Microsoft OCSP
This guide outlines step-by-step instructions for seamlessly integrating Microsoft OCSP (Online Certificate Status Protocol) with a Luna HSM device or Luna Cloud HSM service. Microsoft OCSP is a critical component of cybersecurity that allows users to verify the validity and revocation status of digital certificates, such as those used for secure web connections. It ensures that users can trust the security of online services, protecting them from potential security threats associated with expired or compromised certificates.
The key benefits of this integration are:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Platform Tested |
|---|---|
| Luna HSM | Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 |
| Luna Cloud HSM | Windows Server 2019, Windows Server 2016 |
Note
This integration has been tested using the Luna Client in both High Availability (HA) and FIPS-compliant modes.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to the Luna HSM documentation.
2. Create a partition that will later be used by Microsoft OCSP.
3. Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
4. Initialize the Crypto Officer and Crypto User roles for the registered partition.
5. Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe output similar to the example below:
lunacm.exe (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> OCSP
Serial Number -> 1213475834492
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Note
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Note
To ensure the correct configuration of a PED-based Luna HSM, make sure that ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section of the Chrystoki.conf file.
Set up Luna HSM High-Availability Group
Refer to the Luna HSM documentation for HA steps and details on configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work, so that if the primary goes down for any reason, all calls are automatically routed to the secondary until the primary recovers and starts up.
Set up Luna HSM in FIPS Mode
To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:
1. Open the configuration file for your Luna HSM.
2. Look for the [Misc] section within the configuration file.
3. Add or modify the following setting within the [Misc] section:
RSAKeyGenMechRemap=1
This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.
Note
This adjustment is not necessary for the Universal Client.
Note
This configuration change applies exclusively to Luna Client 7.x.
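The three client-side settings described above (ProtectedAuthenticationPathFlagStatus for PED-authenticated HSMs, HAOnly for HA groups, and RSAKeyGenMechRemap for FIPS mode) are easy to miss on a fleet of OCSP and CA servers. The following PowerShell script is an added example, not part of the Thales guide, that audits a Luna client configuration for them. It assumes the INI-style [Section] / Key=Value layout shown in this guide; the sample file content is constructed for the demo (the HAConfiguration section name in it is illustrative), and $ConfigPath is a placeholder for the real path on your client.

```powershell
# Added example, not part of the Thales guide: audit a Luna client configuration
# file for HAOnly, RSAKeyGenMechRemap and ProtectedAuthenticationPathFlagStatus.

function Read-LunaConfig {
    # Parse INI-style lines into a hashtable keyed "Section/Key".
    param([string[]]$Lines)
    $settings = @{}
    $section = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';') -or $text.StartsWith('#')) { continue }
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Test-LunaConfig {
    # One finding per expected setting: OK, WRONG VALUE, or MISSING.
    param([hashtable]$Settings, [switch]$PedAuthenticated, [switch]$HaGroup)

    # "Section/Key" -> expected value. HAOnly is matched in any section because
    # this guide names the key but not the section it lives in.
    $expected = @{ 'Misc/RSAKeyGenMechRemap' = '1' }
    if ($PedAuthenticated) { $expected['Misc/ProtectedAuthenticationPathFlagStatus'] = '1' }
    if ($HaGroup)          { $expected['*/HAOnly'] = '1' }

    $findings = foreach ($key in $expected.Keys) {
        $match = $Settings.Keys | Where-Object { $_ -like $key } | Select-Object -First 1
        if (-not $match) {
            [pscustomobject]@{ Setting = $key;   Status = 'MISSING';     Value = $null }
        } elseif ($Settings[$match] -ne $expected[$key]) {
            [pscustomobject]@{ Setting = $match; Status = 'WRONG VALUE'; Value = $Settings[$match] }
        } else {
            [pscustomobject]@{ Setting = $match; Status = 'OK';          Value = $Settings[$match] }
        }
    }
    return $findings
}

# Constructed sample (not a real file): HAOnly is set, the FIPS remap is
# missing, and the PED flag is disabled. The section name is illustrative.
$sampleConfig = @'
[Misc]
ProtectedAuthenticationPathFlagStatus=0
[HAConfiguration]
HAOnly=1
'@ -split "`r?`n"

Test-LunaConfig -Settings (Read-LunaConfig $sampleConfig) -PedAuthenticated -HaGroup |
    Format-Table -AutoSize

# To audit a real client, replace the sample with the file contents:
# $ConfigPath = 'C:\path\to\luna\client\config.ini'   # placeholder path
# Test-LunaConfig -Settings (Read-LunaConfig (Get-Content $ConfigPath)) -HaGroup
```

Run with -PedAuthenticated only for PED-based HSMs and -HaGroup only where an HA group is configured; for a password-authenticated, single-HSM client the script checks just RSAKeyGenMechRemap. A WRONG VALUE or MISSING line for RSAKeyGenMechRemap on a FIPS-mode HSM is the configuration the section above warns about: key generation requests using the older RSA PKCS or X9.31 mechanisms will be rejected rather than remapped.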
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM on a Windows environment:
1. Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
2. Extract the .zip file into a directory on your client workstation.
3. Extract or untar the appropriate client package for your operating system (cvclient-min.zip). Do not extract to a new subdirectory; place the files in the client install directory.
4. Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
Note
To add the configuration to an already installed UC client, use the -addcloudhsm option when running the setenv script.
5. Run the LunaCM utility and verify that the Cloud HSM service is listed.
Note
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Microsoft OCSP
To set up Microsoft OCSP, please follow these steps:
Note
All machines involved in the OCSP setup must have Domain Administrator privileges.
Option 1: Install OCSP and CA on Separate Machines
1. Prepare the machines:
- OCSPCA: This Windows Server machine will serve as a Domain Controller and Certificate Authority (CA).
- OCSPSERV: This Windows Server machine will function as the OCSP Server.
- OCSPCL: This Windows machine will be used as a client to submit enrollment requests to the CA.
2. Install Microsoft OCSP on the OCSPSERV machine.
3. Configure OCSP on the OCSPSERV machine.
Option 2: Combine OCSP and CA on a Single Machine
1. Prepare the machines:
- OCSPDC: Set up a Windows Server machine as the Domain Controller.
- OCSPSERV: This Windows Server machine will be used as both the Certificate Authority (CA) and OCSP Server.
- OCSPCL: Prepare a Windows machine to act as a client for submitting enrollment requests to the CA.
2. Install Microsoft OCSP on the OCSPSERV machine.
3. Configure OCSP on the OCSPSERV machine.
Register the Security Library
If you want to generate CA certificate keys on Luna HSM or Luna Cloud HSM, start by installing the Key Storage Provider (KSP). This is crucial for the generation of certificate keys. For detailed information on configuring and registering the SafeNet KSP, refer to the Register SafeNet Key Storage Provider section below. You'll find the necessary tool, KspConfig.exe, in the Luna Client installation directory or within the HSMoD service client package.
Alternatively, if you wish to generate OCSP signing keys using the Cryptographic Service Provider (CSP), you must also register the CSP. Find more details on configuring and registering SafeNet CSP in the Register the SafeNet CSP section.
Note
If your setup involves configuring Microsoft OCSP on multiple systems, remember that the SafeNet Key Storage Provider must be configured on both the Certificate Authority and OCSP server systems. This ensures a consistent and secure configuration across all your systems.
Register SafeNet Key Storage Provider
To effectively register the SafeNet Key Storage Provider (KSP), follow these steps:
1. Navigate to the KSP Installation Directory: Begin by locating the installation directory for the SafeNet Key Storage Provider (KSP).
2. Execute KspConfig.exe: Execute the KspConfig.exe tool, which can typically be found in the KSP installation directory.
3. Register the Security Library: In the user interface, double-click Register Or View Security Library, located on the left side of the window. Select Browse to locate the cryptoki.dll file. You can find this file in the Luna Client installation folder or within the Luna Cloud HSM service client package. Once selected, click Register. A confirmation message will appear on the screen upon successful registration. Click OK.
4. Register HSM Slots: Double-click Register HSM Slots on the left side of the window. Register a slot for the Administrator user by following these steps:
- Open the Register for User drop-down menu and select ADMINISTRATOR.
- In the Domain drop-down menu, choose your domain.
- Select the relevant service or partition from the Available Slots drop-down menu.
- Enter the slot password.
- Click Register Slot.
- Upon successful registration, a confirmation message will appear. Click OK to proceed.
5. Register for the NT_AUTHORITY\SYSTEM User: Register the same service or partition for the NT_AUTHORITY\SYSTEM user.
Register SafeNet Cryptographic Service Provider
To register the SafeNet Cryptographic Service Provider (CSP) for OCSP signing using CSP-generated keys, follow these steps:
1. Log in as Domain Administrator: Begin by logging in to the OCSP Server with your domain administrator credentials.
2. Run the Registration Command: Execute the registration command, register.exe, to register the Luna CSP:
C:\Program Files\SafeNet\LunaClient\CSP>register.exe
You will be prompted to provide the partition password.
3. Verify the Luna CSP: To verify the presence of the Luna CSP, list the Luna Cryptographic Services for Microsoft Windows by running the following command:
C:\Program Files\SafeNet\LunaClient\CSP>register.exe /l
4. Restart the Server: To apply the changes made during registration, restart the server.
Note
If you intend to utilize CSP-generated OCSP signing keys, the registration of the SafeNet CSP is a mandatory step. Additionally, for configurations involving Microsoft OCSP on multiple systems, make sure to configure and register the SafeNet CSP on both the Certificate Authority and OCSP server systems. This ensures consistent and secure operation across all systems.
Integrate Microsoft OCSP with Luna HSM
To enable Luna HSMs for the OCSP, undertake the following procedures:
Set Up an Enterprise Root Certificate Authority
Install the online responder service
Configure CA for OCSP Response Signing Certificates
Create a revocation configuration
Set Up an Enterprise Root Certificate Authority
Establishing an enterprise root certificate authority is vital, as it enables the issuance of certificates for both the online responder service and client computers. Additionally, it facilitates the publication of certificate information to Active Directory Domain Services (ADDS). To configure an enterprise root CA, install ADCS and CA role, and then configure ADCS and CA role.
Install ADCS and CA role
Follow these steps to install the Active Directory Certificate Services (ADCS) along with the CA role:
Note
If you plan to install both the CA and OCSP on the same machine, make sure to log in to the machine named OCSPSERV to install the CA role.
1. Log in to OCSPCA as a Domain Administrator.
2. Access the Server Manager by selecting Administrative Tools from the Start menu.
3. In the Server Manager Dashboard, click Manage, and then select Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Installation Type page, select the Role-based or feature-based installation option and click Next.
6. Choose a server from the server pool on the Server Selection screen and click Next.
7. From the Roles list, select Active Directory Certificate Services and click Add Features. Then, click Next.
8. On the Role Services page, select the Certificate Authority and Certificate Authority Web Enrollment check boxes. Click Add Features and Next.
9. On the Features page, click Next.
10. On the ADCS page, click Next.
11. Check the box that says Restart the destination server automatically if required. You'll see a confirmation message. Click Yes to proceed.
12. On the confirmation page, click the Install button. Allow the installation process to finish.
Configure ADCS and CA role
Follow these steps to configure ADCS and CA role:
1. If you are proceeding from the previous step, select Configure Active Directory Certificate Server on the destination server. Alternatively, you can access the ADCS Configuration Wizard by clicking the Notification Flag and configuring the server role.
2. On the Credentials page, click Next.
3. On the Role Services page, select the Certificate Authority and Certificate Authority Web Enrollment check boxes. Click Next.
4. On the Setup Type page, select Enterprise CA. Click Next.
5. On the CA Type page, select the Root CA radio button and click Next.
6. On the Private Key page, select the Create a new private key check box. Click Next.
In the Cryptography for CA window, select and configure the provider for the CA. Ensure that the following cryptographic providers are available for use:
RSA#SafeNet Key Storage Provider
DSA#SafeNet Key Storage Provider
ECDSA_P256#SafeNet Key Storage Provider
ECDSA_P384#SafeNet Key Storage Provider
ECDSA_P521#SafeNet Key Storage Provider
Note
If you don't see these objects listed under the Cryptographic Provider drop-down menu, verify your KSP/CSP registration.
Note
Make sure to use the SHA hashing algorithm for a secure configuration.
7. After selecting and setting up the Cryptographic Provider, click Next.
8. On the Configure CA Name page, enter the CA Name or accept the default CA name. Click Next.
9. On the Validity Period page, specify the certificate validity period. Click Next.
10. Specify the database location or accept the default location on the Certificate Database page and click Next.
11. Ensure the suitability of the CA configuration before proceeding. Click Configure and wait for the confirmation message. If all settings are correct, the Configuration succeeded message is displayed upon completion of the configuration process.
12. Click Close to exit the ADCS Configuration wizard.
Install the online responder service
Follow these steps to install the online responder service:
1. Log on to OCSPSERV as a domain administrator.
2. Open the Start menu and select Administrative Tools, then click Server Manager.
3. Within the Server Manager Dashboard, click Manage in the right pane, and then select Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next to initiate the installation process.
5. On the Installation Type page, choose the Role-based or feature-based installation option, and click Next.
6. On the Server Selection screen, tick the Select a server from the server pool box and choose the listed server. Then, click Next.
7. In the Roles list, check the Active Directory Certificate Services box. This will prompt the Add features dialog. Click Add Features to add the necessary features for the server role. Click Next.
8. Proceed to the Features page and click Next.
9. On the ADCS page, click Next.
10. On the Role Services page, uncheck the Certification Authority box and select the Online Responder box. This will open the Add Features dialog. Click Add Features to add the required components for the server role. Click Next.
11. Continue to the Features page and click Next.
12. Select the Restart the destination server automatically if required check box. A confirmation message will appear. Click Yes.
13. On the Confirmation page, click Install.
14. Click Configure Active Directory Certificate Server on the destination server. This action opens the ADCS Configuration Wizard. Alternatively, you can access the ADCS Configuration Wizard by clicking the Notification Flag.
15. On the Credentials page, click Next.
16. On the Role Services page, select the Online Responder check box and click Next.
17. On the Confirmation page, click Configure and wait for the confirmation message. You'll receive a message upon successful configuration.
18. On the Results page, click Close to exit the ADCS Configuration Wizard.
Configure CA for OCSP Response Signing Certificates
Note
If you've installed the CA and OCSP on the same machine, complete this procedure on OCSPSERV to configure OCSP Response Signing Certificates.
Configure certificate templates using SafeNet KSP
To set up certificate templates using SafeNet KSP, proceed as follows:
Note
If you intend to generate OCSP signing keys using SafeNet CSP instead of SafeNet KSP, please refer to Configure Certificate Templates Using SafeNet CSP.
1. Log in to OCSPCA as a domain administrator.
2. Click Search, type MMC, and press Enter to open the console.
3. In the MMC console, select File and choose Add/Remove Snap-in.
4. In the Add or Remove Snap-Ins dialog box, locate and select the Certificate Templates snap-in from the Available snap-ins section.
5. Click Add, and then click OK.
6. Within the Console Root, expand the Certificate Templates snap-in to view a list of all the certificate templates that the CA is capable of issuing.
7. Scroll down the list of certificate templates until you find the OCSP Response Signing template. Right-click the template and choose Properties to open the Template Properties dialog.
8. In the Template Properties dialog, switch to the General tab and select the Publish Certificate in the Active Directory check box.
9. Specify the desired Validity Period and Renewal Period. Note that, for testing purposes, this guide assumes a validity period of four hours and a renewal period of one hour for auto-renewal.
10. Switch to the Security tab and click Add. This opens the Select User, Computers, Service Accounts, or Groups dialog.
11. Enter the name of the machine hosting the Online Responder service. In this case, the machine name is OCSPSERV.
12. Click OK, and another dialog will appear as the system attempts to locate the machine.
13. Click Object Types, select the Computers check box, and click OK.
14. Re-enter OCSPSERV in the Select User, Computers, Service Accounts, or Groups dialog and click OK. The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.
15. Click OCSPSERV in the Group and user names area.
16. Select the Read, Enroll, and Autoenroll check boxes.
17. Ensure that the Read, Write, Enroll, and Autoenroll check boxes are also selected for both Domain Admins and Enterprise Admins. Click Apply.
18. Switch to the Cryptography tab and select the Requests must use one of the following providers radio button. The dialog below the radio button will become active.
19. Choose SafeNet Key Storage Provider from the available options.
20. Click Apply and then OK to save your settings.
Configure certificate templates using SafeNet CSP
To set up certificate templates using SafeNet CSP, follow these steps:
Note
Ensure that you have registered the CSP on both the OCSPCA and OCSPSERV systems.
1. Log in to OCSPCA as a domain administrator.
2. Click the Search menu, type MMC, and press Enter to open the console.
3. In the MMC console, select File and choose Add/Remove Snap-in.
4. In the Add or Remove Snap-Ins dialog box, locate and select the Certificate Templates snap-in from the Available snap-ins section.
5. Click Add, and then click OK.
6. Within the Console Root, expand the Certificate Templates snap-in to view a list of all the certificate templates that the CA is capable of issuing.
7. Scroll down the list of certificate templates until you find the OCSP Response Signing template. Right-click the OCSP Response Signing Template and select Duplicate Template.
8. In the pop-up dialog box, click the Compatibility tab.
9. In Compatibility Settings, under Certificate Authority, select Windows Server 2003. This action will prompt the Resulting Changes to appear. Confirm your selection by clicking OK.
10. Under Certificate recipient, select Windows XP / Server 2003. The Resulting Changes window will appear. Click OK.
11. Click the General tab. Enter the name of the template in Template display name.
12. Select the Publish Certificate in the Active Directory check box.
13. Specify the desired Validity Period and Renewal Period. For testing purposes, this guide assumes a validity period of four hours and a renewal period of one hour for auto-renewal.
14. Click Security and select Add. This opens the Select User, Computers, Service Accounts, or Groups dialog.
15. Enter the name of the machine (OCSPSERV) hosting the Online Responder service.
16. Click Object Types, select the Computers check box, and click OK.
17. Re-enter OCSPSERV in the Select User, Computers, Service Accounts, or Groups dialog and click OK.
18. Click OCSPSERV in the Group and user names area.
19. Select the Read, Enroll, and Autoenroll check boxes.
20. Ensure that the Read, Write, Enroll, and Autoenroll check boxes are selected for both Domain Admins and Enterprise Admins. Click Apply.
21. Click the Cryptography tab and select the Requests must use one of the following providers radio button. The dialog below the radio button will become active.
22. Choose Luna Cryptographic Services for Microsoft Windows from the available options.
23. Click Apply and then OK.
Configure the CA to Support the Online Responder Service
After configuring the certificate templates and issuing properties for OCSP Response Signing Certificates, proceed with the following steps to configure the CA for supporting the Online Responder service:
1. Sign in to OCSPCA as a domain administrator.
2. From the Start menu, navigate to Administrative Tools, and click Certification Authority.
3. In the console tree on the left, click the name of your Certification Authority (CA).
4. Open the Action menu and select Properties.
5. Click the Security tab and then select Add. This action will open the Select User, Computers, Service Accounts, or Groups dialog.
6. Enter the name of the machine hosting the Online Responder service, such as OCSPSERV.
7. Click OK. If the system cannot locate the machine, another dialog will appear.
8. Click Object Types, select the Computers checkbox, and click OK.
9. Enter OCSPSERV once again in the Select User, Computers, Service Accounts or Groups dialog and click OK. The machine hosting the Online Responder will be added to the Group and user names section under the Security tab.
10. Click OCSPSERV in the Group and user names area. In the Permissions section, select the Request Certificate checkbox.
11. Ensure that the Issue and Manage Certificates, Manage CA, and Request Certificates checkboxes are selected for Domain Admins, Enterprise Admins, and Administrators.
12. Move to the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
13. Click Add. In the Add Location dialog, type http://<computer_name_hosting_OCSP>/ocsp under Location. For example, if you are using OCSPSERV, the address would be http://OCSPSERV/ocsp.
14. Click OK.
15. Ensure that the recently added URL is highlighted.
16. Select both the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension checkboxes.
17. Click Apply and confirm the restart of Active Directory Certificate Services by selecting Yes.
18. After the services restart, click OK.
19. In the Certification Authority snap-in's console tree, right-click Certificate Templates, and select New Certificate Templates to Issue.
20. In the Enable Certificate Templates dialog, select the OCSP Response Signing template and any other previously configured certificate templates. Click OK.
21. Open Certificate Templates in the Certification Authority to verify that the modified certificate templates are included in the list.
Create a revocation configuration
A revocation configuration includes all of the settings required to respond to status requests regarding certificates issued by a specific CA key. To create a revocation configuration, you need to modify the online responder service to use Luna HSMs, and then set up the revocation configuration.
Modify online responder service to use Luna HSMs
To use OCSP with Luna HSMs or Luna Cloud HSM services and protect OCSP signing keys, configure the online responder service. Here's how:
1. Log in to OCSPSERV as a domain administrator.
2. From the Start menu, go to Administrative Tools and select Services.
3. Locate the Online Responder Service in the list of services.
4. Right-click the Online Responder Service and choose Properties.
5. In the dialog box, select the Log On tab.
6. Under Log on as, choose the Local System Account radio button and enable the Allow services to interact with desktop checkbox.
7. Click Apply and then OK.
8. Return to the services window. Right-click the Online Responder Service and select Restart. Wait for the service to start again and then close the services window.
Set up revocation configuration
Once the online responder service is configured to use the HSM for protecting the OCSP signing keys, you can set up the certificate revocation configuration. Follow these steps:
1. Log in to OCSPSERV as a domain administrator.
2. From the Start menu, select Administrative Tools and click Online Responder Management.
3. In the left-hand pane, choose Revocation Configuration.
4. In the right-hand pane, under Actions, click Add Revocation Configuration. A dialog window appears.
5. In the Getting Started with Adding a Revocation Configuration section, click Next.
6. In the Name the Revocation Configuration section, provide a name for the configuration (e.g., Test) and click Next.
7. In the Select CA Certificate Location window, ensure the Select a certificate for an Existing enterprise CA radio button is selected and click Next.
8. In the Choose CA Certificate section, select the Browse CA certificates published in Active Directory radio button and click Browse.
9. In the Select Certification Authority dialog box, choose the CA (in this case OCSPCA) and click OK. Click Next.
10. In the Select Signing Certificate window, accept the default setting Automatically select a signing certificate and check the Auto-enroll for OCSP signing certificate checkbox. Click Next.
11. In the Revocation Provider window, click Finish. Once the wizard completes, the Revocation Configuration Status Box will display the Online Responder status as Bad Signing on Array Controller.
12. To resolve this, click Revocation Configuration in the left-hand pane. The certificate will be visible in the right pane.
13. Right-click the certificate and select Edit Properties.
14. Click the Signing tab. Uncheck the Do not prompt for credentials for cryptographic operations box. Click OK.
15. Return to the Online Responder Management tool. Open Actions and click Refresh.
16. In the left-hand pane, click Online Responder: Computer Name and ensure that the Revocation Configuration Status Box shows Working.
Verify auto-enrollment
To verify the successful auto-enrollment of a newly generated certificate, you need to verify a generated certificate and key pair, and then verify a renewed certificate and key pair.
Verify a generated certificate and key pair
1. Log in to OCSPSERV as a domain administrator.
2. Press the Windows key, type MMC, and press Enter to open the console.
3. In the MMC console, go to File and select Add/Remove Snap-in...
4. In the Add or Remove Snap-Ins dialog box, find the Certificates snap-in under the Available snap-ins section and select it.
5. Click Add, choose Service Account, and click Next.
6. Select Local Computer, and click Next.
7. Under Certificate Snap-in, click Online Responder Services in Service Account and click Finish.
8. Click OK and expand the Online Responder Services tree.
9. Expand OCSPSvc\CertificateName (for instance, OCSPSvc_test_) and then double-click Certificates.
10. A certificate will be presented. Double-click the certificate to view its properties.
11. Click the Details tab and verify the Valid From and Valid To dates of the certificate, which should indicate that the certificate expires within the next four hours.
The Luna HSM partition should show the key pair for the CA certificate and online responder service certificate. Wait for four hours to confirm the auto-renewal of the certificate since the certificate's validity period is set to four hours.
Verify a renewed certificate and key pair
After four hours have passed, you can check if the Valid From and Valid To dates of the certificate have been updated. The new certificate should be valid for the next four hours, and a new key pair for the renewed certificate should be generated within the Luna HSM partition. This process demonstrates that the certificate renews automatically every four hours.
Note
The four-hour validity period is for testing purposes. In a production environment, it is recommended to set the validity periods as required by your organization's security policies.
Validate OCSP Integration
To confirm the proper functioning of OCSP after integrating with Luna HSM or Luna Cloud HSM service, follow these steps:
Generate a certificate request
To generate a certificate request, follow these steps:
1. Log in to the OCSPCL machine.
2. Create a certificate request using the following recommended template structure. You may use different cryptographic service providers.
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=OCSPCL"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "<Provider_to_be_used>"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
3. Save the template as a file named test.inf, ensuring that the ProviderName value is enclosed in quotation marks.
4. Open a command prompt window and execute the following command:
certreq -new test.inf test.req
This command generates a certificate request named test.req.
5. Execute the following command in the command prompt:
certreq -submit -attrib "CertificateTemplate:WebServer" test.req
6. A popup window appears, asking you to choose the appropriate CA to use. Select the OCSPCA entry and click OK.
7. Save the certificate file and click OK. After a brief pause, the message Certificate Successfully Generated appears on the command prompt, and a certificate file is generated.
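The request and submission steps above can be scripted so that the same test runs identically on every client and fails loudly instead of silently. The following PowerShell script is an added example, not part of the Thales guide. It assumes the KSP is registered under the name "SafeNet Key Storage Provider" (the name this guide uses), and $CaConfig is a placeholder for "<CA host>\<CA name>"; when it is supplied, certreq -config selects the CA directly instead of showing the pop-up in step 6.

```powershell
# Added example, not part of the Thales guide: scripted version of the
# request/submit steps, run on OCSPCL from an elevated PowerShell window.

function New-OcspTestRequest {
    param(
        [string]$ProviderName = 'SafeNet Key Storage Provider',   # assumed KSP name
        [string]$Subject      = 'C=IN,CN=OCSPCL',
        [string]$WorkDir      = (Join-Path $env:TEMP 'ocsp-test')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $infPath = Join-Path $WorkDir 'test.inf'
    $reqPath = Join-Path $WorkDir 'test.req'

    # Same template as the guide. A single-quoted here-string keeps "$Windows NT$"
    # literal; the placeholders are swapped in afterwards.
    $inf = @'
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "__SUBJECT__"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "__PROVIDER__"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
'@
    $inf.Replace('__PROVIDER__', $ProviderName).Replace('__SUBJECT__', $Subject) |
        Set-Content -Path $infPath -Encoding ASCII

    # The key pair is generated by the named provider, so with the SafeNet KSP
    # the private key is created in the HSM partition rather than on disk.
    & certreq -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $reqPath
}

function Submit-OcspTestRequest {
    param(
        [Parameter(Mandatory)][string]$RequestPath,
        [string]$Template = 'WebServer',
        [string]$CaConfig        # e.g. 'OCSPCA\<CA_NAME_PLACEHOLDER>'; omit to get the CA pop-up
    )
    $certPath = [IO.Path]::ChangeExtension($RequestPath, '.cer')
    $certreqArgs = @('-submit', '-attrib', "CertificateTemplate:$Template")
    if ($CaConfig) { $certreqArgs += @('-config', $CaConfig) }
    $certreqArgs += @($RequestPath, $certPath)

    & certreq @certreqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
    return $certPath
}

$req  = New-OcspTestRequest
$cert = Submit-OcspTestRequest -RequestPath $req
Write-Host "Issued certificate saved to $cert"
```

Both functions throw on a non-zero certreq exit code, so a missing KSP registration on the client (the most common reason certreq -new fails here) stops the script before a request is ever submitted to the CA.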
Verify the certificate's origin
To verify the certificate's origin, follow these steps:
1. Log on to OCSPCA and go to the Certification Authority tool by navigating to Start -> Administrative Tools -> Certification Authority.
2. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, right-click the Revoked Certificates folder, point to All Tasks, and click Publish.
3. Select New CRL and click OK.
4. Open the Certification Authority snap-in and right-click the CA. Click Properties.
5. On the Extensions tab, verify that the extension is set to CRL Distribution Point (CDP) in the drop-down menu. Select any listed CRL distribution points, click Remove, and click OK.
6. Click Apply and a dialog will appear, prompting you to restart the service.
7. Click OK and wait for the service restart.
8. Verify that clients can still obtain revocation data. Execute the following on OCSPCL:
certutil -url test.cer
9. The URL Retrieval Tool dialog will appear. Select the CRLs (From CDP) radio button and then click Retrieve.
10. Select the OCSP (From AIA) radio button and click Retrieve. Check the list for an OCSP entry with the web address of the OCSP server. If everything is functioning properly, you'll see the word Verified in the first column of the list.
11. Select the Certs (from AIA) radio button and click Retrieve. One or two entries should be listed, with Verified next to them.
Note
If Certificate Authority Web Enrollment is not installed on the CA, you might see an entry with AIA displayed as Failed in the Certs (from AIA) section. However, as long as at least one entry in the Certs (from AIA) section is marked as Verified, it indicates a successful setup with no issues to be concerned about.
Verify OCSP integration
This procedure helps you verify that the OCSP service is operating without errors following integration with Luna HSM or Luna Cloud HSM service. Ensure you check for the specific section in the output to confirm that the OCSP service is returning a Good certificate status. Follow these steps:
1Open a command prompt and execute the following command:
certutil -verify test.cer > test.txt
2After the command has completed execution, open the test.txt file and confirm that the output is structured as follows:
Issuer:
    CN=Integration-OCSPSERV-CA
    DC=Integration
    DC=com
Subject:
    CN=OCSPCL
    C=IN
Cert Serial Number: 611362e4000000000003

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 42 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  NotBefore: 5/23/2013 3:55 PM
  NotAfter: 5/23/2015 3:55 PM
  Subject: CN=OCSPCL, C=IN
  Serial: 611362e4000000000003
  Template: WebServer
  f0 e3 6b 9f f4 59 a6 64 18 f4 6f f6 a1 90 52 5b a3 3a 40 8c
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 02:
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  c1 32 12 a5 2f 82 d9 69 06 c0 28 1c 75 9d b1 5b 4c c5 4f 6d
  Delta CRL 02:
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  b1 63 03 a3 b8 d0 c5 41 7c d9 2c 3f ae 87 b4 a3 27 bd e7 73
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  NotBefore: 5/23/2013 3:30 PM
  NotAfter: 5/23/2018 3:40 PM
  Subject: CN=Integration-OCSPSERV-CA, DC=Integration, DC=com
  Serial: 6236c444f91af2a04fafdd311517307a
  c3 3b 1c 6a 7f 07 3d f9 63 2a d1 fd 62 ca eb 16 e5 04 0a d3
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  e9 a1 9d 87 ea 5f 8b 9f b1 cc 2d d5 3a 55 f2 d1 12 14 b8 a2
Full chain:
  e5 79 bc 47 e8 b8 05 11 fa e4 0d 47 a8 3e 73 99 3d df cf 4f
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
3Ensure that the following lines are present in the output:
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
These lines confirm that the certificate chain was built and that revocation checking succeeded. The critical element is the Leaf certificate revocation check passed line, which indicates that a Good status was obtained for the leaf certificate. Note that certutil -verify accepts either a CRL or an OCSP response as evidence: the CRL 02 and Delta CRL 02 entries in the dump show that the chain engine also had the CA's CRLs available, so this line on its own does not prove that the Online Responder answered. To see which source was actually used, run certutil -url test.cer as in the previous section, or add the -urlfetch option to the verify command, which lists every AIA, CDP and OCSP retrieval together with its status. If the output lacks the Leaf certificate revocation check passed line or reports errors, restart both the OCSP server and the client machine, then rerun the verify command on the certificate file and compare the output again.
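The two manual checks above (certutil -url in the previous section and certutil -verify here) are the ones you will want to repeat after every CRL publication, CDP change or HSM partition change. The PowerShell script below is an added example, not part of the original guide, that runs them non-interactively on OCSPCL and fails if the expected lines are absent or if no OCSP retrieval succeeded. It assumes test.cer is an end-entity certificate issued by the CA whose AIA names the Online Responder and that certutil.exe is on PATH; the Verified "OCSP" and Failed "OCSP" markers it searches for are certutil's retrieval-status wording as produced with -urlfetch and are an assumption to confirm against your own report.

```powershell
# Added example, not part of the original guide: run the certutil verification
# checks non-interactively and report whether the Online Responder was actually used.
# Assumptions: test.cer was issued by the CA, its AIA points at the Online Responder,
# and certutil.exe is on PATH.
param(
    [string]$CertPath   = ".\test.cer",
    [string]$ReportPath = ".\test.txt"
)

# 1. Drop cached CRLs and OCSP responses. CryptoAPI reuses a cached response until
#    it expires, so without this a run can succeed on data fetched before the
#    Online Responder or the HSM-backed signing key was reconfigured.
certutil -urlcache * delete | Out-Null

# 2. Build and verify the chain. -urlfetch makes certutil retrieve every AIA, CDP
#    and OCSP URL in the certificate and report each retrieval's status, which is
#    what the interactive URL Retrieval Tool shows in the previous section.
$output = certutil -verify -urlfetch $CertPath | Out-String
Set-Content -Path $ReportPath -Value $output

# 3. Lines the guide says must be present in the report.
$required = @(
    "Leaf certificate revocation check passed",
    "CertUtil: -verify command completed successfully."
)
$missing = @($required | Where-Object { $output -notmatch [regex]::Escape($_) })

# 4. Revocation checking also passes when only a CRL was reachable, so look
#    separately for the OCSP retrieval lines. certutil reports each OCSP URL as
#    Verified "OCSP" or Failed "OCSP" (assumed wording; confirm against the report).
$ocspVerified = [regex]::Matches($output, 'Verified\s+"OCSP"').Count
$ocspFailed   = [regex]::Matches($output, 'Failed\s+"OCSP"').Count

if ($missing.Count -eq 0 -and $ocspVerified -gt 0 -and $ocspFailed -eq 0) {
    Write-Host "PASS: $CertPath chain verified and the Online Responder answered"
    exit 0
}

Write-Host "FAIL: see $ReportPath"
foreach ($line in $missing) { Write-Host "  missing: $line" }
if ($ocspVerified -eq 0) { Write-Host "  no successful OCSP retrieval; a CRL may have masked a responder failure" }
if ($ocspFailed -gt 0)   { Write-Host "  $ocspFailed OCSP retrieval(s) failed" }
exit 1
```

The cache flush in step 1 is the reason for running this as a script rather than by hand: a responder whose signing key has become unreachable on the HSM can go unnoticed for as long as clients keep a cached response, and a verify run that reuses that cache will still print Leaf certificate revocation check passed.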
Troubleshooting
Resolve issues with online responder and certificate configuration, such as bad signing certificates, AIA errors, unrecognized certificate authorities, and provider-specific errors.
Bad signing certificate on array controller
Problem: The Online Responder reports a Bad signing certificate on array controller error.
Possible Reason: The Online Responder cannot find a valid signing certificate for the revocation configuration, typically because it cannot locate the CA certificate that the configuration refers to.
Solution: Verify that you have correctly followed the steps outlined in the Create revocation configuration section. Make sure the CA is properly configured and that a valid OCSP Response Signing certificate exists for it. Also confirm that the private key of that signing certificate can still be opened from the Online Responder host, that is, that the Luna HSM partition or Luna Cloud HSM service holding the key is registered and reachable; a signing certificate whose key cannot be opened is unusable even though the certificate itself is present.
Failed entry in certutil -url output for Certs (from AIA)
Problem: When running certutil -url <certnamehere.cer> and choosing Certs (from AIA), you encounter an entry marked as Failed.
Possible Reason: This entry appears when Certificate Authority Web Enrollment is not installed on the CA, so the AIA URL that points at the CA's web server cannot be retrieved.
Solution: Install Certificate Authority Web Enrollment on the CA machine. An AIA failure does not affect the OCSP setup as long as at least one entry under Certs (from AIA) is marked as Verified.
Unrecognized/untrusted CA
Problem: Newly generated certificates from the CA are reported as untrusted.
Possible Reason: The CA's certificate is not present in the Trusted Root Certification Authorities store of the machine performing the check.
Solution: Install the CA certificate, not the newly generated end-entity certificate, into the Trusted Root Certification Authorities store. Double-click the CA certificate. Under the General tab, click Install Certificate.... On the first screen, choose Local Machine if a service such as the Online Responder (rather than the interactive user) needs to trust the CA, and click Next. Select the radio button next to Place all certificates in the following store and click Browse. In the Select Certificate Store window, select Trusted Root Certification Authorities and click OK. After the window disappears, click Next, and on the next window, click Finish. In an Active Directory domain, prefer publishing the CA certificate through Group Policy over installing it by hand, and only install a CA certificate whose thumbprint you have verified out of band: anything placed in this store can issue certificates the machine will trust.
"Invalid Provider Specified" error when using certreq -new command
Problem: Running the certreq -new <request .inf file> <.req file here> command results in an Invalid Provider Specified error.
Possible Reason: The ProviderName given in the request file does not match any Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) registered on the client machine, usually because the SafeNet Luna providers are not correctly installed and set up.
Solution: Ensure that the SafeNet Luna CSP or CNG providers are correctly installed and configured (you can use the CSP Install Wizard and CNG Configuration Wizard under the Luna HSM Installation folder), and that the provider name in the request file matches the registered name exactly; certutil -csplist lists the providers registered on the machine. Alternatively, you can use the Microsoft Cryptographic Service Provider or any other registered provider on the client machine, bearing in mind that a key created with a software provider is not protected by the HSM.
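Because the error is a plain name mismatch, the cheapest way to avoid it is to check the registered provider names before writing the request file. The PowerShell script below is an added example, not part of the original guide, that compares the intended provider against the output of certutil -csplist, writes a certreq .inf whose key is generated behind that provider, and only then calls certreq -new. The provider name "SafeNet Key Storage Provider", the subject, and the OCSP Response Signing usage in the .inf are assumptions for illustration; take the exact provider string from certutil -csplist on your own host.

```powershell
# Added example (not from the guide): fail early on an unregistered provider
# instead of letting certreq -new report "Invalid Provider Specified".
# Assumptions: the Luna CNG KSP is registered as "SafeNet Key Storage Provider"
# (assumed name; copy the exact string from certutil -csplist), and the request
# is for an OCSP Response Signing certificate whose key must live on the HSM.
param(
    [string]$ProviderName = "SafeNet Key Storage Provider",
    [string]$Subject      = "CN=OCSPSERV.Integration.com",
    [string]$InfPath      = ".\ocspsigning.inf",
    [string]$ReqPath      = ".\ocspsigning.req"
)

# certutil -csplist prints one "Provider Name: <name>" line per registered
# CSP/KSP. certreq compares the name exactly, so the check is case-sensitive.
$registered = certutil -csplist |
    ForEach-Object { if ($_ -match '^\s*Provider Name:\s*(.+?)\s*$') { $Matches[1] } }

if ($registered -cnotcontains $ProviderName) {
    Write-Host "Provider '$ProviderName' is not registered. Registered providers:"
    $registered | ForEach-Object { Write-Host "  $_" }
    Write-Host "Run the Luna CSP Install Wizard / CNG Configuration Wizard, then retry."
    exit 1
}

# Request file: the key is generated by the named provider (on the HSM), is not
# exportable, belongs to the machine key set, and carries the OCSP Signing EKU
# (1.3.6.1.5.5.7.3.9). KeyUsage 0x80 is digitalSignature.
$inf = @"
[NewRequest]
Subject = "$Subject"
ProviderName = "$ProviderName"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0x80
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.9
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) {
    Write-Host "certreq -new failed (exit $LASTEXITCODE); check provider configuration and partition access."
    exit $LASTEXITCODE
}
Write-Host "Request written to $ReqPath; submit it to the CA with certreq -submit."
```

Exportable = FALSE matters beyond the error being troubleshot here: it is what keeps the OCSP signing key confined to the Luna partition, which is the point of the integration. If certreq still fails after the provider name matches, the remaining causes are on the HSM side (partition not registered for this host, or the service account unable to open it), not in the .inf.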