Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Microsoft Online Certificate Status Protocol (OCSP)

Configuring CA to issue OCSP response signing certificates

search
printsuggest an edit

Configuring CA to issue OCSP response signing certificates

This section describes how to configure the CA to support the Online Responder service.

To configure the CA to support the Online Responder service, configure the certificate templates and issuing properties for OCSP Response Signing Certificates.

Note

If you have installed the CA and OCSP on same machine then you need to complete this procedure on OCSPSERV to configure OCSP Response Signing Certificate.

copy link to clipboardTo configure certificate templates using SafeNet KSP

  1. Log on to OCSPCA as a domain administrator.

  2. Select Search, enter MMC, and press Enter to open the console.

  3. In the mmc console, select File and Add/Remove Snap-in….

  4. In the Add or Remove Snap-Ins dialog box, select the Certificate Templates snap-in (under the Available snap-ins section).

  5. Select Add and OK.

  6. Under Console Root, expand the Certificate Templates snap-in. The middle section lists all of the available certificate templates that CA can issue.

  7. Scroll down the list until you locate the OCSP Response Signing template. Right-click the template and select Properties. The Template properties dialog displays.

  8. Select the General tab and the Publish Certificate in the Active Directory check box.

  9. Set the Validity Period and Renewal period.

    Note

    For testing purpose, this guide assumes the Validity period and Renewal period for four hours and one hour for Auto Renewal.

  10. Select the Security tab and Add.

    The Select User, Computers, Service Accounts, or Groups dialog displays.

  11. Enter the name of the machine which is hosting the Online Responder service. In this case, the machine name is OCSPSERV.

  12. Select OK.

    The system should not be able to locate the machine, instead another dialog displays.

  13. Select Object Types, the Computers check box, and then OK.

  14. Re-enter OCSPSERV in the Select User, Computers, Service Accounts, or Groups dialog and select OK. The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.

  15. Select on OCSPSERV in the Group and user names area.

  16. Select the Read, Enroll, and Autoenroll check boxes.

  17. Ensure that the Read, Write, Enroll and Autoenroll check boxes are selected for both Domain Admins and Enterprise Admins, and select Apply.

  18. Select the Cryptography tab. Select the Requests must use one of the following providers radio button. The dialog below the radio button activates.

  19. Select SafeNet Key Storage Provider.

  20. Select Apply and OK.

copy link to clipboardTo configure the CA to support the Online Responder service

  1. Log on to OCSPCA as a domain administrator.

  2. From the Start menu, select Administrative Tools and Certification Authority.

  3. In the console tree (left-hand section), select the CA name.

  4. Open the Action menu and select Properties.

  5. Select the Security tab and Add.

    The Select User, Computers, Service Accounts, or Groups dialog displays.

  6. Enter the name of the machine which is hosting the Online Responder service. In this case, the machine name is OCSPSERV.

  7. Select OK.

    The system should not be able to locate the machine, instead another dialog displays.

  8. Select Object Types, the Computers checkbox, and OK.

  9. Re-enter OCSPSERV in the Select User, Computers, Service Accounts or Groups dialog and select OK.

    The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.

  10. Select OCSPSERV in the Group and user names area.

  11. In the Permissions area, select the Request Certificate check box.

  12. Ensure that the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes are selected for Domain Admins, Enterprise Admins, and Administrators.

  13. Select Extensions > Authority Information Access (AIA).

  14. Select Add. In the Add Location dialog type under Location.

    http://<computer_name_hosting_OCSP>/ocsp.

    For example, the address when using OCSPSERV would be http://OCSPSERV/ocsp.

  15. Select OK.

  16. On the Extensions tab

    1. Ensure that the recently added URL is highlighted.

    2. Ensure that the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes are selected.

  17. Select Apply and Yes to restart the Active Directory Certificate Services.

  18. When the services restarts, select OK.

  19. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then select New Certificate Templates to Issue.

  20. In Enable Certificates Templates, select the OCSP Response Signing template, any other previously configured certificate templates, and then OK.

  21. Open Certificate Templates in the Certification Authority and verify that the modified certificate templates are included in the list.

On this page