Configuring Online Responder
Configure Online Responder Service
Before we can start using our Online Responder, we need to configure the Online Responder service. This configuration applies to Windows Server 2016 and 2019.
Open Certificate Authority management console
Right-click Certificate Templates and select Manage.
The Certificate Templates Console should now be open. Under the Template Display Name column, find OCSP Response Signing. Right-click OCSP Response Signing and select Properties.
Once you are in the OCSP Response Signing Properties window, go to the Security tab and add the OCSP server's computer account with Read and Enroll permissions.
Note: I like to create a security group and nest the computer accounts inside the security group, then assign the template permissions to the security group. Also, since our Online Responder is on the same server as the certificate authority, you should be able to issue the template to the CA without having to do this. In production you would install the Online Responder role on a separate server from your CA server. I felt it was important we go over this process since this is the best-practice approach for configuring Online Responder in production environments.
Now open the Certificate Authority management console again. Right-click Certificate Templates, select New, and then Certificate Template to Issue.
Select the OCSP Response Signing template and press OK.
Configure AIA Extension to support OCSP
Open the Certificate Authority management console.
Right-click your Certificate Authority server and select Properties.
Go to the Extensions tab. In the "Select extension" drop-down box, select "Authority Information Access (AIA)" and click Add.
In the Location box add "http://FQDN/ocsp" and press OK.
Select "Include in the online certificate status protocol (OCSP) extension" and press OK.
You will be prompted to restart Active Directory Certificate Services. Press Yes. Only certificates issued after this restart will carry the OCSP URL in their AIA extension.
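The template publication and AIA extension steps above can also be done from an elevated PowerShell session on the CA. The following is an added example and not code from the original guide; it assumes the ADCSAdministration module that ships with the Certification Authority role, and uses ocsp.example.com as a placeholder for your Online Responder's FQDN.

```powershell
# Added example: publish the OCSP Response Signing template and add the OCSP
# URL to the AIA extension from PowerShell. Run elevated on the CA server.
# 'ocsp.example.com' is a placeholder; replace it with the Online Responder FQDN.
Import-Module ADCSAdministration

$OcspUrl = 'http://ocsp.example.com/ocsp'

# 1. Issue the OCSP Response Signing template. The template's CN is
#    OCSPResponseSigning; its display name is "OCSP Response Signing".
#    Skip the step if the template is already published.
if (-not (Get-CATemplate | Where-Object Name -eq 'OCSPResponseSigning')) {
    Add-CATemplate -Name 'OCSPResponseSigning' -Force
}

# 2. Add the OCSP URL to the AIA extension. -AddToCertificateOcsp is the
#    equivalent of ticking "Include in the OCSP extension" in the GUI, so the
#    URL is written into issued certificates as the OCSP location rather than
#    as a CA certificate download URL.
$existing = Get-CAAuthorityInformationAccess | Where-Object Uri -eq $OcspUrl
if (-not $existing) {
    Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
}

# 3. The CA service must be restarted before the new extension takes effect.
Restart-Service -Name CertSvc

# 4. Verify: the OCSP URL should be listed with AddToCertificateOcsp = True
#    and AddToCertificateAia = False.
Get-CAAuthorityInformationAccess |
    Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp |
    Format-Table -AutoSize
```

Certificates issued before the restart do not contain the OCSP URL, so issue a fresh test certificate after running this before you try to verify revocation checking against the responder.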
Configure Revocation Configuration
Open Online Responder Management.
Right-click Revocation Configuration and select Add Revocation Configuration.
Configure the Revocation Configuration name (for example, "Hostname of OCSP Revocation Configuration").
On the Select CA Certificate Location page, choose Select a certificate for an existing enterprise CA.
On the Choose CA Certificate page, choose Browse CA certificates published in Active Directory and select your CA server.
On the Select Signing Certificate page, choose Automatically select a signing certificate and enable Auto-Enroll for an OCSP signing certificate.
After you have enabled Auto-Enroll for an OCSP signing certificate, select Browse and choose your CA server. The Certificate Template field should now auto-populate with the OCSP Response Signing template we issued earlier.
On the Revocation Provider page, press Provider and verify that base CRLs have been selected (this should be done automatically).
Press Finish to complete the Revocation Configuration.
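Once the revocation configuration is finished, a practitioner will want to confirm that the responder actually enrolled its signing certificate and that a newly issued certificate can be checked against it. The script below is an added example, not part of the original guide; it uses the built-in certutil tool, assumes it is run elevated on the Online Responder server, and uses .\test-cert.cer as a placeholder path to a certificate that this CA issued after the AIA change.

```powershell
# Added example: verify the Online Responder after the revocation configuration
# is in place. Run elevated on the Online Responder server.
# '.\test-cert.cer' is a placeholder for a certificate issued by this CA after
# the AIA change (older certificates will not contain the OCSP URL).
$TestCert = '.\test-cert.cer'

# 1. The Online Responder service (service name OcspSvc) should be running.
Get-Service -Name OcspSvc | Select-Object Name, Status

# 2. The signing certificate auto-enrolled by the revocation configuration is
#    placed in the computer's personal store and carries the OCSP Signing EKU
#    (OID 1.3.6.1.5.5.7.3.9). Its short lifetime is expected; the responder
#    renews it automatically.
$signing = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9'
}
if (-not $signing) {
    Write-Warning 'No OCSP signing certificate found; check the template permissions and the revocation configuration status in Online Responder Management.'
} else {
    $signing | Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 3. Clear the local URL cache so certutil contacts the responder instead of
#    answering from a cached CRL or OCSP response, then fetch the status.
certutil -urlcache * delete | Out-Null
$report = certutil -verify -urlfetch $TestCert

# 4. Show only the lines that concern OCSP and the final revocation verdict.
#    A healthy responder yields Verified "OCSP" entries for the AIA URL that
#    was configured on the CA.
$report | Select-String -Pattern 'OCSP', 'revocation check'
```

If step 4 shows the OCSP URL but no verified OCSP entry, the usual causes are a missing signing certificate (step 2), a responder that cannot reach the CA's CRL, or a test certificate that was issued before the AIA extension was changed.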