Disclaimer: this article contains information about modifying the IIS configuration files. Before you modify the IIS configuration file, back it up and make sure that you understand how to restore the file if a problem occurs.
This article contains information about unsupported operations. Before you modify any of the settings described below, back up your system and make sure that you understand how to restore the system if a problem occurs.
A little abstract. The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Why was it developed? Prior to OCSP, clients checked certificate status (valid/revoked) using certificate revocation lists (CRLs). The client software downloads the certificate issuer's CRL file and examines its Revocation List property. If a particular certificate serial number is present in the CRL, the certificate is considered revoked or invalid and is rejected. As a CRL accumulates revoked certificates, its size grows. A typical empty CRL with default settings is about 600 bytes (the CRL size generally depends on the length of the textual field and extension information and on the signing certificate's key length). Each revoked certificate entry is about 80 bytes. If 10 certificates are revoked, the CRL size will be 600 + 80 * 10 = 1400 bytes. For 100 revoked certificates the size will be about 9 kilobytes. For 100 000 revoked certificates, the size will be approximately 8 megabytes.
When multiple clients try to use a particular certificate (for example, when clients connect to an SSL web site), each of them downloads the full CRL (if it is not cached already). This may cause network bandwidth overhead and significant delays in the certificate revocation checking process. The Online Responder model was developed to address this issue. When an OCSP-aware client checks a certificate's status, the client extracts the serial number from the certificate and submits a query to the certificate issuer's Online Responder service. When the request reaches the Online Responder, it responds to the client with the certificate status: Valid or Revoked. Together, the status request and response have a known size of about 2 kilobytes. So if many clients connect to a particular SSL web site, they are not required to download large CRLs, but just send short requests to the OCSP service.
This was a little abstract. For additional information about OCSP, please refer to the following documents:
Note: it is recommended to perform the steps described below before you set up the certification authority (CA).
I assume that you have installed the Online Responder Service on a separate web server with default settings. It is not recommended to install the OCSP Responder on the same computer as the CA server.
When you set up the OCSP Responder using Server Manager, it is installed as a virtual directory in the default web site and has the following URL format: WebServerComputer.company.com/ocsp. This is not a very nice URL format, so you may wish to get something like this instead: ocsp.company.com. Unfortunately there are no standard tools to move the OCSP application to another web site. However, there are some tricks that allow this.
At this point we have created the new web site that will host the OCSP Responder service. Now we need to move the application settings from the default location to the newly created web site. Because the OCSP implementation in Windows relies only on ISAPI, the only way to move the configuration is to edit the IIS configuration file. The OCSP virtual directory's settings are held in the following section:
<location path="Default Web Site/ocsp">
  <system.webServer>
    <handlers accessPolicy="Read, Script">
      <clear />
      <add name="ISAPI-dll" path="*.dll" verb="*" modules="IsapiModule" resourceType="File" requireAccess="Execute" allowPathInfo="true" />
      <add name="AboMapperCustom-107421" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\ocspisapi.dll" requireAccess="None" responseBufferLimit="0" />
      <add name="TRACEVerbHandler" path="*" verb="TRACE" modules="ProtocolSupportModule" requireAccess="None" />
      <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="ProtocolSupportModule" requireAccess="None" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <security>
      <authentication>
        <windowsAuthentication enabled="false" />
        <anonymousAuthentication enabled="true" logonMethod="Network" />
        <digestAuthentication enabled="false" />
        <basicAuthentication enabled="false" logonMethod="Network" />
      </authentication>
      <requestFiltering allowDoubleEscaping="false" />
    </security>
  </system.webServer>
</location>
Change the <location path="Default Web Site/ocsp"> tag to the following:
<location path="ocsp">
Each <location path="path"> tag represents the settings of one web site, web application or virtual directory. Because the Default Web Site has no custom settings of its own (in fact, each web site inherits the server-scope settings), this is where we define the new settings for the OCSP Responder site.
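One way to script this edit, added here as an example and not part of the original article: a PowerShell script that backs up applicationHost.config (assumed to be at its default path), moves the OCSP <location> block to a web site assumed to be named ocsp, and checks that the ocspisapi.dll handler mapping survived the move.

```powershell
# Added example, not from the original article. Moves the OCSP Responder
# <location> block from "Default Web Site/ocsp" to a site named "ocsp" by
# editing applicationHost.config directly. Run from an elevated 64-bit PowerShell.
# Assumptions: the new site is named "ocsp" and IIS uses the default config path.
$configPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
$oldPath    = 'Default Web Site/ocsp'
$newPath    = 'ocsp'

# Back up the file first, as the article advises.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $configPath -Destination $backup
Write-Host "Backup written to $backup"

[xml]$config = Get-Content -LiteralPath $configPath -Raw
$root = $config.DocumentElement   # the <configuration> element

$old = $root.SelectSingleNode("location[@path='$oldPath']")
if (-not $old) { throw "No <location path='$oldPath'> found; nothing to move." }
if ($root.SelectSingleNode("location[@path='$newPath']")) {
    throw "A <location path='$newPath'> already exists; merge it manually."
}

# Deep-copy the block, retarget it at the new site, and insert it beside the original.
$new = $old.Clone()
$new.SetAttribute('path', $newPath)
[void]$root.InsertAfter($new, $old)

# Remove the old virtual-directory block so the responder is served from one place only.
[void]$root.RemoveChild($old)

$config.Save($configPath)
Write-Host "Moved <location path='$oldPath'> to <location path='$newPath'>."

# Sanity check: the ISAPI mapping for ocspisapi.dll must now sit under the new site.
$handler = $root.SelectSingleNode(
    "location[@path='$newPath']/system.webServer/handlers/add[contains(@scriptProcessor,'ocspisapi.dll')]")
if (-not $handler) { throw 'ocspisapi.dll handler mapping is missing after the move.' }
Write-Host "Handler '$($handler.name)' is mapped under site '$newPath'."
```

If the check fails, restore the backup written at the start before touching IIS again.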
Now you will have to configure the certification authority to add this OCSP URL (for example, http://ocsp.company.com) to the AIA extension. After the CA configuration you may have to refresh the OCSP URL in the PKIView.msc MMC snap-in. To do this, revoke the most recent CA Exchange certificate and run the following command in a Command Prompt:
certutil -cainfo xchg
If all is OK, you may run the PKIView.msc MMC snap-in (available on the CA server) and check that everything is correct. Here is a screenshot from my PKIView.msc snap-in:
I have performed this operation several times and it has always worked for me. In any case, if you encounter issues, you may revert all changes and/or contact me for assistance.