2. Finalizing the Configuration of an Online Responder
If you decided to use online responders, you need to finalize
their configuration. You can link online responders to create an array
of systems that provides high availability for the service. An array
can be as simple as two CAs acting as ORs, or it can include many more
servers.
To finalize the configuration of an online responder, you must
configure and install an OCSP Response Signing certificate and configure an
Authority Information Access (AIA) extension to support
it. After this is done, you must assign the template to a CA and then
enroll the system to obtain the certificate. Use the following
procedure to configure the OCSP Response Signing certificate.
1. Log on to an issuing CA server, using a domain account with local administrative access rights.
2. In Server Manager, expand Roles\Active Directory Certificate Services and select Certificate Templates (servername).
3. Right-click the OCSP Response Signing template and click Duplicate Template.
4. Select a Windows Server 2008 Enterprise template and click OK.
5. Type a valid name for the new template, such as OCSP Response Signing WS08.
6. Select the Publish Certificate In Active Directory check box.
7. On the Security tab, under Group Or User Names, click Add, click Object Types to enable the Computer object type, and click OK.
8. Type the server name, and then click Check Names or browse to find the computer that hosts the online responder. Click OK.
9. Click the computer name and then, in the Permissions section of the dialog box, select the Read, Enroll, and Autoenroll permissions in the Allow column.
10. Click OK to create the duplicate template.
Your certificate template is ready. Now you must configure the
AIA extension to support the OR.
Warning: IMPORTANT: Assigning Access Rights
Normally, you should assign access rights to groups and not to individual objects in an AD DS directory. Because you will have several ORs, using a group makes sense. Ideally, you should create a group in AD DS, name it appropriately (for example, Online Responders), and add the computer accounts of each OR to this group. After you do that, you assign the access rights of the OCSP Response Signing template to the group instead of to the individual systems. This way, you have to assign these access rights only once.
1. Log on to an issuing CA, using a domain account with local administrative credentials.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Issuing CA servername.
4. Right-click the issuing CA server in the tree pane and click Properties.
5. On the Extensions tab, click the Select Extension drop-down list, and then choose Authority Information Access (AIA).
6. Specify the locations to obtain certificate revocation data. In this case, select the location beginning with http://.
7. Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes.
8. Click OK to apply the changes. Note that you must stop and restart the AD CS service because of the change. Click Yes in the Certification Authority dialog box to do so.
9. Move to the Certificate Templates node under the issuing CA name in the tree pane, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.
10. In the Enable Certificate Templates dialog box, select the new OCSP Response Signing template that you created earlier and click OK. The new template should appear in the details pane.
11. You now need to verify that the OCSP certificate has been assigned to the server. You do so with the Certificates snap-in. By default, this snap-in is not in a console, so you must create a new console to use it. Open the Start menu, type mmc in the search box, and press Enter.
12. In the MMC, click Add/Remove Snap-in on the File menu to open the Add Or Remove Snap-ins dialog box.
13. Select the Certificates snap-in and click Add.
14. Select Computer Account and click Next.
15. Select Local Computer and click Finish.
16. Click OK to close the Add Or Remove Snap-ins dialog box.
17. On the File menu, click Save to save the console and place it in your Documents folder. Name the console Computer Certificates and click Save.
18. Expand Certificates\Personal and select Certificates.
19. Right-click Certificates under Personal, point to All Tasks, and then click Request New Certificate.
20. On the Certificate Enrollment page, make sure the Active Directory Enrollment Policy is selected and click Next.
21. Select the new OCSP certificate and click Enroll.
22. On the next page, click the down arrow to the right of Details, and then click View Certificate. Browse through the tabs to view the certificate details. Note the certificate name. Click OK.
23. Click Finish to complete this part of the operation.
24. Right-click the new certificate, point to All Tasks, and then click Manage Private Keys.
25. On the Security tab, under Group Or User Names, click Add.
26. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Locations and select the local server name. Click OK.
27. Type Network Service and click Check Names.
28. Click Network Service, and then, in the Permissions section of the dialog box, make sure the Allow::Full Control permission is selected. Click OK to close the dialog box.
Your OR is ready to provide certificate validation information.
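The following PowerShell script is an added example and is not part of the training kit. It checks, from the command line, the three things the procedure above configures through the GUI: that the duplicated OCSP template is on the CA's issue list, that the CA's AIA publication list carries an entry flagged for the OCSP extension, and that a certificate with the OCSP Signing EKU (and its private key) is present in the machine's Personal store. It assumes an elevated session on the issuing CA that also hosts the online responder; the registry path and flag bits are those documented for AD CS, and the output shape of certutil -CATemplates is the tool's own.

```powershell
# Added example, not part of the training kit: verification of the OCSP signing
# setup described above. Assumptions: run in an elevated PowerShell session on the
# issuing CA that also hosts the online responder, with AD CS installed.
Set-StrictMode -Version 2

# 1. Which templates is this CA configured to issue? The duplicated OCSP template
#    should appear here after "Certificate Template To Issue".
Write-Host '--- Templates issued by this CA containing "OCSP" ---'
certutil -CATemplates | Select-String -Pattern 'OCSP'

# 2. AIA publication list: CACertPublicationURLs is a REG_MULTI_SZ of "<flags>:<url>".
#    Flag bits: 2 = include in the AIA extension of issued certificates,
#    32 = include in the OCSP extension (CSURL_ADDTOCERTCDP / CSURL_ADDTOCERTOCSP).
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$urls      = (Get-ItemProperty -Path (Join-Path $configKey $caName) -Name CACertPublicationURLs).CACertPublicationURLs

$ocspUrls = foreach ($entry in $urls) {
    $flagText, $url = $entry -split ':', 2
    $flags = [int]$flagText
    if (($flags -band 32) -ne 0) {
        [pscustomobject]@{
            Url    = $url
            InAia  = (($flags -band 2) -ne 0)
            IsHttp = $url.StartsWith('http://', [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}
Write-Host "--- AIA entries on CA '$caName' flagged for the OCSP extension ---"
if (-not $ocspUrls) {
    Write-Warning 'No AIA entry is flagged for the OCSP extension; clients will not find the OR.'
} else {
    $ocspUrls | Format-Table -AutoSize
}

# 3. The enrolled OCSP Response Signing certificate in the machine's Personal store.
#    EKU OID 1.3.6.1.5.5.7.3.9 = OCSP Signing (id-kp-OCSPSigning).
$ocspSigningOid = '1.3.6.1.5.5.7.3.9'
$signingCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ocspSigningOid })
}
Write-Host '--- OCSP Response Signing certificates in Cert:\LocalMachine\My ---'
if (-not $signingCerts) {
    Write-Warning 'No certificate with the OCSP Signing EKU was found; enrollment did not succeed.'
} else {
    $signingCerts | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint | Format-List
    $signingCerts | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) has no private key; the OR cannot sign with it."
    }
}
```

Run the script after the AD CS service restart in step 8, because the CA reads CACertPublicationURLs only at start-up; an entry whose InAia column is False means newly issued certificates will not point clients at the responder even though the OR itself is configured.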
Note: MORE INFO: Online Responder
For more information on the OR service, go to http://technet2.microsoft.com/windowsserver2008/en/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f1033.mspx?mfr=true.
You’ll note that the Online Responder node in Server Manager
also includes an Array Configuration node. When you add other ORs, you
can add them to this array configuration to provide high availability
of the OR service. Complex environments using multitiered hierarchies
have large OR arrays to ensure that all their users and devices can
easily validate their certificates.
2.1. Adding a Revocation Configuration for an Online Responder
When the OR is ready, add a revocation configuration. Because
each CA that is an OR in an array includes its own certificate, each
also requires a revocation configuration. The revocation
configuration serves requests for specific CA key pairs and
certificates. In addition, you need to update the revocation
configuration for a CA each time you renew its key pair. To create a
Revocation Configuration, perform the following steps:
1. Log on to an issuing CA, using a domain account that has local administrative rights.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Online Responder and select Revocation Configuration.
4. Right-click Revocation Configuration and click Add Revocation Configuration.
5. On the Welcome page, click Next.
6. On the Name The Revocation Configuration page, assign a valid name. Because each revocation configuration is tied to a particular CA, it makes sense to include the CA's name in the name of the configuration, for example, RCSERVER04.
7. On the Select CA Certificate Location page, identify the location from which the certificate can be loaded. You can choose from Active Directory, a local certificate store, or a file. Choose Select A Certificate For An Existing Enterprise CA and click Next.
8. Now, the OR must validate that the issuer of the certificate, in this case the root CA, has a valid certificate. Two choices are possible: in Active Directory or by computer name. Because your root CA is offline, choose Browse CA Certificates Published In Active Directory and click Browse. Locate the root CA and click OK.
9. After the certificate is selected, the wizard loads the Online Responder signing templates. Click Next.
10. On the Select Signing Certificate page, you must select a signing method because the OR signs each response to clients before it sends it. Three choices are available:
   - Automatic selection loads a certificate from the OCSP template you created earlier.
   - Manually, you can choose the certificate to use.
   - CA Certificate uses the certificate from the CA itself.
   Choose Automatically Select A Signing Certificate and select Auto-Enroll For An OCSP Signing Certificate.
11. Browse for a CA and select the issuing CA. Click OK. This should automatically select the certificate template you prepared earlier. Click Next.
12. The wizard initializes the revocation provider. If for some reason it cannot find it, you must add the provider manually, as described in the next steps.
13. Click Provider, and then click Add under Base CRLs. For example, you could use the following HTTP address: http://localhost/ca.crl. Click OK.
14. Repeat the preceding step for the Delta CRLs using the same HTTP address, and click OK. However, because you are obtaining the certificate from Active Directory, the listed provider is an address in ldap:// format and should be provided automatically by the wizard. AD CS relies on Lightweight Directory Access Protocol (LDAP) to obtain information from the AD DS directory store.
15. Click Finish to complete the revocation configuration.
You should now have a new revocation configuration listed in
the details pane. Repeat this procedure for each CA that is an
OR.
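The following PowerShell script is an added example and is not the training kit's own. It lists the revocation configurations an online responder holds, so you can confirm that one exists per CA with a working signing certificate and the expected CRL provider URLs, and then asks the responder for a real answer by building an online-revocation chain for a certificate issued by one of those CAs. It uses the OcspAdmin COM interface (ProgID CertAdm.OcspAdmin, installed with the AD CS management tools). Assumptions: it runs with administrative rights on the OR, the certificate file path is a placeholder you replace with a certificate exported from a client of the issuing CA, and each ProviderProperties entry is taken to be a two-element (name, value) array.

```powershell
# Added example, not part of the training kit: reads the revocation configurations
# of an online responder through the OcspAdmin COM interface and then exercises the
# responder with an online revocation check of a certificate issued by one of the CAs.
# Assumptions: administrative rights on the OR; $CertFile is a placeholder path;
# the (name, value) pair layout of each ProviderProperties entry is assumed.
param(
    [string] $OnlineResponder = $env:COMPUTERNAME,
    [string] $CertFile = 'C:\Temp\issued-client.cer'   # placeholder, replace with a real file
)
$x509 = 'System.Security.Cryptography.X509Certificates'

$admin = New-Object -ComObject CertAdm.OcspAdmin
$admin.GetConfiguration($OnlineResponder, $true)   # $true = read from the server, not the cache

foreach ($cfg in $admin.OCSPCAConfigurationCollection) {
    # CACertificate is returned as a byte array holding the DER-encoded CA certificate.
    $caCert = New-Object "$x509.X509Certificate2" -ArgumentList (,[byte[]]$cfg.CACertificate)

    # Assumed layout: each ProviderProperties element is an array of (name, value).
    # BaseCrlUrls / DeltaCrlUrls are the property names of the default CRL-based provider.
    $props = @{}
    foreach ($pair in $cfg.ProviderProperties) {
        if ($pair -is [array] -and $pair.Count -ge 2) { $props[[string]$pair[0]] = $pair[1] }
    }

    [pscustomobject]@{
        Name            = $cfg.Identifier
        CA              = $caCert.Subject
        CAConfig        = $cfg.CAConfig
        SigningTemplate = $cfg.SigningCertificateTemplate
        HasSigningCert  = ($null -ne $cfg.SigningCertificate)
        LastErrorCode   = ('0x{0:X8}' -f $cfg.ErrorCode)   # 0 = signing certificate obtained OK
        BaseCrlUrls     = (@($props['BaseCrlUrls'])  -join ' ')
        DeltaCrlUrls    = (@($props['DeltaCrlUrls']) -join ' ')
    } | Format-List
}

# Exercise the responder: an online chain build consults the OCSP URL from the
# leaf's AIA extension before falling back to the CRL distribution points.
if (-not (Test-Path $CertFile)) {
    Write-Warning "Certificate file '$CertFile' not found; skipping the online revocation check."
    return
}
$leaf  = New-Object "$x509.X509Certificate2" -ArgumentList $CertFile
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$built = $chain.Build($leaf)
Write-Host ("Online chain build for '{0}': {1}" -f $leaf.Subject, $built)
foreach ($s in $chain.ChainStatus) {
    Write-Host ('  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
}
```

A non-zero LastErrorCode on a configuration means the responder could not obtain its signing certificate, which is the usual cause of a RevocationStatusUnknown or OfflineRevocation status in the chain output; to see which AIA and OCSP URLs the client-side check actually contacted, run certutil -verify -urlfetch against the same certificate file.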