OCSP part 6 – Test OCSP service

To test if OCSP is working, you need to have a certificate with OCSP information included. This is only available for certificates emitted AFTER the service was installed, configured and activated on the CA. Therefore, you`ll need to first create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request or will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL and a Windows Enterprise CA.

Create CSR with OpenSSL

openssl req –new –newkey rsa:2046 –nodes –keyout dummy.key –out dummy.csr

This creates a key file and the CSR in Base64.

Submit CSR to CA

Certificate snap-in

MSFT Enterprise CA needs the CSR created for a specific template, something that OpenSSL is not offering. If you submit such a request to the CA via MMC, you get an error message.

More information

CA Web Interface

Open the web enrollment server in your browser. Click on Request a certificate.

Go to the advanced options.

Paste the Base64 encoded CSR in the input field. Select as certificate User.

Submit the request and download the generated certificate.

Take a closer look at the certificate. In the AIA section, OCSP must be shown.

Test OCSP service

In the above step, a new user certificate was created, containing OCSP information. To test if OCSP is working, Microsoft is offering the certutil tool.

certutiil –URL dummy.cer

In the Retrieve box, you can select how to certificate information should be retrieved.

Select OCSP.

Check the status

Result: Failed

Result: Unsuccessful

Result: Verified

Let the world know

OCSP part 5 – Further configuration steps

After having OCSP installed, configured and having CA include OCSP information in newly emitted certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. Microsoft test client isn`t using NONCE and their test will pass, while OpenSSL uses NONCE and that test will fail. Generally, enabling it ensures you`ll have less problems with a wide range of clients.

Enable NONCE

Edit OCSP configuration properties.

Go to tab Signing and enable NONCE.

Check status

In case you get a signing certificate not available for the array controller, do a refresh of the node.

The status should be empty.

In the CA, an OCSP signing certificate must appear in the list of issued certificates.

Let the world know

OCSP part 4 – Configure CA to support OCSP Responders

After having the OCSP service installed and configured, the CA must be made aware of the service. Only after this, new emitted certificates by the CA will include the OCSP information. This means that you can run a OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won`t be able to do this.

To configure a CA to support an Online Responder or OCSP responder services

  • Open the Certification Authority snap-in.

  • Open the properties of the CA.

  • Open the extensions tab. By default, the CRL distribution point (CDP) list is shown.

  • Change from CDP to Authority Information Access (AIA)

  • Click on Add to add a new location.

  • Specify the locations from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed.Make sure that the clients can resolve the DNS name and communicate with the service.

    Example: http://<ServerDNSName>/ocsp

  • Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.

    You will have to restart the CA service to make the new configuration effective.

  • Next, you will have to include the OCSP certificate in the list of available certificates of the CA.

  • Open the CA snap-in, select Certificate Templates, right click and choose “New Certificate Template to Issue”

  • Select the OCSP Response Signing certificate.

  • To check that it worked, select the certificate and open its properties.

Let the world know

SAP Inside Track São Leopoldo 2016

Our 4th SIT at São Leopoldo occurred a few days after the SAP internal DKOM event. Therefore we lost some of our momentum, as some participants can only justify going to one event, and for many, DKOM was higher on the priority list. Overall, the event was once more a success, attracting a diverse crowed from local SAP employees, local Porto Alegre market and some even travelling from Sao Paulo and Rio de Janeiro to attend the event.


Official site SAP Community Network
Edition  4th
Date 1.4.2016
Location SAP Labs Latin America – Av. SAP, 188, São Leopoldo, RS
Twitter #sitsl
Sessions 17
Speakers 17
Tracks 3
Participants 84
Tweets 378
Twitter reach 1.672.000

Event Schedule



Twitter sentimento analysis


Net Promoter Score: 74

Overall Session rating: 4.3/5

Overall Event rating: 4.5/5


SAP Press sponsored 1 book and 4 vouchers for ebooks!

We also gave away some gadgets with the help of Karen and Eduardo.

The winners

Let the world know

I will miss the old SAP Note search web app

I will really miss the “old” SAP Notes search available on support.sap.com. Eventually. There are several reasons, like: the new Fiori type replacement looks to be made primarily to be Fiori and not to offer easy usage to its users. Or: it`s slower, first versions contained only a fraction of features (PDF download, direct link, download content), a confusing user interface (first level you have to click on the arrow to navigate, second level you can click on the whole item to navigate, back navigation not really working, filter not working as expected). However, to be honest, I liked that the old app was honest. Honest? Just try it, and search for some (disclaimer: you must 18+, US: 30+ or give a damn about PC to continue reading) swear words, like, well, let`s take the classic: FUCK.

OLD SAP Notes search

NEW SAP Notes search

Yep, the new version returns no search results for the same key word, compared to four SAP Notes in the old version.

Search index?

It seems that this has little to do with a PC filter in place. The new version does not return the content of the SAP Notes (ABAP code); therefore, the key word may not part of the index and a search for it returns no hits. I guess this is going to be implemented soon. Looking at the number of changes released to the new Fiori SAP Notes app, the people responsible are very well aware that features are missing. How much time is left for the old SAP Notes search? The app will be retired 15. August 2016.


In the meantime, you can still search for other linguistic gems left by the developers. If you do so, you`ll notice that the index is sometimes updated and returns some of the SAP Notes listed by the old search. Seems like in the back work is done to ensure that the old and new version return the same results, aka: search index is updated. I am confident that at august 15th the new SAP Notes search will offer the same or better functionality than the old search. Did you expected something else from SAP?


Let the world know

Meetup Rio de Janeiro 2016

Our third event in Rio de Janeiro and the second Meetup in Rio. This event was also located at INFNET. Once again, INFNET sponsored the event by providing the location, and I was able to offer the event once more in the downtown area, close to some of the biggest SAP customers in Rio and close to partner offices. INFNET is also a SAP University Alliance partner, so great initiative from them to help us.


Official site Meetup Rio de Janeiro
Edition 2
Date 13. 4. 2016. 18:00 – 22:00
Location Instituto Infnet. Rua São José, 90, 2º andar, Auditório. Centro – RJ
Twitter #scnrj
Sessions 7
Speakers 5
Tracks 1
Participants 67

Event web site

The event site was hosted on a Raspberry Pi using an OpenUI5 web page with the backend for user registration run on HCP (Java).

Official site Meetup Rio de Janeiro
Page visits 508
Unique visitors 341

55% of the visitors signed up to the event. As expected, almost all access to the site was from Brazil.

Event Schedule


SAP Press sponsored 4 vouchers for ebooks.


Net promoter score: 94

Overall event rating: 4.3/5

Overall session rating: 4.4/5

The only SAP HDE in Brazil was also present at the event.

Let the world know

OCSP part 3 – Add read permission to NetWork Service

For the CA to be able to use OCSP, read permission to the private key must be given.

Add Read permissions to Network Service on the private key

Open the Certificate Templates snap-in.

Select the OCSP Response Signing template.

Right-click it and click on properties.

Go to tab security. Click on add.

In the dialog, select from the list of object types computer.

Search for the CA/OCSP computer. Click OK.

Select the newly created entry with the computer name of the OCSP responder and select ALLOW for Read and Enroll permissions.

Finish the task by clicking on OK.

Let the world know