Microsoft OCSP
This guide outlines step-by-step instructions for seamlessly integrating Microsoft OCSP (Online Certificate Status Protocol) with a Luna HSM device or Luna Cloud HSM service. Microsoft OCSP is a critical component of cybersecurity that allows users to verify the validity and revocation status of digital certificates, such as those used for secure web connections. It ensures that users can trust the security of online services, protecting them from potential security threats associated with expired or compromised certificates.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Platform Tested |
|---|---|
| Luna HSM | Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 |
| Luna Cloud HSM | Windows Server 2019, Windows Server 2016 |
This integration has been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that Microsoft OCSP will use later.
Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              0
        Label ->                OCSP
        Serial Number ->        1213475834492
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
To ensure the correct configuration of a PED-based Luna HSM, make sure that the ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section of the Chrystoki.conf file.
Set up Luna HSM High-Availability Group
Refer to Luna HSM documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work, so that if the primary goes down for any reason, all calls are automatically routed to the secondary until the primary recovers and starts up.
Set up Luna HSM in FIPS Mode
To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:
Open the configuration file for your Luna HSM.
Look for the [Misc] section within the configuration file.
Add or modify the following setting within the [Misc] section:
RSAKeyGenMechRemap=1
This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.
This adjustment is not necessary for the Universal Client.
This configuration change applies exclusively to Luna Client 7.x.
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system (cvclient-min.zip). Do not extract to a new subdirectory; place the files in the client install directory.
Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Microsoft OCSP
To set up Microsoft OCSP, please follow these steps:
You must have Domain Administrator privileges on all machines involved in the OCSP setup.
Option 1: Install OCSP and CA on Separate Machines
Prepare the Machines:
- OCSPCA: This Windows Server machine will serve as a Domain Controller and Certificate Authority (CA).
- OCSPSERV: This Windows Server machine will function as the OCSP Server.
- OCSPCL: This Windows machine will be used as a client to submit enrollment requests to the CA.
Install Microsoft OCSP on the OCSPSERV machine.
Configure OCSP on the OCSPSERV machine.
Option 2: Combine OCSP and CA on a Single Machine
Prepare the Machines:
- OCSPDC: Set up a Windows Server machine as the Domain Controller.
- OCSPSERV: This Windows Server machine will be used as both the Certificate Authority (CA) and OCSP Server.
- OCSPCL: Prepare a Windows machine to act as a client for submitting enrollment requests to the CA.
Install Microsoft OCSP on the OCSPSERV machine.
Configure OCSP on the OCSPSERV machine.
Register the Security Library
If you want to generate CA certificate keys on Luna HSM or Luna Cloud HSM, start by installing the Key Storage Provider (KSP). This is crucial for the generation of certificate keys. For detailed information on configuring and registering the SafeNet KSP, please refer to the Register SafeNet Key Storage Provider section below. You'll find the necessary tool, KspConfig.exe, in the Luna Client installation directory or within the HSMoD service client package.
Alternatively, if you wish to generate OCSP signing keys using the Cryptographic Service Provider (CSP), you must also register the CSP. Find more details on configuring and registering SafeNet CSP in the Register the SafeNet CSP section.
If your setup involves configuring Microsoft OCSP on multiple systems, remember that the SafeNet Key Storage Provider must be configured on both the Certificate Authority and OCSP server systems. This ensures a consistent and secure configuration across all your systems.
Register SafeNet Key Storage Provider
To effectively register the SafeNet Key Storage Provider (KSP), follow these steps:
Navigate to the KSP Installation Directory: Begin by locating the installation directory for the SafeNet Key Storage Provider (KSP).
Execute KspConfig.exe: Execute the KspConfig.exe tool, which can typically be found in the KSP installation directory.
Register the Security Library: In the user interface, double-click Register Or View Security Library, located on the left side of the window. Select Browse to locate the cryptoki.dll file. You can find this file in the Luna Client installation folder or within the Luna Cloud HSM service client package. Once selected, click Register. A confirmation message will appear on the screen upon successful registration. Click OK.
Register HSM Slots: Double-click Register HSM Slots on the left side of the window. Register a slot for the Administrator user by following these steps:
- Open the Register for User drop-down menu and select ADMINISTRATOR.
- In the Domain drop-down menu, choose your domain.
- Select the relevant service or partition from the Available Slots drop-down menu.
- Enter the slot password.
- Click Register Slot.
- Upon successful registration, a confirmation message will appear. Click OK to proceed.
Register for NT_AUTHORITY\SYSTEM User: Register the same service or partition for the NT_AUTHORITY\SYSTEM user.
Register SafeNet Cryptographic Service Provider
To register the SafeNet Cryptographic Service Provider (CSP) for OCSP signing using CSP-generated keys, follow these steps:
Log in as Domain Administrator: Begin by logging in to the OCSP Server with your domain administrator credentials.
Run the Registration Command: Execute the registration command, register.exe, to register Luna CSP:
C:\Program Files\SafeNet\LunaClient\CSP>register.exe
You will be prompted to provide the partition password.
Verify Luna CSP: To verify the presence of Luna CSP, list the Luna Cryptographic Services for Microsoft Windows by running the following command:
C:\Program Files\SafeNet\LunaClient\CSP>register.exe /l
Restart the Server: To apply the changes made during registration, it's essential to restart the server.
If you intend to utilize CSP-generated OCSP signing keys, the registration of the SafeNet CSP is a mandatory step. Additionally, for configurations involving Microsoft OCSP on multiple systems, make sure to configure and register the SafeNet CSP on both the Certificate Authority and OCSP server systems. This ensures consistent and secure operation across all systems.
Integrate Microsoft OCSP with Luna HSM
To enable Luna HSMs for the OCSP, undertake the following procedures:
Set Up an Enterprise Root Certificate Authority
Install the online responder service
Configure CA for OCSP Response Signing Certificates
Create a revocation configuration
Set Up an Enterprise Root Certificate Authority
Establishing an enterprise root certificate authority is vital, as it enables the issuance of certificates for both the online responder service and client computers. Additionally, it facilitates the publication of certificate information to Active Directory Domain Services (ADDS). To configure an enterprise root CA, install ADCS and CA role, and then configure ADCS and CA role.
Install ADCS and CA role
Follow these steps to install the Active Directory Certificate Services (ADCS) along with the CA role:
If you plan to install both the CA and OCSP on the same machine, make sure to log in to the machine named OCSPSERV to install the CA role.
Log in to OCSPCA as a Domain Administrator.
Access the Server Manager by selecting Administrative Tools from the Start menu.
In the Server Manager Dashboard, click Manage, and then select Add Roles and Features.
In the Add Roles and Features Wizard, click Next.
On the Installation Type page, select the Role-based or feature-based installation option and click Next.
Choose a server from the server pool on the Server Selection screen and click Next.
From the Roles list, select Active Directory Certificate Services and click Add Features. Then, click Next.
On the Role Services page, select the Certificate Authority and Certificate Authority Web Enrollment check boxes. Click Add Features and Next.
On the Features page, click Next.
On the ADCS page, click Next.
Check the box that says Restart the destination server automatically if required. You'll see a confirmation message. Click Yes to proceed.
On the confirmation page, click on the Install button. Allow the installation process to finish.
Configure ADCS and CA role
Follow these steps to configure ADCS and CA role:
If you are proceeding from the previous step, select Configure Active Directory Certificate Server on the destination server. Alternatively, you can access the ADCS Configuration Wizard by clicking the Notification Flag and configuring the server role.
On the Credentials page, click Next.
On the Role Services page, select the Certificate Authority and Certificate Authority Web Enrollment check boxes. Click Next.
On the Setup Type page, select Enterprise CA. Click Next.
On the CA Type page, select the Root CA radio button and click Next.
On the Private Key page, select the Create a new private key check box. Click Next.
In the Cryptography for CA window, select and configure the provider for the CA. Ensure the availability of the following cryptographic providers for use:
RSA#SafeNet Key Storage Provider
DSA#SafeNet Key Storage Provider
ECDSA_P256#SafeNet Key Storage Provider
ECDSA_P384#SafeNet Key Storage Provider
ECDSA_P521#SafeNet Key Storage Provider
If you don't see these objects listed under the Cryptographic Provider drop-down menu, it's essential to verify your KSP/CSP Registration.
Make sure to use the sha hashing algorithm for secure configuration.
After selecting and setting up the Cryptographic Provider, click Next.
On the Configure CA Name page, enter the CA Name or accept the default CA name. Click Next.
On the Validity Period page, specify the certificate validity period. Click Next.
Specify the database location or accept the default location on the Certificate Database page and click Next.
Ensure the suitability of the CA configuration before proceeding. Click Configure and patiently await the confirmation message. If all settings are correct, the Configuration succeeded message will be displayed upon the successful completion of the configuration process.
Click Close to exit the ADCS Configuration wizard.
Install the online responder service
Follow these steps to install the online responder service:
Log on to OCSPSERV as a domain administrator.
Open the Start menu and select Administrative Tools, then click Server Manager.
Within the Server Manager Dashboard, click Manage in the right pane, and then select Add Roles and Features.
In the Add Roles and Features Wizard, click Next to initiate the installation process.
On the Installation Type page, choose the Role-based or feature-based installation option, and click Next.
On the Server Selection screen, tick the Select a server from the server pool box and choose the listed server. Then, click Next.
In the Roles list, check the Active Directory Certificate Services box. This will prompt the Add features dialog. Click Add Features to add the necessary features for the server role. Click Next.
Proceed to the Features page and click Next.
On the ADCS page, click Next.
On the Role Services page, uncheck the Certification Authority box and select the Online Responder box. This will open the Add Features dialog. Click Add Features to add the required components for the server role. Click Next.
Continue to the Features page and click Next.
Select the Restart the destination server automatically if required check box. A confirmation message will appear. Click Yes.
On the Confirmation page, click Install.
Click Configure Active Directory Certificate Server on the destination server. This action opens the ADCS Configuration Wizard. Alternatively, you can access the ADCS Configuration Wizard by clicking the Notification Flag.
On the Credentials page, click Next.
On the Role Services page, select the Online Responder check box and click Next.
On the Confirmation page, click Configure and wait for the confirmation message. You'll receive a message upon successful configuration.
On the Results page, click Close to exit the ADCS Configuration Wizard.
Configure CA for OCSP Response Signing Certificates
If you've installed the CA and OCSP on the same machine, complete this procedure on OCSPSERV to configure OCSP Response Signing Certificates.
Configure certificate templates using SafeNet KSP
To set up certificate templates using SafeNet KSP, proceed as follows:
If you intend to generate OCSP signing keys using SafeNet CSP instead of SafeNet KSP, please refer to Configure Certificate Templates Using SafeNet CSP.
Log in to OCSPCA as a domain administrator.
Click Search, type MMC, and press Enter to open the console.
In the MMC console, select File and choose Add/Remove Snap-in.
In the Add or Remove Snap-Ins dialog box, locate and select the Certificate Templates snap-in from the Available snap-ins section.
Click Add, and then click OK.
Within the Console Root, expand the Certificate Templates snap-in to view a list of all the certificate templates that the CA is capable of issuing.
Scroll down the list of certificate templates until you find the OCSP Response Signing template. Right-click the template and choose Properties to open the Template Properties dialog.
In the Template Properties dialog, switch to the General tab and select the Publish Certificate in the Active Directory check box.
Specify the desired Validity Period and Renewal Period. Note that, for testing purposes, this guide assumes a validity period of four hours and a renewal period of one hour for auto-renewal.
Switch to the Security tab and click Add. This opens the Select User, Computers, Service Accounts, or Groups dialog.
Enter the name of the machine hosting the Online Responder service. In this case, the machine name is OCSPSERV.
Click OK, and another dialog will appear as the system attempts to locate the machine.
Click Object Types, select the Computers check box, and click OK.
Re-enter OCSPSERV in the Select User, Computers, Service Accounts, or Groups dialog and click OK. The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.
Click OCSPSERV in the Group and user names area.
Select the Read, Enroll, and Autoenroll check boxes.
Ensure that the Read, Write, Enroll, and Autoenroll check boxes are also selected for both Domain Admins and Enterprise Admins. Click Apply.
Switch to the Cryptography tab and select the Requests must use one of the following providers radio button. The dialog below the radio button will become active.
Choose SafeNet Key Storage Provider from the available options.
Click Apply and then OK to save your settings.
Configure certificate templates using SafeNet CSP
To set up certificate templates using SafeNet CSP, follow these steps:
Ensure that you have registered the CSP on both the OCSPCA and OCSPSERV systems.
Log in to OCSPCA as a domain administrator.
Click the Search menu, type MMC, and press Enter to open the console.
In the MMC console, select File and choose Add/Remove Snap-in.
In the Add or Remove Snap-Ins dialog box, locate and select the Certificate Templates snap-in from the Available snap-ins section.
Click Add, and then click OK.
Within the Console Root, expand the Certificate Templates snap-in to view a list of all the certificate templates that the CA is capable of issuing.
Scroll down the list of certificate templates until you find the OCSP Response Signing template. Right-click the OCSP Response Signing Template and select Duplicate Template.
In the pop-up dialog box, click the Compatibility tab.
In Compatibility Settings, under Certificate Authority, select Windows Server 2003. This action will prompt the Resulting Changes to appear. Confirm your selection by clicking OK.
Under Certificate recipient, select Windows XP / Server 2003. The Resulting Changes window will appear. Click OK.
Click the General tab. Enter the name of the template in Template display name.
Select the Publish Certificate in the Active Directory check box.
Specify the desired Validity Period and Renewal Period. For testing purposes, this guide assumes a validity period of four hours and a renewal period of one hour for auto-renewal.
Click Security and select Add. This opens the Select User, Computers, Service Accounts, or Groups dialog.
Enter the name of the machine (OCSPSERV) hosting the Online Responder service.
Click Object Types, select the Computers check box, and click OK.
Re-enter OCSPSERV in the Select User, Computers, Service Accounts, or Groups dialog and click OK.
Click OCSPSERV in the Group and user names area.
Select the Read, Enroll, and Autoenroll check boxes.
Ensure that the Read, Write, Enroll, and Autoenroll check boxes are selected for both Domain Admins and Enterprise Admins. Click Apply.
Click the Cryptography tab and select the Requests must use one of the following providers radio button. The dialog below the radio button will become active.
Choose Luna Cryptographic Services for Microsoft Windows from the available options.
Click Apply and then OK.
Configure the CA to Support the Online Responder Service
After configuring the certificate templates and issuing properties for OCSP Response Signing Certificates, proceed with the following steps to configure the CA for supporting the Online Responder service:
Sign in to OCSPCA as a domain administrator.
From the Start menu, navigate to Administrative Tools, and click Certification Authority.
In the console tree on the left, click the name of your Certification Authority (CA).
Open the Action menu and select Properties.
Click the Security tab and then select Add. This action will open the Select User, Computers, Service Accounts, or Groups dialog.
Enter the name of the machine hosting the Online Responder service, such as OCSPSERV.
Click OK. If the system cannot locate the machine, another dialog will appear.
Click Object Types, select the Computers checkbox, and click OK.
Enter OCSPSERV once again in the Select User, Computers, Service Accounts or Groups dialog and click OK. The machine hosting the Online Responder will be added to the Group and user names section under the Security tab.
Click OCSPSERV in the Group and user names area. In the Permissions section, select the Request Certificate checkbox.
Ensure that the Issue and Manage Certificates, Manage CA, and Request Certificates checkboxes are selected for Domain Admins, Enterprise Admins, and Administrators.
Move to the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
Click Add. In the Add Location dialog, type http://<computer_name_hosting_OCSP>/ocsp under Location. For example, if you are using OCSPSERV, the address would be http://OCSPSERV/ocsp.
Click OK.
Ensure that the recently added URL is highlighted.
Select both Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension checkboxes.
Click Apply and confirm the restart of Active Directory Certificate Services by selecting Yes.
After the services restart, click OK.
In the Certification Authority snap-in's console tree, right-click Certificate Templates, and select New Certificate Templates to Issue.
In the Enable Certificates Templates dialog, select the OCSP Response Signing template and any other previously configured certificate templates. Click OK.
Open Certificate Templates in the Certification Authority to verify that the modified certificate templates are included in the list.
Create a revocation configuration
A revocation configuration includes all of the settings required to respond to status requests regarding certificates issued by a specific CA key. To create a revocation configuration, you need to modify the online responder service to use Luna HSMs, and then set up the revocation configuration.
Modify online responder service to use Luna HSMs
To use OCSP with Luna HSMs or Luna Cloud HSM services and protect OCSP signing keys, configure the online responder service. Here's how:
Log in to OCSPSERV as a domain administrator.
From the Start menu, go to Administrative Tools and select Services.
Locate the Online Responder Service in the list of services.
Right-click the Online Responder Service and choose Properties.
In the dialog box, select the Log On tab.
Under Log on as, choose the Local System Account radio button and enable the Allow services to interact with desktop checkbox.
Click Apply and then OK.
Return to the services window. Right-click the Online Responder Service and select Restart. Wait for the service to start again and then close the service window.
Set up revocation configuration
Once the online responder service is configured to use the HSM for protecting the OCSP signing keys, you can set up the certificate revocation configuration. Follow these steps:
Log in to OCSPSERV as a domain administrator.
From the Start menu, select Administrative Tools and click Online Responder Management.
In the left-hand pane, choose Revocation Configuration.
In the right-hand pane, under Actions, click Add Revocation Configuration. A dialog window appears.
In the Getting Started with Adding a Revocation Configuration section, click Next.
In the Name the Revocation Configuration section, provide a name for the configuration (e.g., Test) and click Next.
In the Select CA Certificate Location window, ensure the Select a certificate for an Existing enterprise CA radio button is selected and click Next.
In the Choose CA Certificate section, select the Browse CA certificates published in Active Directory radio button and click Browse.
In the Select Certification Authority dialog box, choose the CA authority (in this case OCSPCA) and click OK. Click Next.
In the Select Signing Certificate window, accept the default setting Automatically select a signing certificate and check the Auto-enroll for OCSP signing certificate checkbox. Click Next.
In the Revocation Provider window, click Finish. Once the wizard completes, the Revocation Configuration Status Box will display the Online Responder status as Bad Signing on Array Controller.
To resolve this, click Revocation Configuration in the left-hand pane. The certificate will be visible in the right pane.
Right-click the certificate and select Edit Properties.
Click the Signing tab. Uncheck the Do not prompt for credentials for cryptographic operations box. Click OK.
Return to the Online Responder Management tool. Open Actions and click Refresh.
In the left-hand pane, click Online Responder: Computer Name and ensure that the Revocation Configuration Status Box shows Working.
Verify auto-enrollment
To verify the successful auto-enrollment of a newly generated certificate, you need to verify a generated certificate and key pair, and then verify a renewed certificate and key pair.
Verify a generated certificate and key pair
Log in to OCSPSERV as a domain administrator.
Press the Windows key, type MMC, and press Enter to open the console.
In the MMC console, go to File and select Add/Remove Snap-in...
In the Add or Remove Snap-Ins dialog box, find the Certificate snap-in under the Available snap-ins section and select it.
Click Add, choose Service Account, and click Next.
Select Local Computer, and click Next.
Under Certificate Snap-in, click on Online Responder Services in Service Account and click Finish.
Click OK and expand the Online Responder Services tree.
Expand OCSPSvc\CertificateName (for instance, OCSPSvc_test_) and then double-click on Certificates.
A certificate will be presented. Double-click the certificate to view its properties.
Click the Details tab and verify the Valid From and Valid To dates of the certificate, which should indicate the certificate expires within the next four hours.
The Luna HSM partition should show the key pair for the CA certificate and online responder service certificate. Wait for four hours to confirm the auto-renewal of the certificate since the certificate's validity period is set to four hours.
Verify a renewed certificate and key pair
After four hours have passed, you can check if the Valid From and Valid To dates of the certificate have been updated. The new certificate should be valid for the next four hours, and a new key pair for the renewed certificate should be generated within the Luna HSM partition. This process demonstrates that the certificate renews automatically every four hours.
The four-hour validity period is for testing purposes. In a production environment, it is recommended to set the validity periods as required by your organization's security policies.
Validate OCSP Integration
To confirm the proper functioning of OCSP after integrating with Luna HSM or Luna Cloud HSM service, follow these steps:
Generate a certificate request
To generate a certificate request, follow these steps:
Log in to the OCSPCL machine.
Create a certificate request using the following recommended template structure. You may use different cryptographic service providers.
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=OCSPCL"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "<Provider_to_be_used>"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
Save the template as a file named test.inf, ensuring the ProviderName variable is enclosed in quotation marks.
Open a command prompt window and execute the following command:
certreq -new test.inf test.req
This command generates a certificate request named test.req.
Execute the following command in the command prompt:
certreq -submit -attrib "CertificateTemplate:WebServer" test.req
A popup window appears, asking you to choose the appropriate CA to use. Select the OCSPCA entry and click OK.
Save the certificate file and click OK. After a brief pause, a message Certificate Successfully Generated appears on the command prompt, and a certificate file is generated.
Verify the certificate's origin
To verify the certificate's origin, follow these steps:
Log on to OCSPCA and go to the Certification Authority tool by navigating to Start -> Administrative Tools -> Certification Authority.
In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, right-click on the Revoked Certificates folder, point to All Tasks, and click Publish.
Select New CRL and click OK.
Open the Certification Authority snap-in and right-click on the CA. Click Properties.
On the Extensions tab, verify that the extension is set to CRL Distribution Point (CDP) in the drop-down menu. Select any listed CRL distribution points, click Remove, and click OK.
Click Apply and a dialog will appear, prompting you to restart the service.
Click OK and wait for the service restart.
Verify that clients can still obtain revocation data. Execute the following on OCSPCL:
certutil -url test.cer
The URL Retrieval Tool dialog will appear. Select the CRLs (From CDP) radio button and then click Retrieve.
Select the OCSP (From AIA) radio button and click Retrieve. Check the list for an OCSP entry with the web address of the OCSP server. If everything is functioning properly, you'll see the word Verified in the first column of the list.
Select the Certs (from AIA) radio button and click Retrieve. One or two entries should be listed, with Verified next to them.
If Certificate Authority Web Enrollment is not installed on the CA, you might see an entry with AIA displayed as Failed in the Certs (from AIA) section. However, as long as at least one entry in the Certs (from AIA) section is marked as Verified, it indicates a successful setup with no issues to be concerned about.
Verify OCSP integration
This procedure helps you verify that the OCSP service is operating without errors following integration with Luna HSM or Luna Cloud HSM service. Ensure you check for the specific section in the output to confirm that the OCSP service is returning a Good certificate status. Follow these steps:
Open a command prompt and execute the following command:
certutil -verify test.cer > test.txt
After the command has completed, open the test.txt file and confirm that the output is structured as follows:
Issuer:
CN=Integration-OCSPSERV-CA
DC=Integration
DC=com
Subject:
CN=OCSPCL
C=IN
Cert Serial Number: 611362e4000000000003
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
NotBefore: 5/23/2013 3:55 PM
NotAfter: 5/23/2015 3:55 PM
Subject: CN=OCSPCL, C=IN
Serial: 611362e4000000000003
Template: WebServer
f0 e3 6b 9f f4 59 a6 64 18 f4 6f f6 a1 90 52 5b a3 3a 40 8c
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 02:
Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
c1 32 12 a5 2f 82 d9 69 06 c0 28 1c 75 9d b1 5b 4c c5 4f 6d
Delta CRL 02:
Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
b1 63 03 a3 b8 d0 c5 41 7c d9 2c 3f ae 87 b4 a3 27 bd e7 73
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
NotBefore: 5/23/2013 3:30 PM
NotAfter: 5/23/2018 3:40 PM
Subject: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
Serial: 6236c444f91af2a04fafdd311517307a
c3 3b 1c 6a 7f 07 3d f9 63 2a d1 fd 62 ca eb 16 e5 04 0a d3
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
e9 a1 9d 87 ea 5f 8b 9f b1 cc 2d d5 3a 55 f2 d1 12 14 b8 a2
Full chain:
e5 79 bc 47 e8 b8 05 11 fa e4 0d 47 a8 3e 73 99 3d df cf 4f
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Ensure that the following components are present in the output:
Verified Issuance Policies: None
Verified Application Policies: 1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
This output confirms that the OCSP server is functioning without issues. The critical element to focus on is the Leaf certificate revocation check passed line, which indicates that the OCSP service is returning a Good certificate status. If the log generated by the verify command lacks this line or displays errors, we recommend restarting both the OCSP server and the client machine. Afterward, rerun the verify command on the certificate file for further assessment.
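As an added example (not code from the guide or from the vendor), a small Python checker that parses the certutil -verify dump shown above: it reads the dwErrorStatus of every CertContext element and confirms that both markers the text asks you to look for are present. The embedded sample is trimmed from the output above; the optional file-path argument for checking your own test.txt is an assumption.

```python
import re
import sys

# Constructed sample: trimmed from the certutil -verify output shown in the guide.
SAMPLE_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  Subject: CN=OCSPCL, C=IN
  Serial: 611362e4000000000003
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  Subject: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  Serial: 6236c444f91af2a04fafdd311517307a
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

# One CertContext[chain][index] header per chain element; both status words are hex.
CTX_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)")
FIELD_RE = re.compile(r"^\s*(Issuer|Subject|Serial):\s*(.+)$")


def parse_chain(text):
    """Return one dict per chain element with its status flags and first Issuer/Subject/Serial."""
    elements = []
    for line in text.splitlines():
        m = CTX_RE.match(line)
        if m:
            elements.append({"chain": int(m.group(1)), "index": int(m.group(2)),
                             "info_status": int(m.group(3), 16),
                             "error_status": int(m.group(4), 16)})
            continue
        f = FIELD_RE.match(line)
        if f and elements:  # keep the element's own fields, ignore later CRL Issuer lines
            elements[-1].setdefault(f.group(1).lower(), f.group(2).strip())
    return elements


def ocsp_verify_ok(text):
    """True only if every chain element has dwErrorStatus=0 and both expected markers exist."""
    elements = parse_chain(text)
    return (bool(elements)
            and all(e["error_status"] == 0 for e in elements)
            and "Leaf certificate revocation check passed" in text
            and "CertUtil: -verify command completed successfully." in text)


if __name__ == "__main__":
    # Assumed usage: python check_verify.py test.txt (falls back to the sample).
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_OUTPUT)
    for e in parse_chain(text):
        print(f"[{e['chain']}][{e['index']}] {e.get('subject')} error=0x{e['error_status']:x}")
    sys.exit(0 if ocsp_verify_ok(text) else 1)
```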
Troubleshooting
Resolve issues with online responder and certificate configuration, such as bad signing certificates, AIA errors, unrecognized certificate authorities, and provider-specific errors.
Bad signing certificate on array controller
Problem: The Online Responder reports a Bad signing certificate on array controller error.
Possible Reason: This error occurs when the Online Responder client cannot locate the CA certificate.
Solution: Verify that you have correctly followed the steps outlined in the Create revocation configuration section. Make sure the CA is properly configured and that a valid CA certificate for OCSP Signing exists.
Failed entry in certutil -url output for Certs (from AIA)
Problem: When running certutil -url <certnamehere.cer> and choosing Certs (from AIA), you encounter an entry marked as Failed.
Possible Reason: This error appears when the Certificate Authority Web Enrollment is not installed on the CA.
Solution: Install the Certificate Authority Web Enrollment on the CA machine. Note that an AIA failure does not negatively impact the OCSP setup as long as at least one of the entries under Certs (from AIA) is marked as Verified, that is, as long as both entries do not fail.
Unrecognized/untrusted CA
Problem: Newly generated certificates from the CA are reported as untrusted.
Possible Reason: This error occurs when the CA has not been added to the Trusted Root Certification Authorities certificate store.
Solution: Double-click the newly generated certificate. Under the General tab, click Install Certificate.... On the first screen, click Next, select the radio button next to Place all certificates in the following store, and click Browse. In the Select Certificate Store window, select Trusted Root Certification Authorities and click OK. After the window disappears, click Next, and on the next window, click Finish.
"Invalid Provider Specified" error when using certreq -new command
Problem: Running the certreq -new <.req file here> command results in an Invalid Provider Specified error.
Possible Reason: This error appears when the Cryptographic Service Providers (CSPs) are not correctly installed and set up on the client machine.
Solution: Ensure that the SafeNet Luna CSP or CNG providers are correctly installed and configured (you can use the CSP Install Wizard and CNG Configuration Wizard under the Luna HSM Installation folder). Alternatively, you can use Microsoft Cryptographic Service Provider or any other registered service provider on the client machine.