Udostępnij za pośrednictwem


Configure a CA to Support OCSP Responders

Applies To: Windows Server 2008

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.

Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

  1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.

  2. Configure enrollment permissions for any computers that will be hosting Online Responders.

  3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.

  4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.

  5. Enable the OCSP Response Signing certificate template for the CA.

The certificate template used to issue an OCSP Response Signing certificate must contain an extension titled "OCSP No Revocation Checking" and the OCSP Signing application policy. Permissions must also be configured to allow the computer that will host the Online Responder to enroll for this certificate.

The following procedure is for a CA that is installed on a computer running Windows Server 2008.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.

To configure the certificate template for an OCSP Response Signing certificate issued by a Windows Server 2008–based CA

  1. Open the Certificate Templates snap-in.

Note

If you are completing this procedure on a computer that does not have a CA or Online Responder installed, you may need to install the Active Directory Certificate Services (AD CS) Remote Server Administration Tools in order to use the Certificate Templates snap-in. For more information about the Remote Server Administration Tools, see Administer an Online Responder from Another Computer.

  1. Right-click the OCSP Response Signing template, and then click Properties.

  2. Click the Security tab. Under Group or user name, click Add.

  3. Click Object Types, select the Computers check box, and then click OK.

  4. Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click OK.

  5. In the Group or user names dialog box, click the computer name, and in the Permissions dialog box, select the Read and Enroll check boxes. Then click OK.

The following procedure is for a CA that is installed on a computer running Windows Server 2003. The procedure must be completed on a computer running Windows Server 2008.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.

To configure the certificate template for an OCSP Response Signing certificate issued by a Windows Server 2003–based CA

  1. Open the Certificate Templates snap-in.

  2. Right-click the OCSP Response Signing template, and then click Duplicate. Click Windows 2003 Server, Enterprise Edition, and then click OK.

  3. Click the Security tab. Under Group or user name, click Add, and then type the name of or browse to select the computer hosting the Online Responder or OCSP responder services.

  4. Click Object Types, select the Computers check box, and then click OK.

  5. Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click OK.

  6. In the Group or user names dialog box, click the computer name, and in the Permissions dialog box, select the Read and Enroll check boxes.

Note

The default OCSP Response Signing certificate template contains an extension titled "OCSP No Revocation Checking." Do not remove this extension, which is used by many clients to verify that responses signed with the signing certificate are valid.

If the CA is installed on a computer running Windows Server 2003, you must complete the following procedure in order to configure the policy module on the CA to issue certificates that include this extension.

You must be a local administrator to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.

To prepare a computer running Windows Server 2003 to issue OCSP Response Signing certificates

  1. On the server hosting the CA, open a command prompt, and type:

    certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5
    
  2. Stop and restart the CA. You can do this at a command prompt by running the following commands:

    net stop certsvc
    net start certsvc
    

To configure your CA for OCSP, you must use the Certification Authority snap-in to complete the following CA configuration steps:

  • Add the location of the Online Responder or OCSP responder to the authority information access extension.

  • Enable the certificate template for the CA.

You must be a CA administrator to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.

To configure a CA to support an Online Responder or OCSP responder services

  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties.

  4. Click the Extensions tab.

  5. In the Select extension list, click Authority Information Access (AIA),and then click Add.

  6. Specify the locations from which users can obtain certificate revocation data, such as https://computername/ocsp.

  7. Select the Include in the online certificate status protocol (OCSP) extension check box.

  8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.

  9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.

  10. Double-click Certificate Templates, and verify that the modified certificate templates appear in the list.

Additional references