In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. Certificate status and revocation checking is the process by which the validity of a certificate is verified, based on two main categories: time and revocation status.
- Time. Certificates are issued for a fixed period of time and are considered valid until their expiration date is reached, unless they are revoked before that date.
- Revocation status. Certificates can be revoked before their expiration date for multiple reasons, such as key compromise or suspension. Before performing any operation, applications often validate that the certificate has not been revoked.
Step One
Configure the Enterprise CA's AIA Extension to Support OCSP
To advertise that revocation status information for a particular CA can be obtained via OCSP, the CA must include a pointer to the OCSP Responder in the certificate. This is done by adding an OCSP URI to the AIA extension of the certificate. This is a configuration made on the CA and will be applied to certificates issued by the CA.
1. Open the Certification Authority snap-in on the CA as an Enterprise Administrator.
2. Right-click the CA name and select Properties.
3. Click the Extensions tab. From the Select extension drop-down box, select Authority Information Access (AIA). This is shown below. For Internet clients, click Add and enter a public DNS entry, e.g. http://www.compulinxtraining.com/ocsp
4. Check the checkbox for Include in the online certificate status protocol (OCSP) extension.
5. Click OK to close the CA Properties.
Step Two
Configure the Enterprise CA with the OCSP Signing Template
1. On the Enterprise CA, select Certificate Templates, right-click and select Manage. This opens the complete list of the CA's templates in the Certificate Templates console.
2. Locate the OCSP Response Signing template, right-click it, and select Properties.
3. On the Security tab, add the computer account of the soon-to-be OCSP server and give it Read and Enroll permissions on the template. Click OK.
4. In the Certification Authority console, right-click the Certificate Templates node and, from the context menu, select New and then Certificate Template to Issue.
5. Select the OCSP Response Signing template and click OK.
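The CA-side work of Step One and Step Two can be done from PowerShell on the CA. This is an added example, not part of the original post; it assumes the ADCSAdministration module (Windows Server 2012 R2 or later), an Enterprise Admin session on the CA, and the OCSP URL from the post. Granting the responder computer Read and Enroll on the template is still done on the template's Security tab as described above.

```powershell
# Added example (not from the original post). Run on the Enterprise CA as an
# Enterprise Admin. Assumes the ADCSAdministration module is available.
Import-Module ADCSAdministration

$OcspUrl = 'http://www.compulinxtraining.com/ocsp'   # URL used in the post

# Step One: add the OCSP URI to the CA's AIA configuration with the "include in
# the OCSP extension" flag, so newly issued certificates point at the responder.
# Only add it if an identical entry is not already present.
$existing = Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -eq $OcspUrl -and $_.AddToCertificateOcsp }
if (-not $existing) {
    Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
    # The CA reads the publication URLs at start-up, so restart it to apply.
    Restart-Service certsvc
}

# Step Two: publish the OCSP Response Signing template on this CA
# (template internal name: OCSPResponseSigning).
if (-not (Get-CATemplate | Where-Object { $_.Name -eq 'OCSPResponseSigning' })) {
    Add-CATemplate -Name 'OCSPResponseSigning' -Force
}

# Show the resulting CA-side state for review: which URIs will be stamped
# into the OCSP access method, and whether the template is now issuable.
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateOcsp } |
    Select-Object Uri, AddToCertificateOcsp
Get-CATemplate | Where-Object { $_.Name -eq 'OCSPResponseSigning' }
```

Certificates issued before the restart will not carry the OCSP pointer; only certificates issued afterwards are affected.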
Step Three
Installing and Configuring the OCSP Responder Role
1. To install the OCSP Responder, add the Online Responder role service found under Active Directory Certificate Services.
2. Open the Online Responder snap-in in Administrative Tools.
3. Select Revocation Configuration, right-click and select Add Revocation Configuration. A wizard opens.
4. Give the configuration a friendly name.
5. Select a certificate for an existing Enterprise CA.
6. Select Browse CA certificates published in Active Directory and click Browse. You should see your CA certificate; select it and click OK.
7. Next, select the certificate that will be used for signing OCSP responses. For a particular revocation configuration, the OCSP signing certificate must be issued by the CA for which the OCSP Responder will answer revocation status requests. Select Automatically select a signing certificate and choose the OCSP template you configured in Step Two above. Click Next.
8. The OCSP Responder obtains its CRL from the CA, so you do not have to add any other revocation provider. Finish the wizard.
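The role installation from Step Three can be scripted, and the whole setup should be verified against a certificate issued after the AIA change. This is an added example, not part of the original post; it assumes the ADCSDeployment module (Windows Server 2012 R2 or later), that the revocation configuration itself is created in the wizard as described above, and a placeholder path to an exported .cer file issued by the CA after Step One.

```powershell
# Added example (not from the original post). Run on the server that will host
# the Online Responder. The revocation configuration (signing certificate, CRL
# source) is still created in the Add Revocation Configuration wizard.
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Verification: a certificate issued after Step One must advertise the responder
# in its AIA extension (OID 1.3.6.1.5.5.7.1.1) under the OCSP access method
# (OID 1.3.6.1.5.5.7.48.1). Certificates issued before the change will not.
function Get-OcspUriFromCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return @() }
    # Format($true) renders the extension as text, one "Access Method=" line per
    # entry followed by its "URL=" line. Keep only URLs under the OCSP method.
    $uris = @()
    $inOcsp = $false
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if ($line -match 'Access Method=') {
            $inOcsp = $line -match '1\.3\.6\.1\.5\.5\.7\.48\.1'
        } elseif ($inOcsp -and $line -match 'URL=(\S+)') {
            $uris += $Matches[1]
        }
    }
    return $uris
}

$certPath = 'C:\temp\issued-cert.cer'   # placeholder: a cert issued after Step One
$ocsp = Get-OcspUriFromCert -Path $certPath
if ($ocsp.Count -gt 0) {
    "OCSP responder(s) advertised in AIA: $($ocsp -join ', ')"
} else {
    Write-Warning 'No OCSP URI in AIA: the certificate predates the change or Step One did not apply.'
}

# End-to-end check: certutil fetches every AIA, CRL and OCSP URL in the chain and
# reports each as Verified or Failed. The OCSP line confirms the responder answered
# and that its signing certificate chained to the issuing CA.
certutil -verify -urlfetch $certPath
```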