The Online Certificate Status Protocol (OCSP) lets you obtain the revocation status of a certificate. It has some benefits over certificate revocation lists (CRLs), mainly that the OCSP server does the heavy work of validating a certificate and the client receives a signed answer it can verify before accepting it. To use OCSP in your landscape, you will have to install and configure an OCSP responder. I did this for my sandbox SMP3 system. Here are the links that contain the information on how to set up your own OCSP responder on your Microsoft CA server.
To test whether OCSP is working, you need a certificate with OCSP information included. This is only available for certificates issued after the service was installed, configured and activated on the CA. Therefore, you'll first need to create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create the request or you will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL with a Windows Enterprise CA.
Once OCSP is installed and configured and the CA includes OCSP information in newly issued certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, such as enabling NONCE. Microsoft's test client does not use a nonce, so its test will pass, while OpenSSL sends a nonce by default, so that test will fail. Generally, enabling it ensures you'll have fewer problems with a wide range of clients.
Edit OCSP configuration properties.
Go to tab Signing and enable NONCE.
If the array controller reports that the signing certificate is not available, refresh the node.
The status column should then be empty.
In the CA, an OCSP signing certificate must appear in the list of issued certificates.
After the OCSP service is installed and configured, the CA must be made aware of it. Only then will certificates newly issued by the CA include the OCSP information. This also means you can run an OCSP service without having its URL included in the client certificates; in that case, clients that can be configured with a static OCSP address will still validate the certificate status, while clients that rely on the URL in the certificate won't be able to.
To configure the CA to support the Online Responder (OCSP) service:
Open the Certification Authority snap-in.
Open the properties of the CA.
Open the Extensions tab. By default, the CRL Distribution Point (CDP) list is shown.
Change from CDP to Authority Information Access (AIA).
Click on Add to add a new location.
Specify the locations from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed. Make sure that the clients can resolve the DNS name and communicate with the service.
Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.
You will have to restart the CA service to make the new configuration effective.
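To verify the two points above from a workstation, the OpenSSL checks below are an added example (not part of the original post): a throwaway CA issues a certificate carrying an OCSP URL in its AIA extension, the way your CA will after the change, and `cert_ocsp_uri` shows whether a given certificate has that URL at all. The URL http://ocsp.example.test/ocsp and the `ocsp_check` responder call are placeholders for your own responder.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA and a leaf
# certificate with an OCSP URL in Authority Information Access, then shows the
# checks that confirm OCSP is wired up. The URL below is a placeholder.
set -e

OCSP_URL="http://ocsp.example.test/ocsp"   # placeholder responder address

# Create a self-signed test CA and a leaf certificate whose AIA extension
# points at the OCSP responder, mimicking what the Windows CA emits once
# "Include in the OCSP extension" is ticked.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > "$dir/aia.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/aia.cnf" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Print the OCSP URL embedded in a certificate. Output is empty for a
# certificate issued before the CA was configured to include the URL.
cert_ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Ask the responder named in the certificate for its status. openssl adds a
# nonce to the request by default (use -no_nonce to mimic a client that does
# not); with -resp_text, a responder that has NONCE enabled echoes it back
# under "Response Extensions", which is what the nonce test looks for.
ocsp_check() {
    issuer="$1"; cert="$2"
    url=$(cert_ocsp_uri "$cert")
    [ -n "$url" ] || { echo "no OCSP URL in $cert" >&2; return 1; }
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
        -CAfile "$issuer" -resp_text
}
```

Run `make_test_pki /tmp/ocsptest` and then `cert_ocsp_uri /tmp/ocsptest/leaf.pem` against a certificate issued by your own CA to confirm the AIA change took effect; `ocsp_check` needs a reachable responder and is meant for the certificate you issued after the reconfiguration.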
Next, you will have to include the OCSP certificate in the list of available certificates of the CA.
Open the CA snap-in, select Certificate Templates, right-click and choose “New Certificate Template to Issue”.
Select the OCSP Response Signing certificate.
To check that it worked, select the certificate and open its properties.