Recently I decided to perform little changes on my OCSP Responder. I'm using offline CA (root) and have configured to include OCSP URL to all issued certificates. But some time I haven't OCSP configuration for  my root CA. And today I have completed all changes and now Root CA issues OCSP signing certs for appropriate OCSP configuration.

You can find required info about the subject on TechNet: Online Responder Installation, Configuration, and Troubleshooting Guide or in AskDS blog: Implementing an OCSP responder: Part IV - Configuring OCSP for use with Standalone CAs. However both links contains incorrect settings, therefore I'll post correct steps.

Assuming that OCSP Responder role is installed on a dedicated server (this is not a good practice to combine OCSP with Certification Authority role. However you can combine OCSP with Web enrollment and/or HTTP enrollment roles) and have Standalone CA running Windows Server 2003/2008/2008 R2.

Prepare offline OCSP certificate request

Log on to OCSP server with local administrator permissions. There are no special domain permissions, so local administrator will be enough for you. Administrator permissions will be required for all operations described below.

On the desktop create a text file, for example 'ocsprequest.txt' and type the following text:

[NewRequest]
Subject = "CN=Root CA OCSP Signing,OU=corp,O=Company Name,C=US"
MachineKeySet = True
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
KeyLength = 2048
[EnhancedKeyUsageExtension]
OID="1.3.6.1.5.5.7.3.9"

NEVER mark private keys as exportable unless this is user encryption certificate. You MUST NEVER mark private keys as exportable especially for computer certificates. Since OCSP Signing certificate never checked for revocation you should carefully use this certificate, because if the key is compromised, you cannot revoke this certificate!

You should edit Subject string to your custom values. Actually it is not necessary to set file extension as INF, because CertReq utility can read from TXT as well as from INF files. Run Command Prompt in elevated mode (by right-clicking on Command Prompt shortcut and pressing Run As Administrator). In the CMD type the following command:

certreq –new desktop\ocsprequest.txt desktop\ocsprequest.req

This will save a request file on your desktop. Copy request file (with .REQ extension) to a standalone CA using any removable media.

Prepare Standalone CA

Standalone CAs by default don't support id-pkix-ocsp-nocheck extension, so you will have to add this by running the following commands in elevated Command Prompt:

certutil -v -setreg policy\EditFlags +EDITF_ENABLEOCSPREVNOCHECK
certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5

The next thing we need to configure — certificate validity period. Since Standalone CA don't use certificate templates and certificate validity period is calculated as least from two values:

  • ValidityPeriod
  • Estimated CA certificate lifetime

By default ValidityPeriod property is set to 1 year. Since Standalone CAs used as a root and Policy CAs it is common to extend issued certificate validity period to 5, 10 or 15 years. However this would uncommon to set OCSP Response Signing certificate validity period to 15 years. 1 to 5 year would be enough for this scenario. Now we capture current validity period for issued certificates:

certutil –getreg ca\validityperiodunits

And configure new ValidityPeriod value as shown:

certutil -setreg ca\ValidityPeriodUnits 5
net stop certsvc
net start certsvc

Note: don't forget to return this value to the original value after OCSP signing certificate issuance procedure.

We are ready to submit our request to CA. In the opened elevated Command Prompt window type:

certreq –submit path\ocsprequest.req

In the dialog box select required CA server (usually there will be only local CA) and press Ok. You will see request ID and a message that the request is pending. Now open CertSrv.msc MMC snap-in and expand Pending Requests node. Locate request with required ID, right-click on it and click All tasks –> Issue. Switch to Issued Certificates node, locate the last certificate, open it, switch to Details tab and click Copy to file. Export the certificate to a file and transfer the file back to OCSP server.

Confgure OCSP Responder

We need to install issued certificate to certificate store. In the elevated Command Prompt type:

certreq –accept path\ocspcert.cer

if you don't see any errors, open ocsp.msc MMC snap-in.

  1. In the console select
  2. In the
  3. In the
  4. In the
  5. In the
  6. In the
  7. In
  8. Expand
  9. Right-click on

When you setup revocation configuration for Enterprise CAs the wizard automatically retrieves CA CRL URLs, but when you create revocation configuration for Standalone CAs and CAs running Windows 2000/Server 2003 the wizard don't retrieves CA CRL URLs. This is because the wizard uses ICertAdmin2::GetCAProperty(CR_PROP_CERTCDPURLS). This property is not available in Windows 2000/Server 2003 and Standalone CAs usually are disconnected from the network and are not accessible via DCOM.

You should see a green icon for newly created revocation configuration. Now you can test your OCSP by using PKIView.msc, certutil.exe or other commercial (for example from Ascertia) tools.


Share this article:

Comments:


Post your comment:

Please, solve this little equation and enter result below. Captcha