Install and configure Active Directory Certificate Services

Configuring Online Responder

Configure Online Responder Service

Before we can start using our Online Responder, we need to configure the Online Responder service. The steps below apply to Windows Server 2016 and 2019.

Open the Certification Authority management console (certsrv.msc).

Right-click Certificate Templates and select Manage.

The Certificate Templates Console opens. In the Template Display Name column, find OCSP Response Signing, right-click it and select Properties.

In the OCSP Response Signing Properties dialog, go to the Security tab and add the OCSP server's computer account with Read and Enroll permissions.

Note: I like to create a security group, nest the computer accounts inside the security group, and then assign the template permissions to the security group. Also, since our Online Responder is on the same server as the certificate authority, you should be able to issue the template to the CA without having to do this. In production you would install the Online Responder role on a separate server from your CA server. I felt it was important to go over this process since it is the best-practice approach for configuring Online Responder in production environments.

Now open the Certification Authority console again. Right-click Certificate Templates, select New, and then Certificate Template to Issue.

Select the OCSP Response Signing template and press OK.

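The same result from PowerShell, as an added example that is not part of the original post: it follows the note above by creating a security group for the responder computer accounts, granting that group Read and Enroll on the OCSP Response Signing template (the ACL on the template object in the Configuration partition, which is what the Security tab edits), and then publishing the template on the CA. The group name "OCSP Responders", the computer name "OCSP01" and the output path are assumptions; run it on the CA with Enterprise Admin rights.

```powershell
# Added example (not from the original post). Assumed names: group "OCSP Responders",
# responder computer account "OCSP01". Requires the ActiveDirectory and
# ADCSAdministration modules (RSAT-AD-PowerShell and the CA role tools).
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$groupName   = 'OCSP Responders'   # assumed group name
$responderPC = 'OCSP01'            # assumed Online Responder computer name

# 1. Security group that holds the Online Responder computer accounts
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to enroll for OCSP Response Signing certificates'
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $responderPC)

# 2. The template's AD object carries the ACL shown on the Security tab
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$groupSid   = (Get-ADGroup $groupName).SID

$acl = Get-Acl -Path "AD:\$templateDN"

# "Read" on the template = GenericRead on the object
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)))

# "Enroll" = the Certificate-Enrollment extended right (well-known rights GUID)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55')))

Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 3. Publish the template on the CA (same as "Certificate Template to Issue")
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# 4. Verify: the template is issued by the CA and the group appears in the ACL
Get-CATemplate | Where-Object Name -eq 'OCSPResponseSigning'
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -like "*$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Granting Enroll to a group rather than to individual computer accounts keeps the template ACL auditable: the membership of the group is the complete list of hosts that can obtain an OCSP signing certificate, which is a certificate that can vouch for the revocation status of everything the CA has issued.
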
Configure AIA Extension to support OCSP

Open the Certification Authority console.

Right-click your certification authority and select Properties.

Go to the Extensions tab. In the Select extension drop-down box, select Authority Information Access (AIA) and click Add.

In the Location box, enter http://FQDN/ocsp, replacing FQDN with the fully qualified domain name of the server hosting the Online Responder, and press OK.

Select Include in the online certificate status protocol (OCSP) extension and press OK.

You will be prompted to restart Active Directory Certificate Services. Press Yes.

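The AIA change can also be made with the ADCSAdministration cmdlets, shown here as an added example that is not code from the original post. It adds the responder URL with only the OCSP flag set (the equivalent of ticking the "Include in the online certificate status protocol (OCSP) extension" box), restarts the CA service as the GUI prompts you to, and then reads the configuration back. The URL http://ocsp01.corp.example.com/ocsp is an assumed value; substitute the FQDN of your responder.

```powershell
# Added example (not from the original post). Assumed value: the responder URL
# http://ocsp01.corp.example.com/ocsp. Run on the CA as a CA administrator.
Import-Module ADCSAdministration

$ocspUrl = 'http://ocsp01.corp.example.com/ocsp'   # assumed FQDN of the Online Responder

# Add the URL once, flagged for the OCSP access method only; -Force skips the prompt
if (-not (Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $ocspUrl })) {
    Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force
}

# The new entry is written to the CA registry and only used after certsvc restarts
Restart-Service -Name certsvc

# Verify: list every AIA entry that will be placed in the OCSP access method of
# newly issued certificates (certificates issued before the restart are unaffected)
Get-CAAuthorityInformationAccess |
    Where-Object AddToCertificateOcsp |
    Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp

# The same data as stored under HKLM\...\CertSvc\Configuration\<CA>\CACertPublicationURLs;
# a prefix of 32 on the URL is the "include in OCSP extension" flag
certutil -getreg CA\CACertPublicationURLs
```

Two points worth checking at this step: the URL only appears in certificates issued after the restart, so existing certificates keep pointing at the CRL until they are renewed, and every relying party that validates those certificates must be able to resolve and reach the hostname you entered, otherwise revocation checking silently falls back to the CRL (or fails, depending on the client's policy).
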
Configure Revocation Configuration

Open Online Responder Management.

Right-click Revocation Configuration and select Add Revocation Configuration.

Enter a name for the revocation configuration (for example, “Hostname of OCSP Revocation Configuration”).

On the Select CA Certificate Location page, choose Select a certificate for an existing enterprise CA.

On the Choose CA Certificate page, choose Browse CA certificates published in Active Directory and select your CA server.

On the Select Signing Certificate page, choose Automatically select a signing certificate and enable Auto-Enroll for an OCSP signing certificate.

After you have enabled Auto-Enroll for the OCSP signing certificate, click Browse and choose your CA server. The Certificate Template field should now auto-populate with the OCSP Response Signing template we issued earlier.

On the Revocation Provider page, press Provider and verify that base CRLs have been selected (this should happen automatically).

Press Finish to complete the revocation configuration.
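
Once the wizard finishes, the configuration is only useful if clients actually get OCSP answers. The following checks are an added example, not part of the original post: they confirm the Online Responder service is running, that auto-enrollment delivered an OCSP Response Signing certificate to the responder's machine store, and that Windows validates a freshly issued certificate through the responder rather than falling back to the CRL. In this lab the responder is on the CA, so all three run there; in production run the first two on the responder and the third on any domain client. The path C:\temp\issued.cer is an assumed location for a certificate issued after the AIA change.

```powershell
# Added example (not from the original post). Assumed path: C:\temp\issued.cer,
# a certificate issued by this CA after the OCSP URL was added to the AIA extension.

# 1. The Online Responder service (OcspSvc) must be running
Get-Service -Name OcspSvc | Select-Object Name, Status

# 2. Auto-enrollment should have placed a certificate with the OCSP Signing EKU
#    (OID 1.3.6.1.5.5.7.3.9) in the responder's machine store. An empty result
#    usually means the template permissions from the first section are wrong.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' } |
    Select-Object Subject, NotAfter, Thumbprint

# 3. Build the chain for an issued certificate and fetch revocation data from the
#    URLs embedded in it. A 'Verified "OCSP"' line shows the responder answered;
#    if only "Base CRL" lines appear, clients are still relying on the CRL.
$issued = 'C:\temp\issued.cer'   # assumed path
certutil -verify -urlfetch $issued | Select-String -Pattern 'OCSP', 'Base CRL', 'revocation'
```

The third check is the one to repeat after any change to the CA or responder: it exercises the exact path a client takes (AIA URL, responder, signing certificate, CRL behind the revocation provider), so a failure here points at the part of the configuration that is broken rather than at a symptom on a client.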
