Install and configure CA Online Responder – AD CS Part 3

I will be covering the final piece of the AD CS configuration: the CA Online Responder. This includes configuring certificate autoenrollment using Group Policy, adding a revocation configuration to the OCSP Responder, and verifying the AD CS setup.

Setup Guide:

1. Configure Certificate Autoenrollment using group policy

– Log on to the domain controller -> click Start -> Administrative Tools -> click Group Policy Management

– Expand Group Policy Objects in the forest\domain containing the Default Domain Policy Group Policy object (GPO) -> Right-click the Default Domain Policy GPO -> click Edit (this lab edits the Default Domain Policy; in production, put the setting in a dedicated GPO linked at the domain root so it is easier to audit and roll back)

– In the Group Policy Management Editor that opens -> Expand Computer Configuration, Policies, Windows Settings, Security Settings -> click Public Key Policies

Note: The properties page on the next step might be different from mine since I am doing this on a Windows Server 2008 R2 Domain Controller

– Double-click Certificate Services Client – Auto-Enrollment -> Select Enabled from the drop-down -> Check “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK (the same setting exists under User Configuration if user certificates are to autoenroll as well)

Note: Next, set the default action the issuing CA takes when it receives a certificate request

– Return to the issuing CA -> Right-click the issuing CA server name under AD CS -> click Properties -> click the Policy Module tab -> click Properties -> select “Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate” -> click OK -> restart Active Directory Certificate Services when prompted, because the policy module change does not take effect until the service restarts. With this setting a request is issued immediately unless the template’s Issuance Requirements call for CA certificate manager approval, so the Enroll/Autoenroll permissions on each template are what gate who can obtain a certificate.
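The two settings from step 1 can also be applied and read back from an elevated PowerShell prompt. This is an added example, not part of the original post: it assumes the GPO is still named “Default Domain Policy”, that the GroupPolicy module (installed with the Group Policy Management feature) is available where Part A runs, and that Part B runs on the issuing CA itself. The AEPolicy bit values and the RequestDisposition flag values are the ones the GUI writes for the checkboxes described above.

```powershell
# Added example (not from the original post): apply the autoenrollment GPO
# setting and the CA policy module request disposition from PowerShell.
# Assumptions: GPO name 'Default Domain Policy'; Part A runs where the
# GroupPolicy module is installed; Part B runs on the issuing CA.

Import-Module GroupPolicy

# --- Part A: Computer autoenrollment policy ---------------------------------
# AEPolicy bits: 1 = enroll, 2 = renew expired / update pending / remove
# revoked, 4 = update certificates that use templates. 7 = all three ticked.
$gpoName = 'Default Domain Policy'
$aeKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' `
    -Type DWord -Value 7 | Out-Null

# Read the GPO back rather than trusting the call succeeded
$v = Get-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy'
if ($v.Value -ne 7) { throw "AEPolicy is $($v.Value), expected 7" }
"Autoenrollment enabled in '$gpoName' (AEPolicy = 7)"

# --- Part B: CA policy module request disposition (issuing CA) --------------
# RequestDisposition: 0x1 = issue, 0x100 = follow the template first.
# 0x101 = "Follow the settings in the certificate template, if applicable.
# Otherwise, automatically issue the certificate". A value of 0 would park
# every request as Pending for manual approval instead.
$desired = 0x101
& certutil.exe -setreg 'policy\RequestDisposition' $desired | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with $LASTEXITCODE" }

# Policy module changes only take effect after Certificate Services restarts
Restart-Service -Name CertSvc

# Decode what the CA now reports; the line shows hex then decimal, then the
# flag names REQDISP_ISSUE and REQDISP_PENDINGFIRST on the following lines
$out  = & certutil.exe -getreg 'policy\RequestDisposition'
$line = ($out | Select-String 'RequestDisposition').Line
"CA policy module now reports: $line"

# Force this machine to refresh policy; other domain members pick the GPO up
# on their normal refresh interval or with gpupdate /force of their own
& gpupdate.exe /force | Out-Null
```

Run Part A once on the GPMC host and Part B once on the CA; splitting them into two sessions is fine since each half checks its own result.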

2. Add the Revocation Configuration to the OCSP Responder

– Log on to the issuing CA (the server where the Online Responder role service was installed), using a domain account that has local administrative rights -> Launch Server Manager from Administrative Tools -> Expand Roles\Active Directory Certificate Services\Online Responder -> Right-click Revocation Configuration -> click Add Revocation Configuration

– On the Getting started with adding a revocation configuration -> click Next

– On the Name The Revocation Configuration page -> assign a valid name -> Note: Because each revocation configuration is tied to a particular CA, it makes sense to include the CA’s name in the name of the configuration -> click Next

– On the Select CA Certificate Location page -> Identify the location from which the certificate can be loaded-> Choose Select a certificate for an Existing Enterprise CA -> click Next

– On the Choose CA certificate page -> click Browse CA certificates published in Active Directory -> click the Browse button -> The name of the CA server should appear in the Select Certification Authority dialog box -> click OK

– After the certificate is selected, the wizard loads the Online Responder signing templates -> click Next

– On the Select Signing Certificate page -> You must select a signing method because the Online Responder signs each response before sending it to the client -> Accept the default option “Automatically select a signing certificate” -> select the “Auto-Enroll for an OCSP signing certificate” check box

– Click Browse to open the Select Certification Authority dialog box -> click the CA that issues OCSP Signing certificates -> click OK

– Ensure that the Certificate Template box displays the duplicate OCSP Response Signing template that you created previously -> click Next

– On the Revocation Provider page -> click Provider -> In the Revocation Provider Properties dialog box, verify that every location in the Base CRLs list (and in the Delta CRLs list, if the CA publishes delta CRLs) is valid and reachable from this server -> click OK. The Online Responder answers OCSP requests from these CRLs, so an unreachable location means failed or stale responses, not a fallback.

– Click Finish to complete the revocation configuration
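Once the wizard finishes, the Online Responder should have auto-enrolled an OCSP signing certificate from the duplicated OCSP Response Signing template. The check below is an added example, not from the original post; it runs on the Online Responder host (the issuing CA in this lab) and assumes the signing certificate was placed in the local machine Personal store, which is where the “Automatically select a signing certificate” option puts it. Replace the assumed issuer name with your CA’s subject.

```powershell
# Added example (not from the original post): sanity-check the OCSP signing
# certificate that the revocation configuration auto-enrolled.
# Assumptions: run on the Online Responder host; certificate is in
# Cert:\LocalMachine\My; $expectedIssuer is your issuing CA's subject name.

$ekuOcspSigning = '1.3.6.1.5.5.7.3.9'     # id-kp-OCSPSigning
$oidOcspNoCheck = '1.3.6.1.5.5.7.48.1.5'  # id-pkix-ocsp-nocheck
$expectedIssuer = 'CN=Contoso Issuing CA, DC=corp, DC=contoso, DC=com'  # assumption

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Test-OcspSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # 1. Must carry the OCSP Signing EKU, or clients reject the responses
    if (-not ((Get-EkuOids $Cert) -contains $ekuOcspSigning)) {
        $problems += 'missing OCSP Signing EKU' }

    # 2. Delegated responder model: must be issued by the CA it answers for
    if ($Cert.Issuer -ne $expectedIssuer) {
        $problems += "issued by '$($Cert.Issuer)', expected '$expectedIssuer'" }

    # 3. id-pkix-ocsp-nocheck stops clients revocation-checking the responder
    #    certificate itself (which would loop back to the same responder)
    if (-not ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $oidOcspNoCheck })) {
        $problems += 'missing id-pkix-ocsp-nocheck extension' }

    # 4. Without the private key the responder cannot sign anything
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # 5. nocheck means a stolen signing key is usable until the cert expires;
    #    the default template issues 2-week certs, so flag anything longer
    $life = $Cert.NotAfter - $Cert.NotBefore
    if ($life.TotalDays -gt 30) {
        $problems += "validity is $([int]$life.TotalDays) days; keep it short" }

    # 6. Autoenrollment should renew it well before expiry
    if ($Cert.NotAfter -lt (Get-Date).AddDays(2)) {
        $problems += "expires $($Cert.NotAfter)" }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Problems   = $problems
    }
}

# The Online Responder service must be running to answer at all
$svc = Get-Service -Name OcspSvc
"Online Responder service: $($svc.Status)"

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-EkuOids $_) -contains $ekuOcspSigning }
if (-not $candidates) {
    throw 'No OCSP signing certificate found; auto-enrollment in the revocation configuration did not succeed'
}
$candidates | ForEach-Object { Test-OcspSigningCert $_ } | Format-List
```

An empty Problems list for at least one certificate is what you want; “missing id-pkix-ocsp-nocheck” usually means the revocation configuration was pointed at a generic template instead of the duplicated OCSP Response Signing template.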

3. Verify AD CS setup

Note: To ensure that the setup is functioning properly, we need to confirm that we can request certificates, revoke certificates, and make accurate revocation data available from the Online Responder

– The easiest way to verify that OCSP is functioning is to install the Certification Authority Web Enrollment role service -> From the client computer, browse to the web enrollment URL http:///certsrv on the web enrollment server -> Click Request a Certificate

– Click either User Certificate or submit Advanced certificate request -> For the purpose of this test, click Advanced certificate request (click Yes if an ActiveX control prompt pops up)

– On Advanced certificate request page -> click Create and submit a request to this CA (click Yes if an ActiveX control prompt pops up)

– On Advanced certificate request page ->Select the Certificate Template -> Select other options of your choice -> click Submit

– On Certificate Issued page -> click Install this certificate

– Wait for the installation to complete

– Use the Certificates MMC snap-in (certmgr.msc, Personal -> Certificates) to export the newly installed certificate to a file; the public certificate is enough, so choose “No, do not export the private key” (if you get stuck, let me know and I’ll walk you through it)

– Open the command prompt as Administrator -> Run the command: certutil -URL c:\cert\certreq.cer (use the path you exported the certificate to)

– On URL Retrieval Tool -> Select OCSP (from AIA) -> click Retrieve button

– If the Status field shows “Verified”, the Online Responder answered that the certificate is not revoked. Note that this answer was retrieved over OCSP, using the OCSP URL from the certificate’s Authority Information Access (AIA) extension, not from the CRL

– Go to the CA server -> in the Certification Authority console, expand Issued Certificates -> right-click the test certificate -> All Tasks -> Revoke Certificate -> pick a reason code -> click Yes

– Right-click the Revoked Certificates in the console tree -> click All Tasks -> click Publish

– On Publish CRL screen -> Select New CRL -> click OK

– Right-click on the root CA, click Properties -> click the Extensions tab -> Select CRL Distribution Point (CDP) -> click each CRL distribution point that is listed -> click Remove (repeat for all CDPs) -> click OK. Caution: this is a lab-only shortcut to make sure the test relies on OCSP. Removing the CDP only changes the extension written into certificates issued from now on; the test certificate already carries its CDP URL. In production keep the CDP so clients can fall back to the CRL when the Online Responder is unreachable; the responder itself still uses the CRL locations you validated in the revocation configuration.

– Stop and restart Active Directory Certificate Services

– Go back to the client computer -> run the command certutil -URL c:\cert\certreq.cer -> Select OCSP (from AIA) -> click Retrieve button -> Ensure that the status this time shows Revoked

Note: If yours does not show Revoked, the old revocation status is still being served from a cache. Either the client still holds the earlier OCSP response (clear it with certutil -urlcache * delete, then retrieve again) or the Online Responder has not yet picked up the newly published CRL; by default the revocation provider refreshes its CRL copy on the CRL’s own validity schedule, so wait for that interval or restart the Online Responder service.
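The same good-then-revoked round trip can be scripted so it is repeatable after every CA change. This is an added example, not part of the original post. It runs on the client that enrolled the test certificate and assumes the certificate is in the current user’s Personal store, that the CA configuration string is as shown (check with certutil -dump on the CA), that the account running it is a CA administrator for the revoke step, and that the client can reach the OCSP URL in the certificate’s AIA.

```powershell
# Added example (not from the original post): end-to-end revocation check.
# Assumptions: run on the enrolling client; test cert in Cert:\CurrentUser\My;
# $caConfig and $issuerName match your issuing CA; the account can revoke.

$caConfig   = 'IssuingCA01\Contoso Issuing CA'   # assumption: 'host\CA name'
$issuerName = 'CN=Contoso Issuing CA*'           # assumption: CA subject prefix

function Get-RevocationStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Online revocation check of the leaf only. CryptoAPI queries the OCSP URL
    # from the AIA first and falls back to the CDP CRL if that fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $ok = $chain.Build($Cert)

    # ChainStatus entries carry flag enums; OR them together before testing
    $combined = 0
    foreach ($s in $chain.ChainStatus) { $combined = $combined -bor [int]$s.Status }
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    if ($combined -band [int]$F::Revoked)                 { return 'Revoked' }
    if ($combined -band [int]$F::RevocationStatusUnknown) { return 'Unknown' }
    if ($combined -band [int]$F::OfflineRevocation)       { return 'Unknown' }
    if ($ok) { return 'Good' }
    return "Invalid ($combined)"
}

# 1. Newest certificate issued to this user by the issuing CA
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like $issuerName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate from the issuing CA in CurrentUser\My' }
"Testing serial $($cert.SerialNumber)"

# 2. Drop cached OCSP responses and CRLs so the check really hits the responder
& certutil.exe -urlcache * delete | Out-Null
"Before revocation: $(Get-RevocationStatus $cert)"   # expect Good

# 3. Revoke on the CA (reason 1 = KeyCompromise) and publish a new CRL so the
#    Online Responder can learn about it
& certutil.exe -config $caConfig -revoke $cert.SerialNumber 1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "revoke failed with $LASTEXITCODE" }
& certutil.exe -config $caConfig -CRL | Out-Null

# 4. The responder serves from its cached CRL until it refreshes, so poll
#    instead of declaring failure on the first Good answer
$deadline = (Get-Date).AddMinutes(5)
do {
    & certutil.exe -urlcache * delete | Out-Null
    $status = Get-RevocationStatus $cert
    "After revocation: $status"
    if ($status -eq 'Revoked') { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
if ($status -ne 'Revoked') { Write-Warning 'Responder still not reporting Revoked; check its CRL refresh interval' }
```

A result of Unknown before revocation means the client could not reach either the OCSP URL or the CDP, which is a connectivity or AIA/CDP configuration problem rather than a revocation one; fix that before reading anything into the post-revocation result.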
