Chris here again. As promised, I will be covering configuring an OCSP Responder to support an Enterprise CA. I will also be covering validating your OCSP configuration.
The first step is to install the OCSP Responder Role.
To install the OCSP Responder: Open a command prompt and type: servermanagercmd.exe -install ADCS-Online-Cert
First we will add a Revocation Configuration to the OCSP Responder.
Right click on the Revocation Configuration and select Add Revocation Configuration from the context menu.
The Add Revocation Configuration wizard opens. Click Next to continue.
Give a Friendly Name to the Revocation Configuration, and click Next. It is a good idea to include the name of the CA for which you are setting up this Revocation Configuration, especially if this OCSP Responder will handle requests for multiple CAs.
On the Select CA Certificate page, you will need to select a CA certificate. This is where you determine the CA for which you will be providing revocation information.
Select a certificate for an Existing enterprise CA, and click Next.
Select Browse CA certificates published in Active Directory, and click Browse.
Select the appropriate CA, and click OK.
Next you will need to select a certificate that will be used for signing OCSP responses. For a particular Revocation Configuration, the OCSP Signing certificate must be issued by the CA for which the OCSP Responder will answer revocation status requests.
Select Automatically select a signing certificate. If you wish to automatically enroll for the OCSP Response Signing certificate, make sure Auto-Enroll for an OCSP signing certificate is checked. Select the certificate template that you configured for use with the OCSP Responder, then click Next.
On the Revocation Provider page, you can click Provider to select revocation providers. The Windows Server 2008 OCSP Responder can only use CRLs as its source of revocation information. If the OCSP Response Signing certificate contains a CDP extension, the Revocation Providers will be populated from the CRL locations listed in that extension.
You can add the repository locations for your CRLs and Delta CRLs if appropriate. By default these will be populated from information included in the CDP extension of the Signing certificate. After you have reviewed the configuration or made any changes, click OK.
That completes the initial Configuration of the OCSP Responder. If you would like to modify the configuration of the OCSP Responder, you can right click on the Revocation Configuration and select Properties from the context menu.
The Local CRL tab allows you to configure a Local CRL. You can add revocation information for certificates which you wish to consider revoked. It is recommended that you do not use this option, as it adds unnecessary complexity to the revocation configuration.
The Revocation Provider tab allows you to modify the location of the CRLs and Delta CRLs that will be used for providing revocation information.
In the signing tab you can:
After configuring the OCSP Responder, you will want to verify that the OCSP responder is functioning properly. The easiest way to verify that the OCSP is functioning is to use the Certutil URL Retrieval tool.
First request a certificate from the CA. Place a copy of that certificate on the file system, and run the following command: certutil -URL <Certificate Name>. This opens the URL Retrieval Tool.
Select OCSP, and click on the Retrieve button.
If the certificate is valid you will get the following response.
If the certificate is revoked, you will get the following response.
And if it fails, the status will be listed as Failed.
You can also use the PKIView tool to verify the configurations of the OCSP Responder.
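For a non-interactive version of the check above, here is an added PowerShell example (mine, not from the original post) that runs on the Online Responder itself: it confirms the Online Responder Service is running, confirms that an OCSP Signing certificate in the machine store was issued by the same CA that issued the certificate under test (the requirement from the signing-certificate step), and parses the Certificate OCSP section of certutil -verify -urlfetch instead of reading the GUI result. The certificate path C:\temp\test.cer and the LocalMachine\My store location are assumptions.

```powershell
# Added example, not part of the original post. Run on the OCSP Responder.
# Assumed path to a certificate issued by the CA being tested.
param([string]$CertPath = 'C:\temp\test.cer')

$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning

function Get-OcspSigningCerts {
    # Every certificate in LocalMachine\My that carries the OCSP Signing EKU
    # (assumed store; it is where an auto-enrolled signing cert lands).
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $OcspSigningEku)
    }
}

function Test-OcspResponder([string]$Path) {
    $result = New-Object PSObject -Property @{
        ServiceRunning = $false; SigningCertFromSameCA = $false
        OcspStatus = 'Unknown'; OcspUrls = @()
    }

    # 1. Online Responder Service (service name OcspSvc) must be running.
    $svc = Get-Service -Name OcspSvc -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # 2. The signing certificate must come from the CA that issued the test cert.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $result.SigningCertFromSameCA = [bool](Get-OcspSigningCerts | Where-Object { $_.Issuer -eq $leaf.Issuer })

    # 3. certutil -verify -urlfetch exercises AIA, CDP and OCSP URLs without the GUI.
    #    Only the "Certificate OCSP" section of its output is inspected here.
    $out = certutil -verify -urlfetch $Path 2>&1 | Out-String
    if ($out -match '(?ms)Certificate OCSP\s+-+\s*(.*?)(?=\s+-{4,}|\z)') {
        $section = $Matches[1]
        if     ($section -match 'Verified "OCSP"') { $result.OcspStatus = 'Verified' }
        elseif ($section -match 'Failed "OCSP"')   { $result.OcspStatus = 'Failed' }
        $result.OcspUrls = @([regex]::Matches($section, 'http\S+') | ForEach-Object { $_.Value })
    }
    $result
}

Test-OcspResponder $CertPath | Format-List
```

An OcspStatus of Failed together with SigningCertFromSameCA of False points at the signing certificate rather than at the URL, which is the first thing to re-check in the Revocation Configuration properties.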
This concludes configuring an OCSP Responder to support an Enterprise CA. If you follow the steps listed here, you now have your OCSP Responder configured to support your Windows Server 2003 or Windows Server 2008 CA. In the next part of this series, I will be configuring an OCSP Responder to support a Standalone CA.
Implementing an OCSP responder: Part I Introducing OCSP
Implementing an OCSP responder: Part II Preparing Certificate Authorities
Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
Implementing an OCSP Responder: Part V High Availability
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
- Chris Delay
With OCSP are you able to create a revocation configuration for a CA on another network?
Stay tuned, we have another OCSP responder blog that will cover this.
When I get to the testing step in the above link using the certutil -URL command, the OCSP retrieve status returns a FAILED status. The other two options, Certs (from AIA) and CRLs (from CDP), for the same certificate return Verified when tested.
I'm not sure where to go next, can you point to any troubleshooting for this or what it means I missed?
My setup is an Enterprise Win2008 CA.