Install and configure Active Directory Certificate Services

Configuring Online Responder

Configure Online Responder Service

Before we can start using our Online Responder, we need to configure the Online Responder service. This configuration applies to Windows Server 2016 and 2019.

Open Certificate Authority management console


Right Click on Certificate Templates and select Manage


The Certificate Templates Console should now be open. Under the Template Display Name column, find OCSP Response Signing. Right click on OCSP Response Signing and select Properties.


Once you are in the OCSP Response Signing Properties, go to the Security tab and add the OCSP server's computer account with Read and Enroll permissions.

Note: I like to create a security group, nest the computer accounts inside the security group, and then assign the template permissions to the security group. Also, since our Online Responder is on the same server as the certificate authority, you should be able to issue the template to the CA without doing this. In production you would install the Online Responder role on a separate server from your CA server. I felt it was important to go over this process, since this is the best-practice approach for configuring an Online Responder in production environments.


Now open the Certificate Authority management console again. Right click on Certificate Templates, select New, and then Certificate Template to Issue.


Select the OCSP Response Signing template and press OK.


Configure AIA Extension to support OCSP

Open the Certificate Authority management console


Right click on your Certificate Authority server and select Properties


Go to the Extensions tab. In the “Select extension” drop-down box, select “Authority Information Access (AIA)” and click Add.


In the Location box, add “http://FQDN/ocsp” (where FQDN is the fully qualified name of your Online Responder) and press OK


Select “Include in the online certificate status protocol (OCSP) extension” and press OK


You will be prompted to restart Active Directory Certificate Services. Press Yes.


Configure Revocation Configuration

Open Online Responder Management


Right Click Revocation Configuration and Select Add Revocation Configuration


Configure the Revocation Configuration Name (for example, “Hostname of OCSP Revocation Configuration”)


On the Select CA Certificate Location page, choose Select a certificate for an existing enterprise CA


On the Choose CA Certificate page, choose Browse CA certificates published in Active Directory and select your CA server.


On the Select Signing Certificate page, choose Automatically select a signing certificate and enable Auto-Enroll for an OCSP signing certificate.

After you have enabled Auto-Enroll for the OCSP signing certificate, select Browse and choose your CA server. The Certificate Template field should now auto-populate with the OCSP Response Signing template we issued earlier.


On the Revocation Provider page, press Provider and verify that base CRLs have been selected. (This should be done automatically.)


Press Finish to complete the Revocation Configuration
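The "Certificate Template to Issue" and "Configure AIA Extension" steps above can also be scripted and then verified from an elevated prompt on the CA. This is an added example, not part of the original post; it uses certutil's documented registry and template switches, and the responder FQDN and the certificate file path are placeholders you must replace.

```powershell
# Added example (not from the original post). Run elevated on the enterprise CA.
$OcspFqdn = "ocsp.example.local"          # placeholder: FQDN of your Online Responder
$OcspUrl  = "http://$OcspFqdn/ocsp"

# 1. Issue the OCSP Response Signing template. certutil wants the template's
#    common name (OCSPResponseSigning), not its display name.
certutil -SetCATemplates +OCSPResponseSigning
if ($LASTEXITCODE -ne 0) { throw "Could not issue the OCSPResponseSigning template" }

# 2. Add the OCSP URL to the AIA publication list. Flag 32 is the
#    "Include in the online certificate status protocol (OCSP) extension" box;
#    the leading '+' appends to the existing REG_MULTI_SZ instead of replacing it.
certutil -setreg CA\CACertPublicationURLs "+32:$OcspUrl"
if ($LASTEXITCODE -ne 0) { throw "Could not update CA\CACertPublicationURLs" }

# 3. The console prompts to restart AD CS after changing extensions; do the same here.
Restart-Service -Name CertSvc

# 4. Confirm the OCSP entry is really present in the CA configuration.
$aia = certutil -getreg CA\CACertPublicationURLs | Out-String
if ($aia -notmatch [regex]::Escape("32:$OcspUrl")) {
    throw "AIA does not contain the OCSP URL; check the certutil -setreg call"
}

# 5. Validate end to end with a certificate issued AFTER the change (certificates
#    issued earlier do not carry the new AIA URL, so they will not use the responder).
$CertPath = "C:\temp\issued-after-change.cer"   # placeholder: export such a cert here
$result = certutil -verify -urlfetch $CertPath | Out-String
if ($result -match 'Verified\s+"OCSP"') {
    "OCSP revocation check succeeded for $CertPath"
} else {
    Write-Warning "No successful OCSP check reported; review the output:`n$result"
}
```

If step 5 reports a failure, the usual causes are a responder that cannot reach the CA's base CRL or an OCSP signing certificate that has not auto-enrolled yet; both show up in the Online Responder Management console.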

