OCSP part 3 – Add read permission to NetWork Service

For the CA to be able to use OCSP, read permission to the private key must be given.

Add Read permissions to Network Service on the private key

Open the Certificate Templates snap-in.

Select the OCSP Response Signing template.

Right-click it and click on properties.

Go to tab security. Click on add.

In the dialog, select from the list of object types computer.

Search for the CA/OCSP computer. Click OK.

Select the newly created entry with the computer name of the OCSP responder and select ALLOW for Read and Enroll permissions.

Finish the task by clicking on OK.

Let the world know

Security validation of SCAs by SUM

Updating a system with SUM is as easy as walking into Mordor. Upgrading a SPS needs you to have a stack XML and when you put SCAs that are signed into a folder, you still have to ensure that SUM can verify the validity of the files. To do so, SUM must be able to have access to the certification revocation list (CRL). This list informs SUM if the certificate used to sign the SCA file is valid or not. Short: if the file can be trusted and therefore be installed or not.

To be able to do so, the CRL file must be downloaded and placed in the same directory as the SCA files. If this is not done before running SUM, you’ll get this screen:

SUM can continue without verifying the files, but that’s some kind of security breach you will commit. Therefore it is better to do as the message text tells you: download the file and place it into the foler. Download the CRL from here: https://tcs.mysap.com/crl/crlbag.p7s. Copy the file to the directory that contains the SCA files


Select repeat and continue.


Now SUM can verify the files and will know when a certificate was revoked and tell you that it is not secure to install that file.

Let the world know