Creating a revocation configuration
This section describes how to create a revocation configuration.
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. To create a revocation configuration, complete the steps described below.
Modify Online Responder service to use ProtectServer 3 HSMs
To use OCSP in conjunction with ProtectServer 3 HSMs, configure the Online Responder service to use the HSM to protect the OCSP signing keys.
To modify the Online Responder service to use ProtectServer 3 HSMs
- Log on to OCSPSERV as a domain administrator.
- From the Start menu select Administrative Tools and then select Services.
- Locate the Online Responder Service in the list of services.
- Right-click on the Online Responder Service and select Properties.
- In the dialog box select the Log on tab.
- Under Log on as, select the Local System account radio button and then select the Allow service to interact with desktop check box.
- Select Apply and then OK.
- Return to the Services window. Right-click the Online Responder Service and select Restart. Wait for the service to restart, then close the Services window.
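The same service change, scripted. This is an added example and not part of the Thales guide; it assumes the Online Responder service name OcspSvc (the name Windows registers for the Online Responder Service) and must be run from an elevated PowerShell session on OCSPSERV.

```powershell
# Added example (not from the original guide): put the Online Responder Service
# (service name OcspSvc) under the Local System account with desktop interaction
# enabled, restart it, and verify the result. Run elevated on OCSPSERV.
$ServiceName = 'OcspSvc'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    throw "Online Responder Service ($ServiceName) is not installed on this host"
}

# Win32_Service.Change only modifies the arguments that are supplied.
# StartName 'LocalSystem' is the "Local System account" radio button;
# DesktopInteract is the "Allow service to interact with desktop" check box.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName       = 'LocalSystem'
    StartPassword   = ''        # Local System has no password
    DesktopInteract = $true
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# Equivalent to Right-click > Restart in the Services console.
Restart-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Re-read the service and show what the Log on tab would now display.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName, DesktopInteract
```

A non-zero ReturnValue from Change is the scripted equivalent of the Properties dialog refusing the change (for example 2 for access denied when the session is not elevated), so check it before restarting. Note that the desktop-interaction setting is honoured only on Windows versions that still permit interactive services; the guide's steps assume such a version.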
Set up revocation configuration
Once the Online Responder Service is configured to use the HSM to protect the OCSP signing keys, set up the certificate revocation configuration.
To set up the revocation configuration
- Log on to OCSPSERV as a domain administrator.
- From the Start menu, select Administrative Tools and then select Online Responder Management.
- In the left-hand pane select Revocation Configuration.
- In the right-hand pane, under Actions, select Add Revocation Configuration. A dialog window displays.
- In the Getting started with adding a revocation configuration section, select Next.
- In the Name the Revocation Configuration section, enter a name for the configuration in the text box (for example, "Test"). Select Next.
- In the Select CA Certificate Location window, ensure that the Select a certificate for an Existing enterprise CA radio button is selected and select Next.
- In the Choose CA Certificate section, ensure that the Browse CA certificates published in Active Directory radio button is selected and then select Browse.
- In the Select Certification Authority dialog box, select the CA (in this case OCSPCA) and select OK. Select Next.
- In the Select Signing Certificate window, accept the default setting Automatically select a signing certificate and select the Auto-enroll for OCSP signing certificate check box. Select Next.
- In the Revocation Provider window, select Finish.
Once the wizard completes, the Revocation Configuration Status Box displays the Online Responder status. At this point the status reads Bad Signing Certificate on Array Controller, because the responder cannot yet use the HSM-protected signing key. Correct this as follows.
- Select Revocation Configuration in the left-hand pane. The configuration displays in the right-hand pane.
- Right-click on the configuration and select Edit Properties.
- Select the Signing tab. Clear the Do not prompt for credentials for cryptographic operations check box. Select OK. With this check box cleared the responder can present the HSM credential prompt that the ProtectServer key storage provider requires when it signs responses; this is why the service was allowed to interact with the desktop earlier.
- Return to the Online Responder Management tool. Open Actions and select Refresh.
- In the left-hand pane select Online Responder: Computer Name and verify that the Revocation Configuration Status Box displays Working.
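The post-wizard fix, done through the Online Responder administration COM API instead of the console, so that it can be scripted and checked. This is an added example and not part of the Thales guide; it assumes the revocation configuration is named "Test" as in the walkthrough, that it is run elevated on OCSPSERV by an OCSP administrator, and that the signing-flag bit values match the OCSPSigningFlags enumeration in certadm.h.

```powershell
# Added example (not from the original guide): use CertAdm.OCSPAdmin to inspect
# the revocation configuration created above, clear the "Do not prompt for
# credentials for cryptographic operations" flag (OCSP_SF_SILENT), keep the two
# wizard options from the walkthrough set, and re-read the configuration's error
# state. Run elevated on the Online Responder (OCSPSERV).
$ConfigName = 'Test'                  # name given in the wizard (assumption)
$Server     = $env:COMPUTERNAME       # the Online Responder itself

# Bit values from the OCSPSigningFlags enumeration (certadm.h).
$OCSP_SF_SILENT                           = 0x001  # "Do not prompt for credentials ..."
$OCSP_SF_AUTODISCOVER_SIGNINGCERT         = 0x020  # "Automatically select a signing certificate"
$OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x400  # "Auto-enroll for OCSP signing certificate"

function Get-RevocationConfig([object]$Admin, [string]$Name) {
    # Enumerate rather than index by name so a missing entry yields $null, not a COM error.
    foreach ($c in $Admin.OCSPCAConfigurationCollection) {
        if ($c.Identifier -eq $Name) { return $c }
    }
    return $null
}

$admin = New-Object -ComObject CertAdm.OCSPAdmin
$admin.GetConfiguration($Server, $true)   # $true: read the live state, not a cached copy

$cfg = Get-RevocationConfig $admin $ConfigName
if (-not $cfg) { throw "No revocation configuration named '$ConfigName' on $Server" }

"Before: SigningFlags=0x{0:X} CSP='{1}' ErrorCode=0x{2:X8}" -f `
    $cfg.SigningFlags, $cfg.CSPName, $cfg.ErrorCode

# Clearing OCSP_SF_SILENT is the scripted form of clearing the check box on the
# Signing tab; the other two bits are the wizard defaults chosen above.
$cfg.SigningFlags = ($cfg.SigningFlags -band (-bnot $OCSP_SF_SILENT)) `
                    -bor $OCSP_SF_AUTODISCOVER_SIGNINGCERT `
                    -bor $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT
$admin.SetConfiguration($Server, $true)   # $true: apply to the running responder now

# Re-read, as Actions > Refresh does in the console, and report the new state.
$admin.GetConfiguration($Server, $true)
$cfg = Get-RevocationConfig $admin $ConfigName
"After:  SigningFlags=0x{0:X} ErrorCode=0x{1:X8}" -f $cfg.SigningFlags, $cfg.ErrorCode
if ($cfg.ErrorCode -ne 0) {
    Write-Warning "Configuration '$ConfigName' still reports an error; check the Signing tab and the HSM credential prompt."
}
```

ErrorCode is the HRESULT the console turns into the status text, so a value of 0 after the refresh is the scripted counterpart of seeing Working in the Revocation Configuration Status Box; a non-zero value means the responder still cannot sign with the HSM-protected key and the Signing tab (or the HSM session itself) needs attention.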