When you deploy a PKI, you issue certificates through your own certificate authority (CA) and you can revoke some of them before their expiration date, for example when a certificate is no longer used or when you suspect that an attacker has obtained the private key associated with it.
By default, your clients check whether a certificate has been revoked by downloading the certificate revocation lists (CRLs) that your CA publishes automatically.
However, since Windows Server 2008 and Windows Vista, you can also use OCSP (Online Certificate Status Protocol), a protocol introduced with those versions that allows a client to quickly check whether or not a specific certificate has been revoked by your CA.
The main advantage of OCSP is that certificate revocation checking is much faster and requires less network bandwidth.
Indeed, normally, when a client wants to check whether a certificate has been revoked by your certification authority, it downloads the revocation lists published by the CA and looks for the serial number of the certificate in them.
This can mean downloading a lot of ".crl" files to verify a single certificate.
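To see the difference between the two revocation mechanisms from the client side, here is an added PowerShell example (not part of the original tutorial) that reads the CRL Distribution Points and Authority Information Access extensions of a certificate, then asks Windows to build the chain with online revocation checking and reports the outcome. The certificate path is an assumption; any certificate issued by your CA (exported as .cer) will do.

```powershell
# Added example, not from the original page: inspect where a certificate's
# revocation information comes from, then run a live revocation check.
# $CertPath is an assumed value; point it at a .cer issued by your own CA.
function Test-CertificateRevocation {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # CRL Distribution Points (OID 2.5.29.31): where the ".crl" files are downloaded from.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1): contains the OCSP responder URL, if any.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

    Write-Host "CRL Distribution Points:"; if ($cdp) { $cdp.Format($true) } else { '  (none)' }
    Write-Host "Authority Information Access:"; if ($aia) { $aia.Format($true) } else { '  (none)' }

    # Build the chain with online revocation checking for every certificate in it.
    # Windows uses OCSP first when an AIA OCSP URL is present, and falls back to the CRL otherwise.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    $statusFlags = $chain.ChainStatus | ForEach-Object { $_.Status }
    [pscustomobject]@{
        Subject            = $cert.Subject
        SerialNumber       = $cert.SerialNumber
        ChainValid         = $valid
        Revoked            = ($statusFlags -contains 'Revoked')
        RevocationUnknown  = ($statusFlags -contains 'RevocationStatusUnknown' -or $statusFlags -contains 'OfflineRevocation')
        StatusDetails      = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage (assumed path):
Test-CertificateRevocation -CertPath 'C:\temp\user-cert.cer'

# The built-in tool gives the same picture with more detail, including each
# CRL and OCSP URL fetched and whether the fetch succeeded:
certutil -urlfetch -verify 'C:\temp\user-cert.cer'
```

A result where `Revoked` is false but `RevocationUnknown` is true means the client could not reach a CRL or OCSP responder; unless a policy forces strict checking, Windows then treats the certificate as not revoked, which is exactly the gap a reachable online responder is meant to close.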
When using an online responder (to benefit from the OCSP protocol):
To install an online responder (OCSP server), open Server Manager and click on: Add roles and features.
Choose: Role-based or feature-based installation.
In our case, we will install this online responder on the same server as our certificate authority.
Expand the "Active Directory Certificate Services" node and check the "Online Responder" box.
Launch the installation of the new role service: Online Responder.
Wait while the online responder is installed.
Once the installation of this role service is complete, click on the "Configure Active Directory Certificate Services on the destination server" link that appears.
The AD CS Configuration wizard appears.
Click Next.
Check the "Online Responder" box and click Next.
Click Configure.
The "Configuration successful" status appears.
Click Close.
Click Close.
If you open IIS Manager on the server where you just installed your Online Responder, you will see that a new "ocsp" application has appeared under the Default Web Site.
To configure your online responder, you will need to open the "Online Responder Management" console.
The "Online Responder Management" console appears.
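The same installation and configuration can be scripted. The following is an added example, not the tutorial's own procedure, and it assumes the same layout as the tutorial: the Online Responder is installed on the CA server itself, from an elevated PowerShell session. The `ADCS-Online-Cert` feature name, the `Install-AdcsOnlineResponder` cmdlet, the `OcspSvc` service name and the `ocsp.msc` snap-in are the standard Windows names; the check function is this example's own.

```powershell
# Added example (not from the original page): scripted equivalent of the
# Server Manager steps above. Run elevated on the server that hosts the CA.

# Step 1: add the "Online Responder" role service
# (Add roles and features -> Active Directory Certificate Services -> Online Responder).
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# Step 2: configure it (the "Configure Active Directory Certificate Services on the
# destination server" wizard). -Force skips the confirmation prompt.
Install-AdcsOnlineResponder -Force

# Step 3: checks a practitioner would run before opening the console.
function Test-OnlineResponderInstall {
    # Role service state as Server Manager sees it.
    $feature = Get-WindowsFeature -Name ADCS-Online-Cert

    # The Online Responder runs as the "Online Responder Service" (OcspSvc).
    $service = Get-Service -Name OcspSvc -ErrorAction SilentlyContinue

    # The wizard creates an "ocsp" application under the Default Web Site in IIS.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $ocspApp = Get-ChildItem 'IIS:\Sites\Default Web Site' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq 'ocsp' }

    [pscustomobject]@{
        RoleServiceInstalled = [bool]$feature.Installed
        ServiceRunning       = ($null -ne $service -and $service.Status -eq 'Running')
        IisOcspAppPresent    = ($null -ne $ocspApp)
    }
}
Test-OnlineResponderInstall

# Step 4: open the "Online Responder Management" console.
Start-Process ocsp.msc
```

All three fields should be true before you go on to create a revocation configuration; a missing "ocsp" application usually means the configuration wizard (step 2) was never run, since the role service installation alone does not create it.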
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.