.bouncycastle.org/csharp/).
The problem is that, if I issued a certificate and revoked it on AD CS, and published the CRL and Delta CRL, my OCSP client still said this certificate was good, until I clicked Refresh Revocation Data in AD CS -> OCSP -> Array Configuration.
I had configured the provider of my revocation configuration in OCSP to my local CRL through LDAP://XXXX, and
I also specified my revocation provider to refresh the CRLs every 5 minutes.
Is there any way I can make my OCSP “real-time”, meaning that after I revoke a certificate, my OCSP client will know that it has been revoked? Alternatively, can my OCSP get the CRL automatically instead of my clicking Refresh Revocation Data manually?
OK, I finally got how to make it as real-time as possible, even though not that “real-time”. The OCSP service has its own cache, and it seems that the revocation status for a certificate will be cached until the CRL expires. In my lab my CRL validity period was 2 days; this means that even though I revoked a certificate, published the CRL and set the OCSP to refresh it every 5 minutes, the original status would stay in the OCSP cache until 2 days later. But if I clicked Refresh Revocation Data, the OCSP would clear all caches and restart the application pool.
The solution is, first I need to enable the NONCE extension in the OCSP service, so that when I send the OCSP request I can put some random information in the NONCE. And in the OCSP service, if it finds that the request has NONCE information, it will NOT use any cache. So my revocation data will be refreshed after the 5 minutes.
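The answer above relies on the client sending a nonce and the responder honouring it. The following is an added example, not the poster's C# code and not Bouncy Castle: plain Python that builds the OCSP nonce extension (id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2, encoded as RFC 8954 requires), parses it back out of a DER Extension, and implements the two checks a client should apply on the responder's side of the exchange: the response nonce must equal the request nonce (a missing or different nonce means the answer may be cached or replayed), and the SingleResponse times must be fresh. The 16-byte nonce, the 5-minute freshness window and the timestamps are constructed for the example; the `der_tlv`, `encode_nonce_extension`, `decode_nonce_extension`, `nonce_matches` and `is_fresh` names are this example's own.

```python
"""Build, parse and verify the OCSP nonce extension (RFC 6960 / RFC 8954).

Added example in plain Python; no Bouncy Castle. All values are constructed.
"""
import datetime as dt
import hmac
import os

# id-pkix-ocsp-nonce = 1.3.6.1.5.5.7.48.1.2, DER content octets only.
OCSP_NONCE_OID = bytes.fromhex("2b0601050507300102")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap content octets in a DER tag/length/value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def new_nonce(size: int = 16) -> bytes:
    """Fresh random nonce for one OCSP request (RFC 8954: 1..32 octets)."""
    return os.urandom(size)


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }.

    The nonce itself is wrapped as an OCTET STRING inside extnValue; the
    extension is non-critical, so the 'critical' BOOLEAN is omitted (DER DEFAULT).
    """
    if not 1 <= len(nonce) <= 32:
        raise ValueError("nonce must be 1..32 octets")
    inner = der_tlv(0x04, nonce)
    return der_tlv(0x30, der_tlv(0x06, OCSP_NONCE_OID) + der_tlv(0x04, inner))


def decode_nonce_extension(ext: bytes):
    """Return the nonce carried by a DER Extension, or None if it is another extension."""
    tag, body, _ = _read_tlv(ext, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != OCSP_NONCE_OID:
        return None
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN present; skip it
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    inner_tag, nonce, _ = _read_tlv(value, 0)
    if inner_tag != 0x04:
        raise ValueError("nonce must be an OCTET STRING inside extnValue")
    return nonce


def nonce_matches(request_nonce: bytes, response_nonce) -> bool:
    """A response with no nonce, or a different one, may be a cached or replayed
    answer and must not be accepted as the current status."""
    if response_nonce is None:
        return False
    return hmac.compare_digest(request_nonce, response_nonce)


def is_fresh(this_update, next_update, now, max_age=dt.timedelta(minutes=5)) -> bool:
    """Reject SingleResponse data that is from the future, past nextUpdate,
    or older than max_age (here matched to a 5-minute CRL refresh interval)."""
    if this_update > now:
        return False
    if next_update is not None and now > next_update:
        return False
    return now - this_update <= max_age


if __name__ == "__main__":
    n = new_nonce()
    ext = encode_nonce_extension(n)
    print("request nonce extension:", ext.hex())
    print("round-trip ok:", nonce_matches(n, decode_nonce_extension(ext)))
```

The `decode_nonce_extension` function is what you would run over each entry of the responder's `responseExtensions`; pairing it with `nonce_matches` turns the nonce into a real check rather than just a cache-buster, and `is_fresh` catches the case the thread describes, where a responder that ignores the nonce keeps serving an answer with an old `thisUpdate`.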