In part 1 of this series, you configured your LAB for a 2-tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and computer names on the virtual machines. Finally, you configured AD DS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration of the Standalone Offline Root CA. In part 3 you prepared the HTTP web server for CDP and AIA publication and created a DNS record for the publicly available web server.
In part 4 you performed post-configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, then enabled object access auditing and finally configured three locations for the Authority Information Access (AIA) and four locations for the Certificate Revocation List Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file customized for the Issuing CA role. Next, you published the Root CA certificate and CRL (both to Active Directory and to the HTTP web server) and installed the Enterprise Issuing CA before submitting a request to the Standalone Offline Root CA. Finally, you installed the Issuing CA certificate using the response files from the Standalone Offline Root CA on the removable media.
In part 6, you performed post-installation configuration of the IssuingCA server by configuring certificate revocation and CA certificate validity periods, then enabled auditing on the CA server and configured the AIA and CDP. In this part you will install and configure the OCSP Responder role service on the web server. Using Online Responders that distribute OCSP responses (1) is, along with CRLs, one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant regardless of the number of revoked certificates. For more information about why having an OCSP responder is a good thing in your PKI environment, read here (2).
Step 1. Install the Online Responder Role Service on the web server
Ensure that you are logged on to webserver.windowsnoob.lab.local as windowsnoob\Administrator. Open Server Manager. Right-click on Roles, then click Add Roles. On the Before You Begin page, click Next. On the Select Server Roles page, select Active Directory Certificate Services and then click Next. If you are prompted to add features, click Add features.
On the Features page, click Next. On the Introduction to Active Directory Certificate Services page, click Next.
On the Select Role Services page, clear the Certification Authority option, and then select Online Responder as shown below:
Note: You do not want to install a Certification Authority on the web server, so make sure you clear that checkbox.
If you are prompted to add features required for the Online Responder, click Add features.
On the Confirmation screen, click Install and wait for the installation to complete successfully. When you see that it has completed successfully, click Close.
Note: You must complete the post-deployment configuration.
Click on the yellow exclamation mark in Server Manager to start the post-deployment configuration.
On the Specify credentials page, ensure you are logged on with a user account that has local administrator permissions before clicking Next.
On the Specify role services to configure page, select Online Responder and click Next.
On the Confirmation screen, click Configure. That's it.
On the configuration succeeded screen, click Close.
Step 2. Add the OCSP URL to the windowsnoob Issuing CA
To add the OCSP URL to the windowsnoob Issuing CA, ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin.
In the Certification Authority console (certsrv.msc), in the console tree, right-click windowsnoob Issuing CA and then click Properties. On the Extensions tab, under Select extension, select Authority Information Access (AIA) and then click Add. In Location, type http://webserver.windowsnoob.lab.local/ocsp and then click OK.
Place a check mark in Include in the online certificate status protocol (OCSP) extension. Do not select the other option.
Click Apply. When prompted by the Certification Authority dialog box to restart Active Directory Certificate Services, click Yes.
Note: From now on the windowsnoob Issuing CA will include the http://webserver.windowsnoob.lab.local/ocsp URL in the Authority Information Access (AIA) extension of every certificate it issues, renews or re-enrolls. Certificates enrolled from the windowsnoob Issuing CA prior to this change will not have this URL.
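As an added example that is not part of the original post, the same two steps can be scripted with the ADCSDeployment and ADCSAdministration PowerShell modules that ship with the role; the host names, CA name and OCSP URL are the lab values used in this post. The first block is run on the web server, the second on the Issuing CA.

```powershell
# Added example (not from the original post): PowerShell equivalent of Steps 1 and 2.
# Block 1 runs on webserver.windowsnoob.lab.local as windowsnoob\Administrator.
# Block 2 runs on IssuingCA.windowsnoob.lab.local as windowsnoob\EntAdmin.

# ----- Step 1 equivalent: install only the Online Responder role service -----
# ADCS-Online-Cert is the Online Responder role service. The Certification Authority
# role service (ADCS-Cert-Authority) must NOT end up on the web server (see the Note above).
if ((Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
    throw 'A Certification Authority is installed on this web server; the post does not want that here.'
}
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# Post-deployment configuration, the equivalent of the yellow exclamation mark wizard.
Install-AdcsOnlineResponder -Force

# ----- Step 2 equivalent: publish the OCSP URL in the AIA extension of new certificates -----
$OcspUrl = 'http://webserver.windowsnoob.lab.local/ocsp'

# -AddToCertificateOcsp is the "Include in the online certificate status protocol (OCSP)
# extension" check box. -AddToCertificateAia is deliberately left out: that is the other
# option the post tells you not to select.
Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force

# Check the result before restarting: for this URI only AddToCertificateOcsp should be True.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -eq $OcspUrl } |
    Format-List -Property Uri, AddToCertificateAia, AddToCertificateOcsp

# The CA service has to restart for the new extension settings to take effect
# (the console asks you the same question when you click Apply).
Restart-Service -Name CertSvc
```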
Step 3. Configure and Publish the OCSP Response Signing Certificate on the Issuing CA
To configure the OCSP response signing certificate on the windowsnoob Issuing CA server, do as follows. Ensure that you are logged on as windowsnoob\EntAdmin. In the Certification Authority console, ensure that the windowsnoob Issuing CA is expanded in the console tree. Right-click on Certificate Templates and then click Manage.
Note: If you do not use the EntAdmin account you'll see the following error: "windows could not create the object identifier list. the specified domain either does not exist or could not be contacted. certificate templates are not available".
The Certificate Templates window should open and display the certificate templates stored in Active Directory.
In the details pane (middle pane), scroll down and right-click on the OCSP Response Signing certificate template and then click Properties. On the Security tab, click Add. Click Object Types. In the Object Types dialog box, select Computers and then click OK. In Enter the object names to select, type webserver and then click Check Names. Click OK.
Ensure that webserver is selected and in the Allow column, ensure that both the Read and Enroll permissions are selected before clicking Apply.
Close the Certificate Templates MMC console. In the certsrv.msc console, right-click Certificate Templates, then select New and then select Certificate Template to Issue.
In the Enable Certificate Templates dialog box, click OCSP Response Signing and then click OK.
Step 4. Configure Revocation Configuration on the Online Responder
Log on to the web server as windowsnoob\Administrator. Open Server Manager. In the console tree, click on Tools, expand Active Directory Certificate Services, and then expand Online Responder Management.
Right-click Revocation Configuration and then click Add Revocation Configuration.
On the Getting Started with Adding a Revocation Configuration page click Next.
In Name, enter windowsnoob Issuing CA, and then click Next.
On the Select a CA Certificate Location page ensure that Select a certificate for an Existing enterprise CA is selected, then click Next.
On the Choose CA Certificates page, ensure that Browse CA certificates published in Active Directory is selected, and then click Browse.
On the Select Certification Authority dialog box, ensure that the windowsnoob Issuing CA is selected, and then click OK.
Click Next.
Leave the defaults on the Select Signing Certificate page, and then click Next.
On the Revocation Provider page, click Provider. You can review the choices listed for the OCSP Responder in terms of where to download CRLs, in the form of LDAP and HTTP locations; do not change the base CRLs.
Clear the Refresh CRLs based on their validity periods check box. In the Update CRLs at this refresh interval (min) box, type 15, and then click OK. Click Finish.
Note: Modifying this setting to download CRLs at a faster rate than the CRL's normal expiration makes it possible for the OCSP responder to rapidly pick up new CRLs rather than wait for the last downloaded CRL's normal expiration date. If you are setting up PKI in production, consult with a PKI expert to determine whether you should change the value chosen here.
In the Certification Authority console, expand Array Configuration and then click the webserver.windowsnoob.lab.local computer. Verify that the Revocation Configuration Status in the middle pane reports OK, which confirms that a signing certificate is present. It should state:
Type: Microsoft CRL-based revocation status provider
The revocation provider is successfully using the current configuration
Step 5. Configure Group Policy to Provide the OCSP URL for the windowsnoob Issuing CA on DC01
This configuration should only be needed to allow existing certificate holders to take advantage of a new OCSP responder without having to re-enroll new certificates with the required OCSP URL added in them. To do this configuration ensure you are logged on to DC01.windowsnoob.lab.local as windowsnoob\Administrator. Open an administrative command prompt and run the following commands:
cd \
Press Enter, then run:
certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer
The output should look something like this:
Tip: If you get an error from the above command line, you can verify the correct certutil syntax for your lab by simply typing certutil and making a note of the Config line as shown below.
Click Start, click Run, and then type gpmc.msc and press Enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right-click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
Right-click Intermediate Certification Authorities, and then click Import. On the Welcome to Certificate Import Wizard page, click Next.
In File name, type C:\windowsnoobissuingca.cer, and then click Next.
On the Certificate Store page, click Next.
On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
You should see "The import was successful".
In the console tree, select Intermediate Certification Authorities. In the details pane, right-click the windowsnoob Issuing CA, then click Properties.
On the OCSP tab, in the Add URL box enter http://webserver.windowsnoob.lab.local/ocsp, and then click Add URL. Click OK.
You can now close the Group Policy Management Editor and then close the Group Policy Management console.
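With all five steps done, a practitioner will want to confirm that OCSP is actually being used. The following is an added example, not part of the original post: it checks whether a certificate issued by the Issuing CA carries the OCSP URL from Step 2 and then lets certutil fetch revocation status so you can see the responder from Step 4 answering. It assumes a domain-joined lab machine holding a certificate from the Issuing CA in its computer store, and that the CA's common name matches $IssuerCN (adjust it to the Config line from the certutil tip above if your lab uses "windows noob Issuing CA").

```powershell
# Added example (not from the original post): verify OCSP end to end for a certificate
# issued by the lab Issuing CA. Run on a domain-joined machine that holds such a
# certificate in Cert:\LocalMachine\My (assumption).
$ExpectedOcspUrl = 'http://webserver.windowsnoob.lab.local/ocsp'
$IssuerCN        = 'windowsnoob Issuing CA'   # assumption: adjust to your CA's common name

# Pick the first certificate in the computer's personal store issued by the lab Issuing CA.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$IssuerCN*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '$IssuerCN' found in Cert:\LocalMachine\My." }

# The AIA extension (OID 1.3.6.1.5.5.7.1.1) lists CA Issuers and OCSP access locations.
# Format($true) renders it as multi-line text, so a plain match on the URL is enough here.
$aia     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
$aiaText = if ($aia) { $aia.Format($true) } else { '' }
if ($aiaText -match [regex]::Escape($ExpectedOcspUrl)) {
    Write-Host "AIA extension contains the OCSP URL: $ExpectedOcspUrl"
} else {
    # Expected for certificates enrolled before Step 2 (see the Note there). Those rely on
    # the OCSP URL assigned through Group Policy in Step 5, which certutil below still uses.
    Write-Warning "Certificate $($cert.Thumbprint) has no OCSP URL in its AIA extension."
}

# Export the public certificate to a temp file and have certutil fetch revocation status
# online, which exercises the OCSP URL (from the certificate or from Group Policy).
$tmp = Join-Path -Path $env:TEMP -ChildPath "$($cert.Thumbprint).cer"
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($tmp, $der)
$verify = certutil.exe -verify -urlfetch $tmp 2>&1
Remove-Item -Path $tmp -ErrorAction SilentlyContinue

# Show only the lines that matter: the OCSP fetches, the revocation verdict and any errors.
$verify | Select-String -Pattern 'OCSP', 'revocation', 'ERROR'
```

If the OCSP lines show the URL being retrieved and the revocation check passes, the responder is serving status for this CA; an error on the OCSP fetch usually points back at the Array Configuration status from Step 4 or the URL from Steps 2 and 5.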
That's all for this part, please join me in Part 8 where you will Configure AutoEnroll and verify PKI health.
Recommended reading
(1) OCSP responses: https://www.ietf.org/rfc/rfc2560.txt
(2) Introducing OCSP: https://blogs.technet.microsoft.com/askds/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp/