Online Certificate Status Protocol

Online Certificate Status Protocol, or short: OCSP, let you obtain the revocation status of a certificate. It has some benefits over certification revocation lists, mainly that you can let the OCSP server do the heavy work of validating a certificate and the client gets some additional security when accepting the answer. To use OCSP in your landscape, you will have to install and configure an OCSP responder. I did this for my sandbox SMP3 system. Here are the links that contain the information on how to set up your own OCSP responder on your Microsoft CA server.

My walkthrough

Hope you find the links useful.

Additional OCSP information

Here are some more links that I consulted when setting up my OCSP responder. All are from Microsoft and treat information regarding OCSP on a Microsoft server and CA.

About

Implementing OCSP responder part 1 – introducing OCSP

OCSP installation and configuration

Designing and implementing a PKI part 2

Designing and implementing a PKI part 3

Designing and implementing a PKI part 4

Designing and implementing a PKI part 5

Windows Server

Online Responder Installation, Configuration, and Troubleshooting Guide

AD CS: Online Certificate Status Protocol Support

Configure a CA to Support OCSP Responders

OCSP part 6 – Test OCSP service

To test if OCSP is working, you need to have a certificate with OCSP information included. This is only available for certificates emitted AFTER the service was installed, configured and activated on the CA. Therefore, you`ll need to first create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request or will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL and a Windows Enterprise CA.

Create CSR with OpenSSL

openssl req –new –newkey rsa:2046 –nodes –keyout dummy.key –out dummy.csr

This creates a key file and the CSR in Base64.

Submit CSR to CA

Certificate snap-in

MSFT Enterprise CA needs the CSR created for a specific template, something that OpenSSL is not offering. If you submit such a request to the CA via MMC, you get an error message.

More information

CA Web Interface

Open the web enrollment server in your browser. Click on Request a certificate.

Go to the advanced options.

Paste the Base64 encoded CSR in the input field. Select as certificate User.

Submit the request and download the generated certificate.

Take a closer look at the certificate. In the AIA section, OCSP must be shown.

Test OCSP service

In the above step, a new user certificate was created, containing OCSP information. To test if OCSP is working, Microsoft is offering the certutil tool.

certutiil –URL dummy.cer

In the Retrieve box, you can select how to certificate information should be retrieved.

Select OCSP.

Check the status

Result: Failed

Result: Unsuccessful

Result: Verified

OCSP part 5 – Further configuration steps

After having OCSP installed, configured and having CA include OCSP information in newly emitted certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. Microsoft test client isn`t using NONCE and their test will pass, while OpenSSL uses NONCE and that test will fail. Generally, enabling it ensures you`ll have less problems with a wide range of clients.

Enable NONCE

Edit OCSP configuration properties.

Go to tab Signing and enable NONCE.

Check status

In case you get a signing certificate not available for the array controller, do a refresh of the node.

The status should be empty.

In the CA, an OCSP signing certificate must appear in the list of issued certificates.

OCSP part 4 – Configure CA to support OCSP Responders

After having the OCSP service installed and configured, the CA must be made aware of the service. Only after this, new emitted certificates by the CA will include the OCSP information. This means that you can run a OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won`t be able to do this.

To configure a CA to support an Online Responder or OCSP responder services

  • Open the Certification Authority snap-in.


  • Open the properties of the CA.

  • Open the extensions tab. By default, the CRL distribution point (CDP) list is shown.

  • Change from CDP to Authority Information Access (AIA)

  • Click on Add to add a new location.

  • Specify the locations from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed.Make sure that the clients can resolve the DNS name and communicate with the service.

    Example: http://<ServerDNSName>/ocsp

  • Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.

    You will have to restart the CA service to make the new configuration effective.

  • Next, you will have to include the OCSP certificate in the list of available certificates of the CA.


  • Open the CA snap-in, select Certificate Templates, right click and choose “New Certificate Template to Issue”


  • Select the OCSP Response Signing certificate.

  • To check that it worked, select the certificate and open its properties.

OCSP part 3 – Add read permission to NetWork Service

For the CA to be able to use OCSP, read permission to the private key must be given.

Add Read permissions to Network Service on the private key

Open the Certificate Templates snap-in.

Select the OCSP Response Signing template.

Right-click it and click on properties.

Go to tab security. Click on add.

In the dialog, select from the list of object types computer.

Search for the CA/OCSP computer. Click OK.

Select the newly created entry with the computer name of the OCSP responder and select ALLOW for Read and Enroll permissions.

Finish the task by clicking on OK.

OCSP part 2 – Create a Revocation Configuration

After installing OCSP component in Windows, it is time to configure the service: how OCSP requests are going to be handled; from where to receive the CRL, specify OCSP certificate, etc.

  1. Open the Online Responder snap-in.

  2. Click on Revocation Configuration.

  3. The list of available configuration is empty.

  4. Add a new revocation configuration.

  5. The configuration wizard opens.

  6. Give a name for the new configuration.

  7.  Inform the location of the CA. My CA is a Windows Enterprise CA, so its configuration is stored in the AD.

  8. Give the information of the signing certificate. Just leave the default values.
  9. Configure the provider. That is, where OCSP can retrieve the information of revoled certificates.

  10. I am using the AD for obtaining this information.

  11. After this, the necessary information for the provider is given and the wizard can start with performing the actual configuration.

  12. This ends the wizard. Afterwards, the status can be seen in the pane.

OCSP part 1 – Install an Online Responder

Installing OCSP Responder Role

You can install the OCSP responder role in Windows Server 2008 R2 either via a command line tool or by using the role wizard.

Command line

Command: servermanagercmd.exe –install ADCS-Online-Cert

Whooops, deprecated 😀

Nevertheless, works. You just have to wait for the installer to finish.

Role wizard

  1. Open the server manager.

  2. Select the roles node and Active Directory Certificate Services.

  3. The Online Responder role should be shown as not installed.

  4. To add the role, click on Add Role Services. Select Online Responder.

    The installation starts.

  5. At the end of the installation, an Installation succeeded message must appear.

  6. In the list of installed roles, Online Responder appears now with status installed.

  7. In IIS, a new web site with name ocsp must appear. This is the URL of the OCSP responder that is needed to be added to certificates by the CA.