Install and configure CA Online Responder – AD CS Part2

For Certificate Authority to support the Online Responder service, we need to add the location of the Online Responder to the authority information access extension of issued certificates and enable the certificate templates.

Requirement: IIS service is required. You will be prompted to install IIS during setup.

Setup Guide:

1. Install Online Response Service

– Click Start -> Administrative Tools -> click Server Manager

– Expand Roles -> right-click Active Directory Certificate Services -> click Add role services

– On the Select Role Services page -> select the Online Responder check box -> You are prompted to install IIS and Windows Activation Service -> click Add Required Role Services -> click Next

– Click Next on Web Server IIS -> On Select Role Services -> click Next

– On the Confirm Installation Selections page -> click Install

– When the installation is complete -> Review the status page to verify that the installation was successful -> click Close

Note: During the setup process, a virtual directory named OCSP is created in IIS, and the ISAPI extension used as the Web proxy is registered. You can manually register or un-register the Web proxy by using either of the following commands:

certutil -vocsproot

certutil -vocsproot delete

2. Configure Certificate Template

– Open Server Manager -> Expand Roles, Active Directory Certificate Services -> click Certificate Templates

– Right-click the OCSP Response Signing template -> click Duplicate Template

– Select OS you want the certificate to support -> click Ok

– Enter a new name for the duplicated template

– Click the Security tab -> click Add to open the Select Users, Computers, Service Accounts, or Groups dialog box -> click Object Types -> Select the Computers check box -> click OK

– Enter the name of the computer hosting the Online Responder service -> click OK -> Select the computer name -> In Permissions box, select the Read, Enroll, and Autoenroll check boxes -> click OK

 3. Configure CA to support Online Response service

Note: The CA must be configured to include the Online Responder’s URL as part of the authority information access extension of issued certificates. This URL is used by the OCSP client to validate the certificate status.

– Open Server Manager -> Expand Roles, Active Directory Certificate Services -> Right-click the name of your CA -> click Properties

– Click the Extensions tab -> In the Select extension list, click Authority Information Access (AIA)

– Click Add -> In the Location box, type http:///ocsp (Note:  ServerDNSName is the hostname of the Online Responder server) -> click OK

– While clicking the new location entered -> Select the ‘Include in the online certificate status protocol (OCSP) extension’ check box -> click OK -> then click Yes to restart AD CS

– After restart -> Expand the CA name -> Right-click Certificate Templates -> click New, Certificate Templates to Issue

– In the Enable Certificate Templates dialog box -> Select the duplicate OCSP Response Signing template we earlier created -> click OK

– In the Certificate Templates console -> Verify that the duplicate certificate template appear in the list

Next: In the next post, I will cover the following: Configure Certificate Autoenrollment using group policy; add the Revocation Configuration to the OCSP Responder; and Verify the AD CS setup – Click Here

comments powered by Disqus