Sunday, 23 January 2011

How to Set Up the Server 2008 R2 Online Responder Service - Avoid the Dreaded 0x80092013 with SSTP VPN

In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
  • Time. Certificates are issued for a fixed period of time and considered valid as long as the expiration date of the certificate is not reached, unless revoked before that date.
  • Revocation status. Certificates can be revoked before their expiration date because of multiple reasons such as key compromise or suspension. Before performing any operation, applications often validate that the certificate was not revoked.
Revocation status can be checked using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP); this check is performed when establishing a VPN with SSTP.

Step One
Configure the Enterprise CA's AIA Extension to Support OCSP

To advertise that revocation status information for a particular CA can be obtained via OCSP, the CA must include a pointer to the OCSP Responder in the certificate. This is done by adding an OCSP URI to the AIA extension of the certificate. This is a configuration made on the CA and will be applied to certificates issued by the CA.

1. Open the Certification Authority Snap-in on the CA, as an Enterprise Administrator

2. Right click on the CA name, and select Properties

3. Click on the Extensions tab. From the Select Extension drop-down box, select Authority Information Access (AIA). This is shown below. For Internet clients, select Add and enter a public DNS entry, e.g.

4. Check the Checkbox for Include in the online certificate status protocol (OCSP) extension.

5. Click OK, to close the CA Properties.

Step Two
Configure the Enterprise CA with the OCSP Signing Template

1. On the Enterprise CA, select Certificate Templates, right-click and select Manage. This opens the complete list of the CA's templates in the Certificate Templates console.

2. Locate the OCSP Response Signing certificate template, right-click it, and select Properties.

3. On the Security tab, add the computer account of the soon-to-be OCSP server, and give it Read and Enroll permissions on the template. Click OK.

4. In the Certification Authority management console, right-click the Certificate Templates node and, from the context menu, select New and then "Certificate Template to Issue".

5. Select the OCSP Response Signing template and click OK.

Step Three
Installing and Configuring the OCSP Responder Role

1. To install the OCSP Responder, add the Online Responder role service, found under Active Directory Certificate Services.

2. Open the Online Responder snap-in from Administrative Tools.

3. Select Revocation Configuration, right-click and select Add Revocation Configuration. A wizard opens.

4. Give the configuration a friendly name.

5. Select "Select a certificate for an existing Enterprise CA".

6. Select "Browse CA certificates published in Active Directory" and click Browse. You should see your CA certificate; select it and click OK.

7. Next you need to select the certificate that will be used for signing OCSP responses. For a particular revocation configuration, the OCSP signing certificate must be issued by the CA for which the OCSP Responder will answer revocation status requests. Select "Automatically select a signing certificate" and choose the OCSP Response Signing template you configured in Step Two above. Click Next.

8. The OCSP Responder obtains its CRL from the CA, so you do not have to add any other revocation provider. Finish the wizard.
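Once the three steps are complete, the following PowerShell script (an added check, not part of the original post) verifies from a client's point of view that a certificate issued by the CA now carries the OCSP URL in its AIA extension and that online revocation checking of its chain succeeds. It assumes the certificate is in the local machine Personal store and is matched by the subject filter `*vpn.example.com*`, which you should adjust; the chain status names it reports (such as `OfflineRevocation` / `RevocationStatusUnknown`) are the condition that surfaces to SSTP clients as 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).

```powershell
# Added example: verify the AIA/OCSP configuration from a client's perspective.
# Assumption: the certificate to test lives in Cert:\LocalMachine\My and its
# subject matches the filter below (placeholder name, change it).
$subjectFilter = '*vpn.example.com*'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectFilter } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching $subjectFilter found" }

# Authority Information Access extension is OID 1.3.6.1.5.5.7.1.1.
# Its formatted text lists the OCSP URL (access method 1.3.6.1.5.5.7.48.1)
# that Step One added on the CA; certificates issued before that change
# will not have it and must be re-issued.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) {
    Write-Warning 'No AIA extension: certificate predates the Step One change.'
} else {
    $text = $aia.Format($true)
    $text
    if ($text -notmatch 'ocsp') {
        Write-Warning 'AIA extension present but contains no OCSP URL.'
    }
}

# Build the chain with online revocation checking of every certificate,
# which is what the SSTP client does when it validates the server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain valid with online revocation checking: $valid"
foreach ($s in $chain.ChainStatus) {
    # OfflineRevocation / RevocationStatusUnknown here is the 0x80092013 case.
    '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}

# Let certutil fetch each AIA and CDP URL itself and report per-URL results,
# which shows directly whether the Online Responder answered.
$tmp = Join-Path $env:TEMP 'revcheck-test.cer'
[System.IO.File]::WriteAllBytes($tmp, $cert.RawData)
certutil -verify -urlfetch $tmp
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it on a domain-joined client (or the VPN server itself) after issuing a fresh certificate; if the `certutil -verify -urlfetch` output shows the OCSP URL as verified and the chain builds, SSTP clients will no longer hit the offline-revocation error.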
