This small HowTo covers the configuration of OCSP (Online Certificate Status Protocol), i.e. the "Online Responder" role, on Windows Server 2022.
OCSP (Online Certificate Status Protocol) is a protocol used within a PKI to check the status of certificates in real time. Instead of searching long certificate revocation lists (CRLs) for a certificate, an OCSP client queries the current status of a single certificate directly from the certification authority's online responder. OCSP-compatible software (often VPN clients) therefore no longer needs to download the CRL but can check the status of the certificate directly. Revoked certificates thus become known more quickly, and connections using them are rejected.
Installing the Online Responder (OCSP) role
The Online Responder (OCSP) role can be installed via Server Manager. In my small test environment I only have one domain controller, which is also configured as a certification authority. In production environments you would of course not do this, but install separate servers for the CA and for OCSP. In this simple example, however, one server has to do everything:
The role can be configured directly after installation:
In the configuration wizard, you only need to click on "Next" a few times, as there is no further configuration to do here:
Only the "Online responder" role needs to be selected in the wizard:
Click on "Configure" to complete the installation of the role:
You can now continue with the configuration of the certification authority.
Certification authority configuration
In a multi-level PKI, this configuration would be carried out on the Issuing CA, i.e. the CA that issues the certificates for servers and computers. As only the Root CA exists in my test environment, I carry out the configuration on my Root CA, which is therefore also my Issuing CA.
First, the OCSP URL is entered in the "Authority Information Access (AIA)" configuration of the CA. A DNS alias can be used here, which makes a later migration easier. I have decided on the alias "ca.frankysweblab.de", so I enter "http://ca.frankysweblab.de/ocsp" as the URL (the Online Responder role has created the virtual directory /ocsp in IIS):
Important: The OCSP URL uses http as the protocol, not https. With https, a client would first have to check the revocation status of the responder's own TLS certificate before it could reach the responder, which is a circular dependency; the OCSP responses are protected by the responder's signature instead.
In the next step, the checkbox "Include in the online certificate status protocol (OCSP) extension" is activated for the added URL:
As I have decided on a DNS alias (ca.frankysweblab.de), this alias still needs to be created in DNS. In my case the alias points to the DC, as I have installed the OCSP role on the DC as described above (please do not do this in production):
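The CA-side steps above (AIA URL with the OCSP flag, DNS alias, CA service restart) can also be scripted. This is an added example, not code from the original post; it assumes the ADCSAdministration and DnsServer modules are available on the CA/DC and uses DC01.frankysweblab.de as a placeholder for the host that runs the Online Responder.

```powershell
# Added example: script the AIA/OCSP configuration of the CA and the DNS alias.
# Assumptions: run on the CA (here also the DC), zone frankysweblab.de,
# alias target DC01.frankysweblab.de (placeholder for the Online Responder host).
Import-Module ADCSAdministration
Import-Module DnsServer

$OcspUrl     = 'http://ca.frankysweblab.de/ocsp'   # http, not https (see note above)
$ZoneName    = 'frankysweblab.de'
$AliasName   = 'ca'
$AliasTarget = 'DC01.frankysweblab.de'             # placeholder: host running the Online Responder

# 1) Add the OCSP URL to the AIA configuration and flag it as an OCSP entry.
#    -AddToCertificateOcsp is the scripted equivalent of ticking
#    "Include in the online certificate status protocol (OCSP) extension".
$already = Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $OcspUrl }
if (-not $already) {
    Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
}

# 2) Create the DNS alias the URL points to, if it does not exist yet.
$cname = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $AliasName -RRType CName -ErrorAction SilentlyContinue
if (-not $cname) {
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $AliasName -HostNameAlias $AliasTarget
}

# 3) Restart the CA service so the new AIA entry is written into subsequently issued certificates.
Restart-Service -Name CertSvc

# 4) Check the result: the OCSP URL must show AddToCertificateOcsp = True,
#    and the alias must resolve.
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp -AutoSize
Resolve-DnsName -Name "$AliasName.$ZoneName" -Type CNAME
```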
Next, a certificate template is required.
OCSP certificate template configuration
So that the OCSP service can be configured in the next step, a new certificate template is required for signing the OCSP responses:
The existing "OCSP Response Signing" template can be used as the basis for this. Only the computer account of the OCSP server needs to be added with "Read" and "Enroll" permissions in the template's security settings:
No further changes need to be made to the template. The new template can now be added to the templates to be issued:
The previously customized template is now selected as the template to be issued:
The only thing missing now is the configuration of the OCSP role.
OCSP service configuration
Now that all requirements have been met, all that remains is to configure the Online Responder role. This is done in its MMC snap-in, where a new "Revocation Configuration" is added:
The name of the revocation configuration should correspond to the CA or at least contain the name:
In the next step, the option "Select a certificate for an Existing enterprise CA" is selected:
Here you select the CA for which the "Revocation Configuration" is responsible; in my case there is only my single CA. For a multi-level PKI, select the Issuing CA here. If there are several Issuing CAs, several revocation configurations can be created:
The wizard now asks for the response signing certificate. As a certificate template has already been created, it can be used now:
In the last step, the intervals at which the OCSP service refreshes the revocation lists can be adjusted under the "Provider" setting. A short interval makes sense here, because the responder answers from the CRL it has cached and only learns about newly revoked certificates at the next refresh; the shorter the interval, the sooner a revocation is reported to clients:
The configuration is now complete.
Test
As the configuration of the certification authority has been changed (Online Responder URL in the AIA configuration), the Online Responder configuration only applies to newly issued certificates. Newly issued certificates contain the OCSP URL in their AIA extension; certificates issued before the change remain unaffected.
To test the Online Responder configuration, the MMC snap-in provides initial information: the signing certificate should have the status OK. If this is not the case, check the certificate template section again, especially the permissions:
The OCSP status of a newly issued certificate can be checked with certutil:
certutil -URL test.cer
"Verified" should be returned here as the status of the certificate:
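The same test can be done without the certutil GUI: read the AIA extension of the newly issued certificate, confirm it carries the OCSP URL, and let Windows build the chain with online revocation checking, which uses the advertised OCSP responder. This is an added example, not code from the original post; it assumes test.cer is in the current directory and the responder URL is http://ca.frankysweblab.de/ocsp.

```powershell
# Added example: verify the OCSP URL in a newly issued certificate and test
# revocation checking against the Online Responder. Assumptions: test.cer in
# the current directory, responder URL http://ca.frankysweblab.de/ocsp.
$ExpectedOcspUrl = 'http://ca.frankysweblab.de/ocsp'
$certPath = (Resolve-Path '.\test.cer').Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# 1) Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1).
#    Certificates issued before the CA change have no OCSP entry here.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { throw 'No AIA extension: the certificate was probably issued before the CA change.' }
$aiaText = $aia.Format($true)
Write-Host $aiaText
if ($aiaText -notmatch [regex]::Escape($ExpectedOcspUrl)) {
    throw "AIA extension does not contain the OCSP URL $ExpectedOcspUrl"
}

# 2) Build the chain with online revocation checking. The self-signed root is
#    excluded because its status cannot be queried via OCSP anyway.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$ok = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { Write-Host ("{0}: {1}" -f $s.Status, $s.StatusInformation) }
if ($ok) { Write-Host 'Chain OK, revocation status verified' }
else     { Write-Host 'Chain build failed; RevocationStatusUnknown usually means the responder was not reachable' }

# 3) Cross-check with certutil on the command line; the OCSP URL should be
#    listed and reported as "Verified", a revoked test certificate as "Revoked".
certutil -verify -urlfetch $certPath | Select-String 'OCSP|Verified|Revoked'
```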