- Public Key Infrastructure Part 1 – introduction to encryption and signature
- Public Key Infrastructure Part 2 – main components
- Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
- Public Key Infrastructure Part 4 – Configure CRL
- Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
- Public Key Infrastructure Part 6 – Manage certificate templates
- Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment
- Public Key Infrastructure Part 8 – OCSP responder
- Public Key Infrastructure Part 9 – Management accounts
- Public Key Infrastructure Part 10 – Best practices about PKI
In this part, we will see how to install and configure an OCSP responder. An OCSP responder is a web service that tells a client the status of a certificate. The response sent by the OCSP responder is digitally signed with the responder's own certificate. This TechNet topic explains well how online responders work.
Prepare certificate template for OCSP signing
First of all, it is necessary to prepare a template so that the OCSP servers can enroll for a signing certificate. So open the Certification Authority console, right click on Certificate Templates and select Manage.
Next, I select the OCSP Response Signing template to modify its properties.
Open the Security tab. On my side, I have created a group whose members are the OCSP servers. This group is called GDL-OCSP. I grant the Enroll and Autoenroll permissions to this group.
Next, return to the Certification Authority console, right click on Certificate Templates and select New Certificate Template to Issue.
Select the OCSP Response Signing template and click OK.
Sub CA configuration
Now, I configure the AIA extension to add the OCSP responder URL. For that, open the Certification Authority console, right click on the CA name and select Properties.
Open the Extensions tab and select the Authority Information Access (AIA) extension. Add an entry like https://<servername>/ocsp. Don't forget to tick Include in the online certificate status protocol (OCSP) extension.
Click on Apply and restart Certificate Services.
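The same two CA-side steps (publishing the OCSP Response Signing template and adding the OCSP URL to the AIA extension) can be done from an elevated PowerShell prompt on the sub CA. This is an added example, not code from the original article: it assumes the ADCSAdministration module is present (it ships with the CA management tools) and uses ocsp.example.com as a placeholder for the responder's host name. It publishes the URL over plain http, which is the usual choice for OCSP so that checking the responder's own TLS certificate does not loop back to the responder.

```powershell
# Added example (not from the original article): CA-side configuration from
# PowerShell on the sub CA. Replace ocsp.example.com with your responder's name.

# 1. Publish the "OCSP Response Signing" template on this CA (the equivalent of
#    "New Certificate Template to Issue" in the console). The template's
#    internal name has no spaces.
Import-Module ADCSAdministration
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# 2. Add the responder URL to the AIA extension. The numeric prefix is the
#    publication flag: 32 means "Include in the online certificate status
#    protocol (OCSP) extension". The leading "+" appends the entry to the
#    existing multi-string registry value instead of replacing it.
$ocspUrl = 'http://ocsp.example.com/ocsp'   # placeholder host name
certutil -setreg CA\CACertPublicationURLs "+32:$ocspUrl"

# 3. Check the result: the new entry should be listed with flag 32.
certutil -getreg CA\CACertPublicationURLs

# 4. AIA changes only take effect after Certificate Services restarts.
Restart-Service certsvc

# 5. Confirm the template is now among those the CA issues.
Get-CATemplate | Where-Object Name -eq 'OCSPResponseSigning'
```

Only certificates issued after the restart carry the new AIA entry; certificates enrolled earlier keep their original extension and must be re-enrolled if they are to be checked through the responder.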
Install and configure online responder
Online Responder Installation
To install the Online Responder role, open Server Manager and select Add Roles and Features.
On the Select server roles screen, tick the Active Directory Certificate Services check box.
On Select role services, tick only Online Responder. Add the IIS features that are required.
Configure online responder
To configure the online responder, open Server Manager and run the post-deployment configuration as below.
To configure the online responder you only need to be a local administrator. So use local administrator credentials and click on Next.
Select Online Responder and click on Next.
Before clicking on Configure, make sure that Default Web Site exists in IIS, because if not, you will have a beautiful error message.
Once the configuration is done, you should have a success message.
In IIS, the OCSP web service is added to Default Web Site.
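The installation and post-deployment configuration above can also be scripted on the future OCSP server. This is an added example, not code from the original article: it assumes it runs as a local administrator (which is all the configuration step requires) and that the WebAdministration module is available once IIS is installed. It checks for Default Web Site before configuring, so the failure described above is caught before the wizard runs, and then verifies the service and the /ocsp application that the configuration creates.

```powershell
# Added example (not from the original article): Online Responder installation
# and configuration from PowerShell, run as a local administrator.

# 1. Install the role service; this pulls in the IIS features it depends on.
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools

# 2. The configuration requires "Default Web Site" to exist in IIS. Check for
#    it up front instead of discovering its absence through the error message.
Import-Module WebAdministration
if (-not (Get-Website -Name 'Default Web Site')) {
    throw 'Default Web Site is missing in IIS; create it before configuring the responder.'
}

# 3. Post-deployment configuration, equivalent to the "Configure Active
#    Directory Certificate Services" wizard with only Online Responder selected.
Install-AdcsOnlineResponder -Force

# 4. Verify: the Online Responder Service is running and IIS now hosts the
#    /ocsp application under Default Web Site.
Get-Service OCSPSvc
Get-WebApplication -Site 'Default Web Site' -Name 'ocsp'
```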
Make a revocation configuration
Now that the online responder is installed and configured, we will create a revocation configuration. For that, open the Online Responder Management console:
Next, right click on Revocation Configuration and select Add Revocation Configuration.
On the Getting Started screen, click on Next.
Type a name for your revocation configuration. A revocation configuration is associated with one CA, so if you have several CAs, you have to create several revocation configurations.
Select the CA certificate that will be associated with this revocation configuration. This works for an offline root CA or an enterprise CA. Because I want to associate this revocation configuration with my enterprise sub CA, I select a certificate for an existing enterprise CA.
Next, I browse Active Directory to retrieve the CA certificate.
Next, I select Auto-Enroll for an OCSP signing certificate with the template that I issued previously.
To finish, configure the revocation provider, which is the location where the CRL and delta CRL are stored. The wizard retrieves this information automatically from the CDP extension of the CA certificate.
Once you have finished setting up the revocation configuration, you should have a Working status as below:
Test the online responder
To test that my online responder works, I have enrolled a client for a certificate. As you can see below, the AIA extension indicates the OCSP URL.
I have exported this certificate to a CER file and I run certutil -URL c:\temp\MyCertificate.cer. This command opens the window below. I check the status of this certificate with OCSP.
Now I revoke the certificate and publish the CRL again.
I retrieve the status of the certificate from the OCSP responder again and tada: the certificate is marked as revoked.
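The same test, driven from the command line so that each step and its result are visible without the certutil -URL window. This is an added example, not code from the original article: it assumes C:\temp\MyCertificate.cer is the exported client certificate, that the CA is reachable under the placeholder configuration string CA01\Contoso Sub CA, and that the account running it holds the Issue and Manage Certificates permission on that CA. It also clears the client-side revocation caches between the two checks, which is the usual reason a freshly revoked certificate still shows as good: the previous OCSP answer and the previous CRL are reused until they expire.

```powershell
# Added example (not from the original article): revocation test with certutil.
# Placeholders: C:\temp\MyCertificate.cer (exported client certificate) and
# 'CA01\Contoso Sub CA' (the CA's Machine\CAName configuration string).

$certFile = 'C:\temp\MyCertificate.cer'
$caConfig = 'CA01\Contoso Sub CA'

# 1. List the CDP and AIA URLs embedded in the certificate; the OCSP URL added
#    to the AIA extension must appear here, otherwise the responder is never asked.
certutil -dump $certFile | Select-String 'URL='

# 2. Status before revocation. -urlfetch -verify retrieves the CRL and OCSP
#    URLs non-interactively (unlike -url, which opens a window) and reports the
#    answer for each certificate in the chain. Expect the leaf to be valid.
certutil -urlfetch -verify $certFile

# 3. Revoke on the CA. The serial number is read from the file so nothing is
#    typed by hand; reason code 0 is "Unspecified".
$serial = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile).SerialNumber
certutil -config $caConfig -revoke $serial 0

# 4. Publish a fresh CRL to the CDP. This is the step that actually carries the
#    revocation to the responder: it serves the status read from the CRL.
certutil -config $caConfig -crl

# 5. Clear the client-side caches so the new check does not reuse the cached
#    "good" OCSP answer or the previous CRL.
certutil -urlcache ocsp delete
certutil -urlcache crl delete
certutil -setreg chain\ChainCacheResyncFiletime @now

# 6. Check again: the leaf should now be reported as revoked.
certutil -urlfetch -verify $certFile
```

If the responder itself still answers "good" after the CRL is published, look at the revocation provider settings of the revocation configuration in the Online Responder console: the responder only refetches the CRL on its refresh schedule, which by default follows the CRL's validity period, and the "Revoked" answer cannot appear before that refresh has happened.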
Thank you very much Romain for your excellent articles, I have followed them and am able to test out the OCSP capability in Windows. Thank you very much…. FYI, for what it's worth, with my background in Unix and others, I am really starting to get to know Windows and I really find your articles are very easy to follow. I have now been able to test the OCSP capability! One thing I am still struggling with at the moment is really to do with the revocation period. I would revoke a certificate and then use various methods (certutil -crl, change the Revocation Configuration time, republishing the Revocation folder in the Certification Authority tool etc.) to refresh the 'cache', yet I would only be able to obtain the 'Revoked' status by restarting the server that hosts the Intermediate Certificate and the OCSP Responder…. BTW, I have tried out certutil -urlfetch -verify certfile.cer and that would return me a status of Revoked. But if I use certutil -url certfile.cer or openssl then the status of the revoked certificate would remain 'Verified'/'Good' until I reboot the server that hosts the certification authority and the OCSP Responder…. Is there something that I have missed?
Hi Long,
Many thanks for your comment! I appreciate it.
Regarding your issue, when you revoke a certificate, you have to republish the CRL into your CRL Distribution Point. For example, if you revoke the certificate of your sub CA you have to republish the root CA CRL. Only the CRL gives the information about revoked certificates to clients.
So you can try to create a certificate and test it with certutil -url. Next, revoke this certificate and publish the CRL into the CDP. Run certutil -url again and the certificate should be revoked.
Have a nice weekend
I have encountered the same problem as Long.
Sir, can you fix the links to PKI posts 1, 2 and 7? I receive the following: "Error establishing a database connection". Excellent PKI posts and very helpful.
Hi Martin,
I've tried the links and they're working. Maybe a little outage on the blog yesterday…
This is a very thorough article.