I will be covering the final piece of the AD CS configuration: configuring the CA Online Responder. This includes configuring Certificate Autoenrollment using Group Policy, adding the Revocation Configuration to the OCSP Responder, and verifying the AD CS setup.
Setup Guide:
1. Configure Certificate Autoenrollment using group policy
– Log on to the domain controller -> click Start -> Administrative Tools -> click Group Policy Management
– Expand the Group Policy Objects in the forest\domain containing the Default Domain Policy Group Policy object (GPO) -> Right-click the Default Domain Policy GPO -> click Edit
– In the Group Policy Management Console (GPMC) -> Expand Computer Configuration, Policies, Windows Settings, Security Settings -> click Public Key Policies
Note: The properties page in the next step might look different from mine, since I am doing this on a Windows Server 2008 R2 domain controller
– Double-click Certificate Services Client – Auto-Enrollment -> Select Enabled from the drop-down -> Check “Renew expired certificates, update pending certificates, and remove revoked certificates” & “Update certificates that use certificate templates” -> click OK
Note: Next we need to set the default action that the issuing CA takes when it receives certificate requests
– Return to the issuing CA -> Right-click the issuing CA server name under AD CS -> click Properties -> click Policy Module tab -> click Properties -> select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate -> click OK
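The two settings from step 1 can be confirmed from the command line rather than by reopening the GPO editor and the CA properties. The script below is an added example, not part of the original post: it reads the AEPolicy value that the "Certificate Services Client – Auto-Enrollment" policy writes to the registry, queries the CA's policy module disposition with certutil -getreg, and then triggers a policy refresh and an autoenrollment pulse. The CA config string is a placeholder; the bit meanings of AEPolicy (7 = Enabled with both boxes checked, 0x8000 = Disabled) and the RequestDisposition encoding (0x101, decimal 257, for "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate") are my assumptions from working with these settings, not something the post states.

```powershell
# Added example (not from the original post). Run on a domain-joined machine
# that has applied the Default Domain Policy; the CA check needs network access
# to the issuing CA named in $CAConfig (placeholder value, replace with yours).
param(
    [string]$CAConfig = 'ca01.example.local\Example-Issuing-CA'
)

function Get-AutoEnrollmentState {
    # Reads HKLM (Computer Configuration) or HKCU (User Configuration) AEPolicy.
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) {
        return [pscustomobject]@{ Scope = $Scope; AEPolicy = $null; State = 'Not configured' }
    }
    # Assumed bit layout: 0x1 = Enabled, 0x2/0x4 = the two checkboxes, 0x8000 = Disabled.
    $state = if ($val -band 0x8000)        { 'Disabled' }
             elseif (($val -band 7) -eq 7) { 'Enabled (renew/update + template update)' }
             elseif ($val -band 1)         { 'Enabled (not all options checked)' }
             else                          { 'Unrecognised value' }
    [pscustomobject]@{ Scope = $Scope; AEPolicy = ('0x{0:X}' -f $val); State = $state }
}

function Get-CAPolicyDisposition {
    # certutil -getreg prints the DWORD together with its symbolic flags.
    param([Parameter(Mandatory)][string]$Config)
    $out  = & certutil.exe -config $Config -getreg policy\RequestDisposition 2>&1
    $line = $out | Where-Object { $_ -match 'RequestDisposition' } | Select-Object -First 1
    [pscustomobject]@{
        CA                        = $Config
        RequestDisposition        = $line
        # Assumption: 0x101 (257) = REQDISP_ISSUE | REQDISP_DEFAULT_ACTION,
        # the "follow the template, otherwise issue" option chosen in the GUI.
        FollowsTemplateThenIssues = [bool]($line -match '\(257\)')
    }
}

Get-AutoEnrollmentState -Scope Machine
Get-AutoEnrollmentState -Scope User
Get-CAPolicyDisposition -Config $CAConfig

gpupdate /force | Out-Null   # pull the edited Default Domain Policy now
certutil -pulse               # start an autoenrollment pass instead of waiting for the timer
```

If the Machine scope still reports "Not configured" after gpupdate, the machine has not received the edited GPO yet (check with gpresult /r); the User scope stays unconfigured unless you also enable the matching setting under User Configuration.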
2. Add the Revocation Configuration to the OCSP Responder
– Log on to the issuing CA using a domain account that has local administrative rights -> Launch Server Manager from Administrative Tools -> Expand Roles\Active Directory Certificate Services\Online Responder -> select Revocation Configuration -> Right-click Revocation Configuration -> click Add Revocation Configuration
– On the Getting started with adding a revocation configuration page -> click Next
– On the Name The Revocation Configuration page -> assign a valid name -> Note: Because each revocation configuration is tied to a particular CA, it makes sense to include the CA’s name in the name of the configuration -> click Next
– On the Select CA Certificate Location page -> identify the location from which the certificate can be loaded -> choose Select a certificate for an Existing Enterprise CA -> click Next
– On the Choose CA certificate page -> click Browse CA certificates published in Active Directory -> click the Browse button -> The name of the CA server should appear in the Select Certification Authority dialog box -> click OK
– After the certificate is selected, the wizard loads the Online Responder signing templates -> click Next
– On the Select Signing Certificate page -> You must select a signing method because the Online Responder signs each response to clients before it sends it -> Accept the default option “Automatically select a signing certificate” -> select Auto-Enroll for an OCSP signing certificate check box
– Click Browse to open the Select Certification Authority dialog box -> click the CA that issues OCSP Signing certificates -> click OK
– Ensure that the Certificate Template box displays the duplicate OCSP Response Signing template that you created previously -> click Next
– On the Revocation Provider page -> click Provider -> In the Revocation Provider Properties dialog box, verify that all locations in the Base CRLs list are valid -> click OK
– Click Finish to complete the revocation configuration
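The Revocation Provider page only lists the Base CRL locations; it does not tell you whether the responder can actually fetch a current CRL from them, and a responder fed a stale or unreachable CRL will answer every status request with errors or outdated data. The script below is an added example, not part of the original post: for each Base CRL URL you paste in from the Revocation Provider Properties dialog it downloads the CRL, runs certutil -dump on it and reports ThisUpdate/NextUpdate, and it checks that the Online Responder service (OCSPSvc) is running. The URL in $BaseCrlUrls is a constructed placeholder.

```powershell
# Added example (not from the original post). Run on the Online Responder as a
# local administrator so the download happens from the responder's own vantage point.
param(
    [string[]]$BaseCrlUrls = @('http://pki.example.local/CertEnroll/Example-Issuing-CA.crl')  # placeholder
)

function Get-CrlFreshness {
    param([Parameter(Mandatory)][string]$Url)
    $tmp = Join-Path $env:TEMP ('crlcheck-{0}.crl' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints the CRL fields, including ThisUpdate and NextUpdate.
        $dump = & certutil.exe -dump $tmp 2>&1 | Out-String
        $this = if ($dump -match 'ThisUpdate:\s*(.+)') { $Matches[1].Trim() -as [datetime] } else { $null }
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $Matches[1].Trim() -as [datetime] } else { $null }
        [pscustomobject]@{
            Url        = $Url
            Reachable  = $true
            ThisUpdate = $this
            NextUpdate = $next
            # A CRL past NextUpdate is exactly what makes the responder serve stale answers.
            Expired    = ($null -ne $next -and $next -lt (Get-Date))
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Url = $Url; Reachable = $false; ThisUpdate = $null; NextUpdate = $null
            Expired = $null; Error = $_.Exception.Message
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Test-OnlineResponderService {
    $svc = Get-Service -Name OCSPSvc -ErrorAction SilentlyContinue
    [pscustomobject]@{ Service = 'OCSPSvc'; Present = ($null -ne $svc); Status = $svc.Status }
}

Test-OnlineResponderService
$BaseCrlUrls | ForEach-Object { Get-CrlFreshness -Url $_ } | Format-Table -AutoSize
```

A URL that is reachable but whose NextUpdate is in the past points at the CA side (the CRL was never republished), whereas an unreachable URL usually means a name-resolution or IIS problem between the responder and the CDP web server; both show up in the Online Responder console as a revocation configuration in an error state.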
3. Verify AD CS setup
Note: To ensure that the setup is functioning properly, we need to confirm that we can request certificates, revoke certificates, and make accurate revocation data available from the Online Responder
– The easiest way to verify that OCSP is functioning is to install the Certification Authority Web Enrollment role service -> From the client computer, browse to “http:///certsrv” -> click Request a Certificate
– Click either User Certificate or Advanced certificate request -> For the purpose of this test, click Advanced certificate request (click Yes if an ActiveX control prompt pops up)
– On Advanced certificate request page -> click Create and submit a request to this CA (click Yes if an ActiveX control prompt pops up)
– On the Advanced certificate request page -> select the Certificate Template -> select other options of your choice -> click Submit
– On Certificate Issued page -> click Install this certificate
– Wait for the installation to complete
– Use the Certificates MMC snap-in to export the newly installed certificate to a file (if you can’t, let me know and I’ll walk you through it)
– Open the command prompt as Administrator -> Run the command: certutil -URL c:\cert\certreq.cer
– On URL Retrieval Tool -> Select OCSP (from AIA) -> click Retrieve button
– If the result status field shows “Verified”, then the certificate is valid. Note that this status was retrieved via OCSP (from AIA)
– Go to the CA server and revoke that certificate
– Right-click the Revoked Certificates in the console tree -> click All Tasks -> click Publish
– On Publish CRL screen -> Select New CRL -> click OK
– Right-click the root CA -> click Properties -> click the Extensions tab -> select CRL Distribution Point (CDP) -> click each CRL distribution point that is listed -> click Remove (repeat for all CDPs) -> click OK
– Stop and restart the AD CS service
– Go back to the client computer -> run the command certutil -URL c:\cert\certreq.cer -> Select OCSP (from AIA) -> click Retrieve button -> Ensure that the status this time shows Revoked
Note: If yours doesn’t show Revoked, then the earlier OCSP response for that certificate has not yet expired from the client computer’s cache.
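The certutil -URL dialog used above is interactive, which makes it awkward to repeat after every revocation test, and the cached-response problem in the note is easy to hit. The script below is an added example, not part of the original post: it runs certutil -verify -urlfetch against the exported certificate (the same c:\cert\certreq.cer path as above), classifies the result as Verified or Revoked from certutil's output, and can first flush the local CRL/OCSP URL cache with certutil -urlcache so a stale "Verified" does not hide a fresh revocation. The output strings it matches on ("Verified "OCSP"", "revocation check passed", CRYPT_E_REVOKED) are what certutil printed in my environment and are an assumption, not something the post documents.

```powershell
# Added example (not from the original post). Run on the client computer as the
# user who installed the certificate, since the URL cache is per-user.
param(
    [string]$CertPath = 'c:\cert\certreq.cer',
    [switch]$FlushCache
)

function Clear-RevocationCache {
    # Deletes every entry in CryptoAPI's per-user CRL/OCSP URL cache.
    & certutil.exe -urlcache * delete | Out-Null
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Certificate file not found: $Path" }
    # -urlfetch makes certutil retrieve AIA/CDP/OCSP data over the network instead
    # of relying only on what is already in the local stores.
    $out  = & certutil.exe -verify -urlfetch $Path 2>&1 | Out-String
    $code = $LASTEXITCODE
    # Assumed output markers (see lead-in); anything else is reported as Unknown.
    $status = if ($out -match 'CRYPT_E_REVOKED|is revoked')        { 'Revoked' }
              elseif ($out -match 'revocation check passed')       { 'Verified' }
              elseif ($out -match 'CRYPT_E_REVOCATION_OFFLINE')    { 'Unknown (revocation server offline)' }
              else                                                 { 'Unknown' }
    [pscustomobject]@{
        Certificate  = $Path
        Status       = $status
        OcspAnswered = [bool]($out -match 'Verified "OCSP"')   # responder was actually consulted
        ExitCode     = $code
    }
}

if ($FlushCache) { Clear-RevocationCache }
Test-CertificateRevocation -Path $CertPath | Format-List
```

Run it once before revoking (expect Verified with OcspAnswered true), then again with -FlushCache after revoking and publishing the new CRL; if OcspAnswered is false the client fell back to a CRL, which is why the post removes the CDP entries before repeating the check.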