OCSP part 2 – Create a Revocation Configuration

After installing the OCSP component in Windows, it is time to configure the service: how OCSP requests are handled, where the CRL is retrieved from, which OCSP signing certificate is used, and so on.

  1. Open the Online Responder snap-in.

  2. Click on Revocation Configuration.

  3. The list of available configurations is empty.

  4. Add a new revocation configuration.

  5. The configuration wizard opens.

  6. Give a name for the new configuration.

  7. Specify the location of the CA. My CA is a Windows Enterprise CA, so its configuration is stored in the AD.

  8. Give the information of the signing certificate. Just leave the default values.

  9. Configure the provider, that is, where OCSP can retrieve the information about revoked certificates.

  10. I am using the AD for obtaining this information.

  11. After this, the necessary information for the provider has been given and the wizard can start performing the actual configuration.

  12. This ends the wizard. Afterwards, the status can be seen in the pane.
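
To confirm from a client that the new configuration actually answers, the following PowerShell script (an added example, not part of the original post) checks that an issued certificate carries an OCSP URL in its AIA extension and then lets certutil fetch it. The certificate path is a hypothetical placeholder, and the final output filter assumes English certutil output.

```powershell
# Added example, not from the original post. $CertPath is a hypothetical placeholder
# for a certificate issued by the CA that this revocation configuration covers.
param([string]$CertPath = 'C:\temp\issued-cert.cer')

$OidAia  = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension
$OidOcsp = '1.3.6.1.5.5.7.48.1'   # OCSP access method inside AIA

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The CA must have written the responder URL into the certificate.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidAia }
if (-not $aia) {
    Write-Warning "No AIA extension in '$($cert.Subject)': clients cannot locate the responder."
    exit 1
}

# Format($true) renders one "[n]..." entry per access method, including the method OID.
# Keep only the entries whose access method is OCSP, then pull out their URLs.
$entries = @($aia.Format($true) -split '(?=\[\d+\])' |
    Where-Object { $_ -match [regex]::Escape($OidOcsp) })
if ($entries.Count -eq 0) {
    Write-Warning "AIA extension present, but it contains no OCSP access method."
    exit 1
}
$ocspUrls = @($entries | ForEach-Object {
    [regex]::Matches($_, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
})
"OCSP URL(s) in certificate: $($ocspUrls -join ', ')"

# 2. Let Windows fetch the AIA, CDP and OCSP URLs and evaluate revocation status.
#    Read the result from the output rather than from the exit code.
#    The filter below assumes English-language certutil output.
certutil.exe -verify -urlfetch $CertPath |
    Select-String -Pattern 'OCSP|revocation|revoked'
```

Run it against a certificate issued after the OCSP URL was added to the CA; certificates issued earlier do not contain the URL and fail at the first check.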

OCSP part 1 – Install an Online Responder

Installing OCSP Responder Role

You can install the OCSP responder role in Windows Server 2008 R2 either via a command line tool or by using the role wizard.

Command line

Command: servermanagercmd.exe -install ADCS-Online-Cert

Whooops, deprecated 😀

Nevertheless, it works. You just have to wait for the installer to finish.

Role wizard

  1. Open the server manager.

  2. Select the roles node and Active Directory Certificate Services.

  3. The Online Responder role should be shown as not installed.

  4. To add the role, click on Add Role Services. Select Online Responder.

    The installation starts.

  5. At the end of the installation, an Installation succeeded message must appear.

  6. In the list of installed roles, Online Responder appears now with status installed.

  7. In IIS, a new web site with name ocsp must appear. This is the URL of the OCSP responder that the CA needs to add to the certificates it issues.