In addition to using CRLs for publishing a list of revoked certificates, Windows Server 2008 includes the Online Certificate Status Protocol (OCSP) service. With OCSP, a server known as an Online Responder receives and responds to requests from clients for information about the status of revoked certificates. The following process is used by a client to retrieve the certificate status information:
- When a client receives a new certificate, it checks the certificate for information about how to verify the certificate status. When OCSP is used, the CRL information normally included in the certificate is replaced with an HTTP URL for one or more online responders.
- The client submits a certificate status request to a listed online responder. Each request covers a single certificate; if multiple certificates need to be validated, the client submits multiple requests.
- The online responder checks the CRL from the issuing CA.
  - The IIS web proxy service accepts the client requests and, as necessary, passes them to the OCSP service running on the same system.
  - If the online responder has a copy of the CRL in its cache, that CRL is used.
  - If the online responder does not have a copy of the CRL, one is downloaded from the CA.
  Be aware that when using an online responder with Windows Server 2008, a CRL is still required. However, the CRL is cached and checked by the online responder, not by each client.
- The online responder replies with information about the certificate, indicating whether or not the certificate has been revoked.
  - Each certificate status response carries a digital signature that validates the response.
  - To sign the certificate status response, the online responder uses a certificate known as an OCSP Response Signing certificate.
  - The OCSP Response Signing certificate is issued by the CA and authorizes the online responder to respond to queries about the status of certificates issued by that CA.
  - The online responder must obtain an OCSP Response Signing certificate from each CA for which it is authorized.
Using an online responder can reduce CRL processing by both the CA and client computers. CRL information is stored on a system that is dedicated to replying to status requests. In addition, network traffic to the client might be reduced because the entire CRL is no longer downloaded by each client. However, network traffic could also increase, because the client must query the status of each certificate individually.
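The client-side lookup described above, as an added example (not code from the original page): a PowerShell check of whether a certificate's AIA extension names an online responder at all, followed by certutil's own URL retrieval to see whether the responder, CDP and AIA locations actually answer. The certificate path is an assumed placeholder.

```powershell
# Added example, not from the original page. Shows how a given certificate will
# be validated: does its AIA extension list an online responder, and do the
# revocation URLs resolve when fetched the way a client fetches them?
param([string]$CertPath = 'C:\temp\issued.cer')   # placeholder path (assumption)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Authority Information Access is OID 1.3.6.1.5.5.7.1.1; within it, the OCSP
# access method is identified by OID 1.3.6.1.5.5.7.48.1.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) {
    Write-Warning 'No AIA extension: clients will fall back to the CRL named in the CDP extension.'
} else {
    $text = $aia.Format($true)
    if ($text -match '1\.3\.6\.1\.5\.5\.7\.48\.1') {
        Write-Host 'AIA lists an online responder; clients will query it before using the CRL.'
    } else {
        Write-Warning 'AIA has no OCSP entry; this certificate was likely issued before the responder was configured, so clients will use the CRL.'
    }
    $text
}

# Exercise the chain the way a client does: certutil downloads every AIA, CDP
# and OCSP URL in the chain and reports the result of each, so a responder that
# is unreachable or signing with an unauthorized certificate shows up here.
certutil -verify -urlfetch $CertPath | Select-String -Pattern 'OCSP|CRL|Revocation|Revoked'
```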
Configuring the online responder requires the following process:
| Step | Description |
|---|---|
| Install the Online Responder role service | To create an online responder, install Active Directory Certificate Services with the Online Responder role service. |
| Configure the OCSP Response Signing certificate | The OCSP Response Signing certificate is used by the online responder to sign the certificate status responses that it sends in reply to client queries. If you are using an enterprise CA, duplicate the OCSP Response Signing certificate template. You can also configure a certificate for use by a standalone CA. |
| Configure each CA to issue the OCSP Response Signing template | A single online responder can be configured to respond to certificate status requests for multiple CAs. Configure each CA to issue the OCSP Response Signing template. This allows the online responder to obtain an OCSP Response Signing certificate from each CA. This certificate is used to sign the responses to queries about certificates issued by that CA. |
| Configure each CA to include the online responder | Each CA that will use an online responder must be configured to include the online responder information in the certificates that it issues. Note: Configuring a CA to use an online responder does not eliminate the need to configure CRL information, including specifying CRL distribution points. The CDP list is used by the online responder to locate CRLs. |
| Configure revocation configurations on the online responder | A Revocation Configuration is a configuration entry on the online responder. The Revocation Configuration contains: Use the Online Responder Management console to create Revocation Configurations. |
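The two CA-side steps in the table above (issue the OCSP Response Signing template, include the online responder in issued certificates), as an added example and not the page's own procedure: the certutil equivalents, run from an elevated prompt on the CA. The responder URL is a placeholder assumption, and the example issues the built-in template rather than a duplicate.

```powershell
# Added example, not from the original page: prepares an enterprise CA for an
# online responder. Run on the CA itself with administrative rights.
$OcspUrl = 'http://ocsp.example.com/ocsp'   # placeholder responder URL (assumption)

# Add the responder to the CA's AIA publication list. Flag 32 is the registry
# form of "Include in the online certificate status protocol (OCSP) extension";
# the leading "+" appends to the existing REG_MULTI_SZ instead of replacing the
# other AIA entries, which the CA still needs.
certutil -setreg CA\CACertPublicationURLs "+32:$OcspUrl"

# Allow this CA to issue the OCSP Response Signing template, so the responder
# can enrol for the certificate it uses to sign status responses for this CA.
# If you duplicated the template, use the duplicate's template name here instead.
certutil -SetCATemplates +OCSPResponseSigning

# Certificate Services reads the publication URLs at start-up.
Restart-Service certsvc

# Verify: the AIA list should now contain a "32:" entry for the responder, and
# the CA's issued-template list should include the signing template. Only
# certificates issued from now on carry the responder URL; certificates issued
# earlier still point clients at the CRL.
certutil -getreg CA\CACertPublicationURLs | Select-String -Pattern '32:http'
certutil -CATemplates | Select-String -Pattern 'OCSPResponseSigning'
```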
Be aware of the following when configuring the online responder:
- You should configure the online responder before configuring a CA to issue certificates for users or computers. This is because the online responder information is included in the issued certificates. If you configure an online responder after a certificate has been issued, hosts will use the CRL instead of the online responder to validate those certificates.
- You can configure one online responder for multiple CAs. This means that clients can consult a single responder to get the status for certificates from multiple CAs.
- To configure similar revocation provider information for multiple online responders, create a responder array. The array is a logical grouping of online responders, each with a common set of configuration values.
  - One online responder is designated as the array controller (the master responder). Other responders are designated as array members.
  - Revocation Configuration information in the controller is replicated (copied) to array members.
- The following table describes additional features you can configure for the Revocation Configuration on an online responder.

| Feature | Description |
|---|---|
| Nonce/no-nonce request support | Nonce stands for "number used once". Generally, it is a random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. The Windows Server 2008 Online Responder supports configuration options for nonce and no-nonce requests to prevent replay of Online Responder responses. |
| Advanced cryptography | An Online Responder can be configured to use elliptic curve cryptography (ECC) and SHA-256 for cryptographic operations. |
| Kerberos protocol integration | Online Responder requests and responses can be processed along with Kerberos password authentication for prompt validation of server certificates at logon. |
- You can configure a single CA with multiple online responders.
- If you add multiple online responders to the AIA extensions for a CA, clients will attempt to use the first online responder in the list for status queries. Additional responders in the list are used only if the first responder fails to answer.
- To provide load balancing across multiple online responders, use one of the following configurations:
  - Use clustering software such as Network Load Balancing (NLB) to create a cluster with multiple servers. Clients submit requests to the cluster, and the cluster software distributes requests among cluster members.
  - Configure an ISA reverse proxy to create a server farm of online responders. The server farm identifies each online responder and automatically distributes incoming requests among them. When using this configuration, create an online responder array to replicate the Revocation Configuration between online responders.
  - Simply creating an online responder array does not guarantee load balancing; it only provides a way to manage multiple online responders, all with identical settings.