Active Directory 2008: Certificate Services Online Responder Facts…

In addition to using CRLs to publish a list of revoked certificates, Windows Server 2008 includes the Online Certificate Status Protocol (OCSP) service. With OCSP, a server known as an Online Responder receives and answers requests from clients for the revocation status of individual certificates. A client retrieves certificate status information through the following process:

  1. When a client receives a new certificate, it checks the certificate for information about how to verify the certificate status. When OCSP is used, the CRL information normally included in the certificate is replaced with an HTTP URL for one or more online responders.
  2. The client submits a certificate status request to a listed online responder. The request is for the status of a single certificate. If multiple certificates need to be validated, the client submits multiple requests.
  3. The online responder checks the CRL from the issuing CA.
    • The IIS web proxy service is the service that accepts client requests. As necessary, this service communicates with the OCSP service running on the system.
    • If the online responder has a copy of the CRL in its cache, that CRL is used.
    • If the online responder does not have a copy of the CRL, one is downloaded from the CA.

Be aware that when using an online responder with Windows Server 2008, a CRL is still required. However, the CRL is cached and checked by the online responder, not by each client.

  4. The online responder replies with information about the certificate, indicating whether or not the certificate has been revoked.
    • Each certificate status response includes a digital signature that validates the certificate status response.
    • To sign the certificate status response, the online responder uses a certificate known as an OCSP Response Signing certificate.
    • The OCSP Response Signing certificate is issued by the CA, and authorizes the online responder to respond to queries about the status of certificates issued by that CA.
    • The online responder must obtain an OCSP Response Signing certificate from each CA for which it is authorized.

Using an online responder can reduce CRL processing by both the CA and client computers. CRL information is stored on a system that is dedicated to replying to status requests. In addition, network traffic to the client might be reduced because each client no longer downloads the entire CRL. However, network traffic could increase because the client must query the status of each certificate individually.
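The client side of the process above can be exercised from a workstation. The following PowerShell script is an added example, not code from the original page or from Microsoft: it reads the Authority Information Access (AIA) extension of an exported certificate to find the OCSP URL that the issuing CA placed there (the URL a client would contact), then runs certutil's chain and revocation check, which fetches the AIA, CDP and OCSP locations the certificate lists. It assumes a certificate file exported in .cer form; the path `C:\temp\issued.cer` is a placeholder.

```powershell
# Added example (not from the original page). Assumes a certificate file exported
# in .cer form; the path below is a placeholder.

function Get-OcspUrlsFromCertificate {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # The AIA extension carries OID 1.3.6.1.5.5.7.1.1. Inside it, each access
    # descriptor names a method: OCSP is 1.3.6.1.5.5.7.48.1, CA Issuers is 1.3.6.1.5.5.7.48.2.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return @() }   # no AIA at all: clients fall back to the CDP/CRL

    # Format($true) renders the extension as multi-line text, one descriptor per block,
    # e.g. "Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)"
    # followed by "URL=http://servername/ocsp".
    $urls  = @()
    $block = $null
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if     ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.1\)') { $block = 'ocsp' }
        elseif ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.2\)') { $block = 'caissuers' }
        if ($block -eq 'ocsp' -and $line -match '(https?://\S+)') { $urls += $Matches[1] }
    }
    # Certificates issued before the responder was configured return an empty list here;
    # for those, clients use the CRL instead.
    return $urls
}

function Test-CertificateRevocationStatus {
    param([Parameter(Mandatory)][string]$CertPath)

    # certutil -verify -urlfetch builds the chain and retrieves the URLs in the
    # certificate (AIA, CDP and OCSP), reporting which ones answered. A non-zero
    # exit code means the chain or the revocation check could not be validated.
    $output = certutil -verify -urlfetch $CertPath 2>&1
    $output | Select-String -Pattern 'OCSP|revocation' | ForEach-Object { $_.Line.Trim() }
    return ($LASTEXITCODE -eq 0)
}

# Usage (placeholder path):
$certFile = 'C:\temp\issued.cer'
$ocspUrls = Get-OcspUrlsFromCertificate -CertPath $certFile
if ($ocspUrls.Count -eq 0) {
    Write-Host "No OCSP URL in AIA; this certificate will be checked against the CRL."
} else {
    Write-Host "Responders listed (tried in order): $($ocspUrls -join ', ')"
}
$ok = Test-CertificateRevocationStatus -CertPath $certFile
Write-Host "Revocation check passed: $ok"
```

Because the responder answers one certificate per request, run the check per certificate; the first responder listed in the AIA is the one a client tries first, which matches the ordering behaviour described later on this page. For an interactive view of the same fetches, `certutil -URL <cert.cer>` opens the URL retrieval tool.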

Configuring the online responder requires the following process:

Process: Install the Online Responder role service
Description: To create an online responder, install Active Directory Certificate Services with the Online Responder role service.

  • The server must be running Windows Server 2008.
  • IIS is required and is added during the installation.
  • The Online Responder can be added to a server that is a CA. However, Microsoft recommends that you add the Online Responder role to a server that is not a CA.
Process: Configure the OCSP Response Signing certificate
Description: The OCSP Response Signing certificate is used by the online responder to sign the certificate status responses that it sends in reply to client queries.

If you are using an enterprise CA, duplicate the OCSP Response Signing certificate template.

  • Use a Windows 2008 (version 3) certificate template if possible. Use a Windows 2003 (version 2) template only if you need to configure the Online Responder to respond to queries for certificates issued by Windows Server 2003 CAs.
  • Grant the Read and Enroll permissions to the server that is the online responder. The Autoenroll permission should not be granted; it could interfere with proper functioning of the online responder.

You can also configure a certificate for use by a standalone CA.

Process: Configure each CA to issue the OCSP Response Signing template
Description: A single online responder can be configured to respond to certificate status requests for multiple CAs. Configure each CA to issue the OCSP Response Signing template. This allows the online responder to obtain an OCSP Response Signing certificate from each CA. This certificate will be used to sign the responses to queries about certificates issued by that CA.
Process: Configure each CA to include the online responder
Description: Each CA that will use an online responder must be configured to include the online responder information in the certificates that it issues.

  • On each CA, edit the extensions list and add an HTTP URL to the Authority Information Access (AIA) extension list.
  • Use the format: http://servername/ocsp
  • After adding the entry to the list, select the following option: Include in the online certificate status protocol (OCSP) extension.
  • If the CA is a Windows Server 2003 server, you must also run a special certutil command to enable the server to recognize the OCSP extension.

Note: Configuring a CA to use an online responder does not eliminate the need to configure CRL information, including specifying CRL distribution points. The CDP list is used by the online responder to locate CRLs.
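The AIA change and the CDP note above can be applied and checked from the CA's command line instead of the Certification Authority console. The following PowerShell script is an added example, not code from the original page: it uses certutil's registry settings for the CA. The responder name `ocsp01.corp.example.com` is a placeholder in the page's `http://servername/ocsp` format, the three default publication entries are the usual ones on an enterprise CA and should be replaced by whatever `-getreg` shows on your CA, and the Windows Server 2003 certutil line is my understanding of the documented command the page refers to (assumed; confirm against the CA documentation before running it).

```powershell
# Added example (not from the original page). Run on the CA as a CA administrator.
$ResponderUrl = 'http://ocsp01.corp.example.com/ocsp'   # placeholder; page format: http://servername/ocsp

# 1. Record the current AIA / CA certificate publication list so it can be restored.
certutil -getreg CA\CACertPublicationURLs

# 2. Each CACertPublicationURLs entry is "<flags>:<url>". Flag values (decimal):
#      1  = publish the CA certificate to this location
#      2  = include in the AIA extension of issued certificates
#      32 = include in the online certificate status protocol (OCSP) extension
#    The responder entry uses 32 only: it is an OCSP access location, not a place the
#    CA certificate is published. The first three entries are typical defaults (assumed);
#    replace them with the entries from step 1. certutil treats a literal "\n" as the
#    separator for multi-string values, so the list is joined with single-quoted '\n'.
$urls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '2:http://%1/CertEnroll/%1_%3%4.crt',
    "32:$ResponderUrl"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $urls

# 3. Windows Server 2003 CAs only (assumed to be the command the page mentions):
#    allow the OCSP "no revocation checking" extension (OID 1.3.6.1.5.5.7.48.1.5)
#    in requests, so the CA can issue OCSP Response Signing certificates.
$isWin2003 = [Environment]::OSVersion.Version.Major -lt 6
if ($isWin2003) {
    certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5
}

# 4. The CRL distribution points must still be configured: the online responder
#    uses the CDP list to locate the CRLs it caches. Confirm they are present.
certutil -getreg CA\CRLPublicationURLs

# 5. Registry changes to the CA take effect after the service restarts.
Restart-Service CertSvc

# 6. Verify that the responder entry is now part of the list.
(certutil -getreg CA\CACertPublicationURLs) | Select-String -SimpleMatch '32:'
```

Certificates issued after the restart carry the responder URL in their AIA; certificates issued earlier do not, and clients validating those will continue to use the CRL, which is why the page recommends configuring the responder before the CA starts issuing certificates to users and computers.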

Process: Configure revocation configurations on the online responder
Description: A Revocation Configuration is a configuration entry on the online responder. The Revocation Configuration contains:

  • The certificate for a CA.
  • The OCSP Response Signing certificate obtained from that CA.
  • Revocation provider information. A revocation provider is a method for obtaining information about revoked certificates. Windows Server 2008 supports only a CRL-based revocation provider. The revocation provider configuration identifies the location of CRL distribution points from which the CRL for the CA can be obtained.

Use the Online Responder Management console to create Revocation Configurations.

Be aware of the following when configuring the online responder:

  • You should configure the online responder before configuring a CA to issue certificates for users or computers. This is because the online responder information is included in the issued certificates. If you configure an online responder after a certificate has been issued, hosts will use the CRL instead of the online responder to validate those certificates.
  • You can configure one online responder for multiple CAs. This means that clients can consult a single responder to get the status for certificates from multiple CAs.
  • To configure similar revocation provider information for multiple online responders, create a responder array. The array is a logical grouping of online responders, each with a common set of configuration values.
    • One online responder is designated as the array controller (the master responder). Other responders are designated as array members.
    • Revocation Configuration information in the controller is replicated (copied) to array members.
  • The following table describes additional features you can configure for the Revocation Configuration on an online responder.
    Feature: Nonce/no-nonce request support
    Description: Nonce stands for a number used once. Generally, it is a random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. Windows Server 2008 Online Responder supports configuration options for nonce and no-nonce requests to prevent replay attacks of Online Responder responses.

    Feature: Advanced cryptography
    Description: An Online Responder can be configured to use elliptic curve cryptography (ECC) and SHA-256 cryptography for cryptographic operations.

    Feature: Kerberos protocol integration
    Description: Online Responder requests and responses can be processed along with Kerberos password authentication for prompt validation of server certificates at logon.
  • You can configure a single CA with multiple online responders.
    • If you add multiple online responders to the AIA extensions for a CA, clients will attempt to use the first online responder in the list for status queries. Additional responders in the list are used only if the first responder fails to answer.
    • To provide load balancing across multiple online responders, use one of the following configurations:
      • Use clustering software such as Network Load Balancing (NLB) to create a cluster with multiple servers. Clients submit requests to the cluster. The cluster software distributes requests among cluster members.
      • Configure an ISA reverse proxy to create a server farm of online responders. The server farm identifies each online responder, and automatically distributes incoming requests to the various online responders. When using this configuration, create an online responder array to replicate the Revocation Configuration between online responders.
    • Simply creating an online responder array does not guarantee load balancing; it only provides a way to manage multiple online responders, all with identical settings.
