Public Key Infrastructure Part 8 – OCSP responder

In this part, we will see how to install and configure an OCSP responder. An OCSP responder is a web service that tells a client the revocation status of a certificate. The response sent by the OCSP responder is digitally signed with the responder's OCSP signing certificate. This TechNet topic explains well how online responders work.

Prepare certificate template for OCSP signing

First of all, prepare a certificate template so that the OCSP servers can enroll for a signing certificate. Open the Certification Authority console, right-click Certificate Templates and select Manage.

Next, I open the properties of the OCSP Response Signing template.

Open the Security tab. On my side, I have created a group whose members are the OCSP servers. This group is called GDL-OCSP. I grant the Enroll and Autoenroll permissions to this group.

Next, return to the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Select the OCSP Response Signing template and click OK.

Sub CA configuration

Now I configure the AIA extension to add the OCSP responder URL. Open the Certification Authority console, right-click the CA name and select Properties.

Open the Extensions tab and select the Authority Information Access (AIA) extension. Add an entry such as https://<servername>/ocsp. Don't forget to tick Include in the online certificate status protocol (OCSP) extension.

Click Apply and restart Certificate Services so that newly issued certificates carry the new AIA entry.
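The two CA-side steps above (issuing the OCSP Response Signing template and adding the OCSP URL to AIA) can also be scripted. This is an added example, not code from the original article; it assumes an elevated PowerShell prompt on the issuing sub CA, the ADCSAdministration module that ships with the AD CS role, and the placeholder URL https://<servername>/ocsp.

```powershell
# Added example (not from the original article): CA-side configuration scripted.
# Assumptions: run elevated on the issuing (sub) CA; ADCSAdministration module
# present; https://<servername>/ocsp is a placeholder for your responder URL.

Import-Module ADCSAdministration

# 1. Publish the built-in OCSP Response Signing template on this CA, so the
#    OCSP servers (the GDL-OCSP group with Enroll/Autoenroll) can request it.
$templateName = 'OCSPResponseSigning'
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Add-CATemplate -Name $templateName -Force
}

# 2. Add the responder URL to the AIA publication list.
#    Flag 32 = "Include in the online certificate status protocol (OCSP) extension".
#    The leading '+' appends to the existing REG_MULTI_SZ value instead of replacing it.
$ocspUrl = 'https://<servername>/ocsp'
certutil -setreg CA\CACertPublicationURLs "+32:$ocspUrl"

# 3. Restart Certificate Services so the new extension is used for new certificates.
Restart-Service -Name certsvc

# 4. Read the publication list back and confirm the OCSP entry is really there.
$urls = (certutil -getreg CA\CACertPublicationURLs) -join "`n"
if ($urls -notmatch [regex]::Escape("32:$ocspUrl")) {
    throw "OCSP URL was not added to CACertPublicationURLs"
}
Write-Host "OCSP URL published in AIA: $ocspUrl"
```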

Install and configure online responder

Online Responder Installation

To install the Online Responder role service, open Server Manager and select Add Roles and Features.

On the Select server roles screen, tick the Active Directory Certificate Services check box.

On Select role services, tick only Online Responder. Add the IIS features that are required.

Configure online responder

To configure the online responder, open Server Manager and run the post-deployment configuration as shown below.

To configure the online responder you only need to be a local administrator, so use local administrator credentials and click Next.

Select Online Responder and click Next.

Before clicking Configure, make sure that the Default Web Site exists in IIS, because if it does not, you will get a beautiful error message.

Once the configuration is done, you should have a success message.

In IIS, the OCSP web service is added to the Default Web Site.
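The installation and post-deployment configuration of the responder, as an added example that is not from the original article. It assumes an elevated PowerShell prompt on the future OCSP server and includes the Default Web Site check the article warns about.

```powershell
# Added example (not from the original article): install and configure the
# Online Responder from PowerShell. Assumption: run as a local administrator
# on the future OCSP server.

# 1. Install the Online Responder role service; the IIS features it depends on
#    are installed automatically.
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# 2. The post-deployment configuration needs the "Default Web Site" in IIS.
#    Check it before configuring, so you do not hit the error mentioned above.
Import-Module WebAdministration
if (-not (Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue)) {
    throw "Default Web Site is missing in IIS; create it before configuring the responder"
}

# 3. Equivalent of the Post-Deployment Configuration wizard (Online Responder).
Install-AdcsOnlineResponder -Force

# 4. Confirm the OCSP web application was created under the Default Web Site.
$app = Get-WebApplication -Site 'Default Web Site' -Name 'ocsp'
if (-not $app) { throw "The /ocsp application was not created in IIS" }
Write-Host "Online Responder configured; OCSP web service at /ocsp"
```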

Make a revocation configuration

Now that the online responder is installed and configured, we will create a revocation configuration. For that, open the Online Responder Management console:

Next, right-click Revocation Configuration and select Add Revocation Configuration.

On the Getting Started screen, click Next.

Type a name for your revocation configuration. A revocation configuration is associated with one CA, so if you have many CAs, you have to create many revocation configurations :)

Select the CA certificate that will be associated with this revocation configuration. This works for an offline root CA as well as an enterprise CA. Because I want to associate this revocation configuration with my enterprise sub CA, I select a certificate for an existing enterprise CA.

Next, I browse Active Directory to retrieve the CA certificate.

Next, I choose to auto-enroll for an OCSP signing certificate, using the template that I issued previously.

To finish, configure the revocation provider, which is the location where the CRL and delta CRL are stored. The wizard retrieves this information automatically from the CDP extension of the certificate.

Once you have finished the revocation configuration, you should see a Working status as below:

Test the online responder

To test that my online responder works, I enrolled a client for a certificate. As you can see below, its AIA extension indicates the OCSP URL.

I exported this certificate to a CER file and ran certutil -URL c:\temp\MyCertificate.cer. This command opens the window below, where I check the status of the certificate with OCSP.

Now I revoke the certificate and publish the CRL again.

I retrieve the status of the certificate from the OCSP responder again and tada: the certificate is marked as revoked.
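A scriptable version of the test above, as an added example that is not from the original article. Instead of the interactive certutil -URL window it uses the .NET X509Chain class, which on Windows queries the OCSP URL from the AIA extension before falling back to the CRL; C:\temp\MyCertificate.cer is a placeholder for the exported client certificate.

```powershell
# Added example (not from the original article): non-interactive revocation check.
# Assumption: C:\temp\MyCertificate.cer is the exported client certificate whose
# AIA extension points at the responder (placeholder path).

function Get-RevocationStatus {
    param([string]$CerPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online check: CryptoAPI uses the OCSP URL from AIA first, then the CDP CRL.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly

    $valid = $chain.Build($cert)

    # Merge every chain status flag into one bit mask.
    $mask = 0
    foreach ($s in $chain.ChainStatus) { $mask = $mask -bor [int]$s.Status }
    $revoked = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $unknown = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation

    if ($mask -band $revoked)              { return 'Revoked' }
    if ($mask -band ($unknown -bor $offline)) { return 'Unknown (responder or CRL unreachable)' }
    if ($valid)                            { return 'Good' }
    return "Invalid: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

$cerPath = 'C:\temp\MyCertificate.cer'

# Show the AIA extension (OID 1.3.6.1.5.5.7.1.1), which should list the OCSP URL.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
    ForEach-Object { $_.Format($true) }

# Windows caches fetched OCSP responses and CRLs; clear the local URL cache so a
# second run after revoking and republishing the CRL does not reuse the old answer.
certutil -urlcache * delete

Get-RevocationStatus -CerPath $cerPath
```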

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft technology, especially Hyper-V, System Center, storage, networking and Cloud OS technology such as Microsoft Azure or Azure Stack. He is an MVP and is a Microsoft Certified Solutions Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

6 comments

  1. Thank you very much Romain for your excellent articles, I have followed them and am able to test out the OCSP capability in Windows. Thank you very much. FYI, for what it's worth, with my background in Unix and others, I am really starting to get to know Windows and I really find your articles very easy to follow. I have now been able to test the OCSP capability! One thing I am still struggling with at the moment is really to do with the revocation period. I would revoke a certificate and then use various methods (certutil -crl, changing the Revocation Configuration time, republishing the Revocation folder in the Certification Authority tool etc.) to refresh the 'cache', yet I would only be able to obtain the 'Revoked' status by restarting the server that hosts the Intermediate Certificate and the OCSP Responder. BTW, I have tried out certutil -urlfetch -verify certfile.cer and that would return me a status of Revoked. But if I use certutil -url certfile.cer or openssl then the status of the revoked certificate would remain 'Verified'/'Good' until I reboot the server that hosts the certification authority and the OCSP Responder. Is there something that I have missed?

    • Hi Long,

      Many thanks for your comment! I appreciate it.

      Regarding your issue, when you revoke a certificate, you have to republish the CRL to your CRL Distribution Point. For example, if you revoke the certificate of your sub CA, you have to republish the root CA CRL. Only the CRL gives clients the information about revoked certificates.

      So you can try to create a certificate and test it with certutil -url. Next, revoke this certificate and publish the CRL to the CDP. Run certutil -url again and the certificate should be revoked.

      Have a nice weekend

    • I have encountered the same problem as Long

  2. Sir, can you fix the links to PKI posts 1, 2 and 7? I receive the following: "Error establishing a database connection". Excellent PKI posts and very helpful.

  3. This is a very thorough article.
