Integration with KeySecure
This chapter outlines the steps to install and integrate OCSP with KeySecure.
Prepare for Integration
It is recommended that you are familiar with Microsoft OCSP and the respective setup process. Refer to the Microsoft OCSP documentation for more information and installation prerequisites.
Set up Enterprise Root Certificate Authority
An enterprise root CA is used to issue certificates to the Online Responder service, client computers, and publish certificate information to the Active Directory Domain Services (AD DS).
Log on to OCSPCA as a Domain Administrator.
From the Start menu, select Control Panel > Administrative Tools > Server Manager.
On the Roles Summary screen, click Add Roles.
On the Welcome screen, click Next.
On the Select Server Roles window, select Active Directory Certificate Services, and click Next twice.
Select the Certification Authority and Certification Authority Web Enrollment.
For more details on setup, refer to the AD CS setup guide.
Install the Online Responder Service
Log on to OCSPSERV as a domain administrator.
From the Start menu, select Control Panel > Administrative Tools > Server Manager.
Expand the Roles section and click Active Directory Certificate Services.
At the bottom right-hand section, click Add Role Services.
From the Select Role Services section, select Online Responder. A pop-up is displayed asking you to install IIS 7.
Click Add Required Role Services and when the pop-up disappears, click Next twice.
In the Select Role Services window for Web Server (IIS), accept the default values and click Next.
In the Confirm Installation Selections window, check that everything is correct and click Install.
Once the set-up is complete, check that there are no errors, and click Close.
Configure CA to Issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates and issuing properties for OCSP Response Signing certificates. There are also other steps to be completed on the CA so that it can support the Online Responder and issuing a certificate.
Configuring certificate templates for your environment
Log on to OCSPCA as a domain administrator.
Go to Start > Run.
In the Run dialog box, type mmc and click OK.
In the mmc console that appears, select File > Add/Remove Snap-in.
In the Add or Remove Snap-Ins dialog box, select the Certificate Templates snap-in under the Available snap-ins section.
Click Add, and then click OK.
Under Console Root expand Certificate Templates snap-in. All the available certificate templates that you can issue with your CA are listed in the middle section.
Scroll down the list until you locate the OCSP Response Signing template. Right-click the OCSP Response Signing template and click Properties.
In the Properties window, click the General tab.
Select Publish Certificate in Active Directory check box.
Set the Validity Period and Renewal Period.
Go to Security tab and click Add.
In the Select User, Computers, or Groups dialog, click on object Types and select Computers from the options, and click OK. Further, specify the name of computer hosting online responder service.
In the Permissions area, ensure that Read, Enroll, and Autoenroll check boxes are selected.
For Domain Admins and Enterprise Admins, ensure that the Read, Write, Enroll, and Autoenroll check boxes are selected.
Click Apply and then OK.
Click on the Cryptography tab and select Requests must use one of the following providers radio button.
Under providers section, select CipherTrust Application Data Protection Key Storage Provider.
Click Apply and then OK.
Configuring the CA to Support the Online Responder Service
Log on to OCSPCA as a domain administrator.
Go to Control Panel > Administrative Tools > Certification Authority.
In the console tree on the left, click on the CA.
Navigate to the Action menu and click Properties.
Under Security tab, click Add.
In the Select User, Computers, or Groups dialog, type the name of the machine which is hosting the Online Responder service, and click OK.
In the Permissions area, ensure that the Request Certificate check box is selected.
For Domain Admins, Enterprise Admins, and Administrators, make sure that Issue and Manage Certificate, Manage CA, and Request Certificate check boxes are selected.
Under Extensions tab:
select the Authority Information Access (AIA) from the Select extension drop-down.
click Add to specify the location from which users can obtain the certificate for the selected CA.
In the Add Location dialog box, specify the URL in the following format and click OK.
http://<nameofcomputerhostingOCSPhere>/ocsp
. For example, the address when using OCSP would be http://OCSPSERV/ocsp.Under Extensions tab, ensure that the URL that is just added to the locations area is highlighted. Ensure that the check boxes next to Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension are selected.
Click Apply and let the service restart, and click OK.
In console tree of the Certification Authority snap-in, right-click Certificate Templates, and click New > Certificate Templates to Issue.
In Enable Certificates Templates dialogue, select the OCSP Response Signing template and any other certificate templates you configured previously, and then click OK.
Create Revocation Configuration
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
Install CADP Key Storage provider
Install the CADP Provider on the machine on which you are installing the online responder so that it can communicate with KeySecure and get the signing key certificate.
Modify Online Responder service to use CipherTrust KMS
To use OCSP with KeySecure, the Online Responder service must be changed so that KeySecure can be used to protect the OCSP signing keys.
Log on to OCSPSERV as a domain administrator.
Go to Start > Control Panel > Administrative Tools > Services.
Right-click on the Online Responder Service and select Properties.
In the dialog box that is displayed, select the Log on tab.
Under the Log on tab:
select the Local System account radio button.
ensure that Allow service to interact with desktop checkbox is enabled.
Click Apply and then OK.
In the Services window, right-click on the Online Responder Service and click Restart.
Setup Revocation Configuration
Log on to OCSPSERV as a domain administrator.
Go to Start > Control Panel > Administrative Tools > Online Responder Management.
From the left pane, click Revocation Configuration.
From the right pane, under Actions, click Add Revocation Configuration.
On the Getting started with adding a revocation configuration section screen, click Next.
On the Name the Revocation Configuration screen, specify the configuration name, and click Next.
On the Select CA Certificate Location screen, ensure that radio button next to Select a certificate for an Existing enterprise CA is selected, and click Next.
On the Choose CA Certificate screen, ensure that radio button next to Browse CA certificates published in Active Directory is selected, and click Browse.
In the Select Certification Authority dialog box, select the CA authority (in this case OCSPCA), and click OK and then Next.
On the Select Signing Certificate screen:
- accept the default setting Automatically select a signing certificate.
- ensure that Auto-enroll for OCSP signing certificate is selected.
Click Next.
On the Revocation Provider screen, click Finish.
In the Online Responder Management tool > Actions, click Refresh.
In the left pane, click on Online Responder: Computer Name and check that the Revocation Configuration Status is displayed as Working.
Auto-enrollment Verification
We will now verify that the certificate will auto-renew after the expiry. Verification of auto renewal involves the expiration of the generated certificate and renewal of the certificate using new key pair.
Viewing generated certificate and key pair
Log on to OCSPSERV as a domain administrator.
Go to Start > Run.
In the Run dialog, type mmc and click OK.
In the mmc console, select File > Add/Remove Snap-in.
In the Add or Remove Snap-Ins dialog box, select the Certificate snap-in.
Click Add, select Service Account, and click Next.
Select Local Computer, and click Next.
Under Certificate Snap-in, click on Online Responder Services in Service Account, and click Finish.
Click OK and expand the Online Responder Services tree.
Expand the OCSPSvc\CertificateName and double click on Certificates.
Double click on the respective certificate to display.
Click the Details tab and verify Valid From and Valid To date of certificate.
You can connect with the KeySecure to verify the key pair which was generated corresponding to the certificate.