Windows Server - AD CS
10 November 2023 at 12:13 UTC
InformatiWeb
Page 1/4

Install and configure an OCSP responder to manage certificate revocation on Windows Server 2016

When you deploy a PKI infrastructure, you issue certificates through your own certificate authority, and you can revoke some of them before their expiration date if a certificate is no longer used or you suspect that an attacker has obtained the private key associated with it.
By default, your clients check whether a certificate has been revoked by downloading the certificate revocation lists (CRLs) that your authority publishes automatically.
However, since Windows Server 2008 and Windows Vista, you can also use a protocol called OCSP to check the revocation status of your certificates.

  1. What is OCSP?
  2. Install an online responder (OCSP server)
  3. Create a custom certificate template for OCSP response signing
  4. Add the online responder (OCSP) path in your certificates
  5. Configuring the online responder (OCSP)
  6. Test access to the OCSP address (via the Enterprise PKI component)
  7. Regenerate certificate: Certificate Authority Exchange (CAExchange)
  8. Request a new certificate (which will include OCSP support)
  9. Test access to the OCSP address (via the certutil tool)

1. What is OCSP?

OCSP (Online Certificate Status Protocol) is a protocol, supported on Windows since Windows Server 2008 and Windows Vista, that allows a client to quickly check whether a specific certificate has been revoked by your CA.

The main advantage of OCSP is that certificate revocation checking is much faster and uses less network bandwidth than downloading CRLs.

Normally, when a client wants to check whether a certificate has been revoked by your certification authority, it downloads the revocation lists published by the CA and looks for the serial number of the certificate in question in them.
This means downloading a lot of ".crl" data just to verify a single certificate.

When using an online responder (to benefit from the OCSP protocol):

  • the online responder (OCSP) downloads revocation lists from your certification authority at regular intervals.
  • the client sends a query to the online responder (OCSP) to find out if a specific certificate has been revoked.
  • the online responder checks whether the desired certificate has been revoked and returns a signed response to the client indicating whether or not it has been revoked.
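The following PowerShell script is an added example, not part of the original tutorial, showing the client side of the exchange just described from a verification standpoint: it lists which revocation sources (OCSP URL in the AIA extension, CRL URLs in the CDP extension) a certificate advertises, then lets Windows build the chain with online revocation checking and reports the outcome. The certificate path `C:\temp\server.cer` is a placeholder; the chain is validated against the machine's trusted root store.

```powershell
# Added example (not from the original tutorial): inspect a certificate's
# revocation metadata and run an online revocation check through CryptoAPI.
# Assumption: the certificate to check has been exported to C:\temp\server.cer
# (placeholder path; adjust to your environment).
param([string]$CertPath = 'C:\temp\server.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject : $($cert.Subject)"
"Serial  : $($cert.SerialNumber)"

# 1. Which revocation sources does the certificate advertise?
#    AIA (OID 1.3.6.1.5.5.7.1.1) carries the OCSP responder URL and the CA
#    issuer URL; CDP (OID 2.5.29.31) carries the CRL download URLs.
foreach ($ext in $cert.Extensions) {
    switch ($ext.Oid.Value) {
        '1.3.6.1.5.5.7.1.1' { "AIA (OCSP / CA issuer):`n" + $ext.Format($true) }
        '2.5.29.31'         { "CDP (CRL):`n" + $ext.Format($true) }
    }
}

# 2. Let Windows check revocation online. When an OCSP URL is present in the
#    AIA, CryptoAPI normally queries the online responder and falls back to the
#    CRL only if needed, which is the bandwidth saving the text describes.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)

"Chain builds without errors: $valid"
foreach ($status in $chain.ChainStatus) {
    # Revoked                 -> the CA revoked this certificate: do not trust it.
    # RevocationStatusUnknown /
    # OfflineRevocation       -> the responder or CRL could not be reached:
    #                            never treat this as "good" in a security decision.
    "{0}: {1}" -f $status.Status, $status.StatusInformation
}
```

An empty `ChainStatus` with `$valid` equal to `True` means every certificate in the chain was found and none was reported revoked. To see exactly which OCSP and CRL URLs Windows contacted, the built-in `certutil -verify -urlfetch C:\temp\server.cer` command prints each fetched URL and its result; the tutorial comes back to this tool in step 9.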

2. Install an online responder (OCSP server)

To install an online responder (OCSP server), open Server Manager and click on: Add roles and features.

Choose: Role-based or feature-based installation.

In our case, we will install this online responder on the same server as our certificate authority.

Expand the "Active Directory Certificate Services" node and check the "Online Responder" box.

Launch the installation of the new role service: Online Responder.

Wait while the online responder is installed.

Once the installation of this role service is complete, click on the "Configure Active Directory Certificate Services on the destination server" link that appears.

The AD CS Configuration wizard appears.
Click Next.

Check the "Online Responder" box and click Next.

Click Configure.

The "Configuration successful" status appears.
Click Close.

Click Close.

If you open IIS Manager on the server where you just installed your Online Responder, you will see that a new "ocsp" folder has appeared in the Default Web Site.

To configure your online responder, you will need to open the "Online Responder Management" console.

The "Online Responder Management" console appears.
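As an added example (not part of the original tutorial), the same installation and configuration can be scripted with PowerShell on the CA server, which is useful for repeatable builds and for checking the result of the GUI steps above. It installs the Online Responder role service, runs the AD CS configuration for it, and then verifies that the "ocsp" node exists under the Default Web Site and that port 80 is reachable. The server name `ca.example.lan` is a placeholder.

```powershell
# Added example (not from the original tutorial): PowerShell equivalent of the
# "Add roles and features" and "Configure AD CS" steps, run in an elevated
# session on the server that will host the online responder.
# Assumption: $ResponderFqdn is a placeholder for your own server name.
$ResponderFqdn = 'ca.example.lan'

# 1. Install the Online Responder role service and its management console
#    (the Online Responder Management snap-in used in the next steps).
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# 2. Configure the role service, as the "Configure Active Directory
#    Certificate Services on the destination server" link does in the GUI.
Import-Module ADCSDeployment
Install-AdcsOnlineResponder -Force

# 3. Verify the role service state.
$feature = Get-WindowsFeature -Name ADCS-Online-Cert
"ADCS-Online-Cert installed: $($feature.Installed)"

# 4. Verify that IIS now exposes the "ocsp" node under the Default Web Site,
#    which is the HTTP endpoint clients will query.
Import-Module WebAdministration
$ocspNode = Get-ChildItem 'IIS:\Sites\Default Web Site' | Where-Object { $_.Name -eq 'ocsp' }
if ($ocspNode) {
    "IIS node found: $($ocspNode.Name)"
} else {
    Write-Warning "No 'ocsp' node found under Default Web Site; check the configuration step"
}

# 5. OCSP responses are signed, so the responder is served over plain HTTP on
#    port 80 by default; confirm clients can reach it.
Test-NetConnection -ComputerName $ResponderFqdn -Port 80 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

After this, the "Online Responder Management" console can be opened from Server Manager (Tools menu) or by running `ocsp.msc`; the responder still returns nothing useful until a revocation configuration is created in the following steps.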

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
