- Public Key Infrastructure Part 1 – introduction to encryption and signature
- Public Key Infrastructure Part 2 – main components
- Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
- Public Key Infrastructure Part 4 – Configure CRL
- Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
- Public Key Infrastructure Part 6 – Manage certificate templates
- Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment
- Public Key Infrastructure Part 8 – OCSP responder
- Public Key Infrastructure Part 9 – Management accounts
- Public Key Infrastructure Part 10 – Best practices about PKI
In this part, we will see how to install and configure an OCSP responder. An OCSP responder is a web service that tells the client the revocation status of a certificate. The response sent by the OCSP responder is digitally signed with its own OCSP signing certificate, which is why the responder needs to enroll for a certificate from the CA before it can answer requests. This TechNet topic explains well how online responders work.
Prepare certificate template for OCSP signing
First of all, it is necessary to prepare a template so that the OCSP servers can enroll for a signing certificate. So open the Certification Authority console and right click on Certificate Templates. Select Manage.
Next, I select the OCSP Response Signing template to modify its properties.
Open the Security tab. On my side, I have created a group whose members are the OCSP servers. This group is called GDL-OCSP. I grant the Enroll and Autoenroll permissions to this group.
Next, return to the Certification Authority console and right click on Certificate Templates. Select New Certificate Template to Issue.
Select the OCSP Response Signing template and click OK.
Sub CA configuration
Now, I configure the AIA extension to add the OCSP responder URL. For that, open the Certification Authority console and right click on the CA name. Select Properties.
Open the Extensions tab and select the Authority Information Access (AIA) extension. Add an entry like http://<servername>/ocsp. Don’t forget to tick Include in the online certificate status protocol (OCSP) extension; without it the URL is published in the AIA of issued certificates but not flagged as an OCSP access method, so clients will not query it.
Click Apply and restart Certificate Services so that the CA reads the new extension settings.
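The same CA-side preparation (template permissions, template publication, AIA extension and service restart) can be scripted from an elevated PowerShell prompt on the issuing CA. The script below is an added example and is not part of the original post; it relies on the built-in certutil and dsacls tools. The group name CONTOSO\GDL-OCSP, the configuration naming context DC=contoso,DC=com and the URLs ocsp.contoso.com / pki.contoso.com are assumptions to replace with your own values.

```powershell
# Added example (not from the original post): CA-side preparation for the
# Online Responder, run as an enterprise administrator on the issuing sub CA.
# Assumptions (replace with your own values):
#   - the OCSP servers are members of the AD group CONTOSO\GDL-OCSP
#   - the configuration naming context is CN=Configuration,DC=contoso,DC=com
#   - the responder will be reachable at http://ocsp.contoso.com/ocsp
#   - CA certificates are published at http://pki.contoso.com/CertEnroll/

$OcspGroup  = 'CONTOSO\GDL-OCSP'
$ConfigNC   = 'CN=Configuration,DC=contoso,DC=com'
$OcspUrl    = 'http://ocsp.contoso.com/ocsp'
$AiaHttpUrl = 'http://pki.contoso.com/CertEnroll/%1_%3%4.crt'

# 1. Grant Enroll and Autoenroll on the built-in "OCSP Response Signing"
#    template (AD object name: OCSPResponseSigning) to the OCSP server group.
#    The "CA;<right>" part is quoted because ';' is a statement separator in PowerShell.
$TemplateDn = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
dsacls $TemplateDn /G "${OcspGroup}:CA;Enroll"
dsacls $TemplateDn /G "${OcspGroup}:CA;AutoEnrollment"

# 2. Publish the template on this CA (same as "New Certificate Template to Issue").
certutil -SetCATemplates +OCSPResponseSigning

# 3. Set the AIA publication URLs. Flag 1 = publish the CA cert to this path,
#    flag 2 = include in the AIA extension of issued certificates,
#    flag 32 = include as the OCSP access method (the "Include in the OCSP
#    extension" check box). Entries are separated by a literal "\n".
#    NOTE: this overwrites the current value; run
#    "certutil -getreg CA\CACertPublicationURLs" first and keep any entries you need.
$LocalCrt = '1:' + $env:WINDIR + '\system32\CertSrv\CertEnroll\%1_%3%4.crt'
$Aia = "$LocalCrt\n2:$AiaHttpUrl\n32:$OcspUrl"
certutil -setreg CA\CACertPublicationURLs $Aia

# 4. The CA only reads the extension settings at service start.
Restart-Service certsvc

# 5. Check: the OCSP URL must be listed with the OCSP flag, and the template
#    must appear in the list of templates the CA can issue.
certutil -getreg CA\CACertPublicationURLs
certutil -CATemplates
```

Certificates issued after the restart carry the OCSP URL in their AIA; certificates issued before it do not, so they will still be checked against the CRL only.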
Install and configure online responder
Online Responder Installation
To install the Online Responder role, open Server Manager and select Add Roles and Features.
On the Select server roles screen, tick the Active Directory Certificate Services check box.
On Select role services, tick only Online Responder. Add the IIS features that are required.
Configure online responder
To configure the online responder, open the server manager and run the Post-Deployment configuration as below.
To configure the online responder you only need to be a local administrator (unlike a CA installation, no enterprise administrator rights are required). So use local administrator credentials and click Next.
Select Online Responder and click on next.
Before clicking on Configure, make sure that Default Web Site exists in IIS because if not, you will have a beautiful error message.
Once the configuration is done, you should have a success message.
In IIS, the OCSP web service is added as an application under the Default Web Site, which is why the site must exist beforehand.
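The role installation and the post-deployment configuration can also be done with the ADCSDeployment cmdlets, which avoids the IIS error mentioned above by checking for the Default Web Site first. This is an added example, not part of the original post; it assumes it runs as a local administrator on a domain-joined server that is a member of the GDL-OCSP group.

```powershell
# Added example (not from the original post): install and configure the
# Online Responder role service from PowerShell instead of Server Manager.
# Assumptions: run elevated on the future OCSP server, which is domain-joined
# and a member of the GDL-OCSP group so it can auto-enroll for the signing certificate.

# 1. Install the role service; the required IIS features are pulled in as dependencies.
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools

# 2. The post-deployment configuration expects the Default Web Site.
#    Fail early with a clear message instead of hitting the wizard's error.
Import-Module WebAdministration
if (-not (Get-Website -Name 'Default Web Site')) {
    throw 'Default Web Site not found in IIS; recreate it before configuring the responder.'
}

# 3. Equivalent of the "Post-Deployment configuration" step for the Online Responder.
#    -Force skips the confirmation prompt.
Install-AdcsOnlineResponder -Force

# 4. Verify: the Online Responder service (OCSPSvc) is running and the /ocsp
#    application exists under the Default Web Site.
Get-Service -Name OCSPSvc
Get-WebApplication -Site 'Default Web Site' -Name 'ocsp'

# 5. Trigger auto-enrollment now rather than waiting for the next policy refresh,
#    so the OCSP Response Signing certificate is available when the revocation
#    configuration is created. The certificate lands in the machine store.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'OCSP Signing' }
```

The revocation configuration itself (next section) is created in the Online Responder Management console as described in the post; the script stops at the point where the responder is installed and has its signing certificate.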
Make a revocation configuration
Now that the online responder is installed and configured, we will create a revocation configuration. For that, open the Online Responder Management console:
Next, right click on Revocation Configuration and select Add Revocation Configuration.
On the Getting Started screen, click Next.
Type a name for your revocation configuration. A revocation configuration is associated with one CA. So if you have many CAs, you have to create as many revocation configurations.
Select the CA certificate that will be associated with this revocation configuration. It works for an offline Root CA as well as for an Enterprise CA. Because I want to associate this revocation configuration with my Enterprise sub CA, I select a certificate for an existing enterprise CA.
Next, I browse Active Directory to retrieve the CA certificate.
Next, I choose to auto-enroll for an OCSP signing certificate with the template that I issued previously.
To finish, configure the revocation provider, that is, the location where the CRL and delta CRL are stored. The wizard retrieves this information automatically from the CDP extension of the certificate.
Once you have finished setting up the revocation configuration, you should see a Working status as below:
Test the online responder
To test that my online responder works, I have enrolled a client for a certificate. As you can see below, the AIA extension indicates the OCSP URL.
I have exported this certificate to a CER file and I run certutil -URL c:\temp\MyCertificate.cer. This command opens the window below. I check the status of this certificate with OCSP.
Now I revoke the certificate and I publish the CRL again.
I retrieve the status of the certificate from the OCSP responder again and tada: the certificate is marked as revoked.
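The same test can be done without the certutil -URL dialog, which makes it repeatable after each CRL publication. The script below is an added example and not part of the original post. It assumes the test certificate was exported to C:\temp\MyCertificate.cer, that the status check runs on a domain member that can reach the responder, and that the revocation step runs on the issuing CA; the Get-OcspStatus function name is my own.

```powershell
# Added example (not from the original post): scripted version of the
# revoke-and-recheck test. Assumptions: the certificate under test is at
# C:\temp\MyCertificate.cer; steps 1 and 4 run on a client that can reach the
# responder, steps 2 and 3 run on the issuing CA and the OCSP server respectively.

$CertFile = 'C:\temp\MyCertificate.cer'

function Get-OcspStatus {
    param([string]$Path)
    # Clear the client-side URL cache first: CryptoAPI keeps an OCSP response
    # until its nextUpdate, so a second check may otherwise return the cached
    # "good" answer even though the certificate has just been revoked.
    certutil -urlcache * delete | Out-Null
    # -verify -urlfetch builds the chain and retrieves AIA/CDP/OCSP from the
    # network. Since the certificate carries an OCSP URL, CryptoAPI tries OCSP
    # before the CRL, and the output shows the URL used and the verdict.
    $out = certutil -verify -urlfetch $Path
    $out | Where-Object { $_ -match 'OCSP|Revocation|revoked|Verified' }
}

# 1. Status before revocation (expect "Verified" and a successful OCSP line).
Get-OcspStatus -Path $CertFile

# 2. On the CA: revoke the certificate by serial number (reason 0 = unspecified)
#    and publish a new CRL, which is what the responder's revocation provider reads.
$Serial = (certutil -dump $CertFile | Select-String 'Serial Number:').Line.Split(':')[1].Trim()
certutil -revoke $Serial 0
certutil -crl

# 3. On the OCSP server: the responder caches the CRL until its next scheduled
#    refresh. Restarting the service makes it load the new CRL immediately
#    (the "Refresh CRL" action in the console does the same).
Restart-Service -Name OCSPSvc

# 4. Status after revocation (expect a line stating the certificate is REVOKED).
Get-OcspStatus -Path $CertFile
```

If the second check still reports the certificate as good, the usual causes are the two caches cleared above: the client's CryptoAPI cache and the responder's own copy of the previous CRL.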