Validating OCSP integration
To validate that OCSP is operating properly after integration with a ProtectServer 3 HSM, complete the steps below in order: generate and issue a test certificate, test the certificate's origin, then verify the OCSP integration against that certificate.
Generate a certificate request
You must first generate a certificate request.
To generate a certificate request
- Log on to the OCSPCL machine and generate a certificate request. Thales recommends using the template structure shown below. (Try cryptographic service providers from different vendors; the client request does not need to use the same provider as the CA.)
- Save the above template as a test.inf file. Ensure that the ProviderName value is enclosed in quotation marks.
- Open a command prompt window and execute the following command. A certificate request called test.req is generated:
- Execute the following command in the command prompt. A window displays asking which CA to use. Select the OCSPCA entry and select OK:
- A dialog displays prompting you to save the certificate to a file.
- Save the certificate file and select OK. After a short pause, the message "Certificate Successfully Generated" displays in the command prompt and a certificate file is generated.
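The request and issue steps above, scripted end to end as an added example (this is not the Thales guide's own template or commands). The subject name, the certificate template, the provider name and the CA config string are assumptions for a lab; substitute your own. Run it from an elevated PowerShell prompt on OCSPCL, because MachineKeySet = TRUE stores the key in the machine key store.

```powershell
# Added example, not from the Thales guide: script the certificate request and
# submission on OCSPCL. Assumed values (replace for your environment): subject,
# certificate template, provider name, and the CA config string below.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'ocsp-test'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# certreq INF template. ProviderName must stay inside quotation marks.
# The provider below is an assumption; substitute any CSP/KSP you want to
# exercise against the OCSP setup. KeyUsage 0xA0 = digitalSignature + keyEncipherment.
# [RequestAttributes] is needed when OCSPCA is an enterprise CA; omit for a standalone CA.
@'
[NewRequest]
Subject = "CN=ocsp-test-client"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft Software Key Storage Provider"

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path .\test.inf -Encoding Ascii

# Build test.req from the INF (the key pair is generated by the named provider).
certreq -new .\test.inf .\test.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit the request to the CA and save the issued certificate as test.cer.
# -config is an assumption (host\CA name); leave it out to get the CA-picker
# dialog described in the procedure above.
$caConfig = 'OCSPCA.example.local\OCSPCA'
certreq -submit -config $caConfig .\test.req .\test.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# Check before continuing: the issued certificate must carry an OCSP access
# method (OID 1.3.6.1.5.5.7.48.1) in its Authority Information Access extension,
# otherwise clients will never consult the responder. This relies on certutil's
# text output, which prints the OID next to the access method.
$dump = certutil -dump .\test.cer
if (-not ($dump | Select-String -SimpleMatch '1.3.6.1.5.5.7.48.1')) {
    throw 'test.cer has no OCSP access method in its AIA extension; fix the CA AIA settings and reissue'
}
# Show the AIA/CDP URLs the client will use, for a quick eyeball check.
$dump | Select-String -SimpleMatch 'URL=' | ForEach-Object { $_.Line.Trim() }
```

If the AIA check throws, the OCSP URL was not configured on the CA before the certificate was issued; changing CA extension settings afterwards only affects certificates issued from that point on, so the test certificate has to be requested again.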
Test the certificate’s origin
After generating a certificate request, test the certificate's origin.
To test the certificate’s origin
- Log on to OCSPCA and open the Certification Authority tool by navigating to Start > Administrative Tools > Certification Authority.
- In the Certification Authority snap-in, publish a new CRL: in the console tree, expand Certification Authority (Computer) > CA name > Revoked Certificates, right-click the Revoked Certificates folder, point to All Tasks, and select Publish.
- Select New CRL and select OK.
- In the Certification Authority snap-in, right-click the CA and select Properties.
- On the Extensions tab, verify that CRL Distribution Point (CDP) is selected in the extension drop-down list. Select each listed CRL distribution point, select Remove, and select OK. Certificates issued from now on carry no CDP URL, so clients can only obtain revocation data from the OCSP responder listed in the AIA extension.
- Select Apply. A dialog displays stating that the service must be restarted.
- Select OK and wait for the service to restart.
- Verify that clients can still obtain revocation data. Execute the following on OCSPCL:
- The URL Retrieval Tool dialog displays. Select the CRLs (From CDP) radio button and select Retrieve.
- Select the OCSP (From AIA) radio button and select Retrieve. The list should contain an OCSP entry showing the web address of the OCSP server. If it is working correctly, the word Verified displays in the first column of the list.
- Select the Certs (from AIA) radio button and select Retrieve. One or two entries should be listed, with Verified next to them.
Note
If Certification Authority Web Enrollment is not installed on the CA, one of the AIA entries may display as Failed. As long as at least one entry in the Certs (from AIA) list reads Verified, the setup is working.
Verify the OCSP integration
After completing the steps above, verify the OCSP integration.
To verify the OCSP integration
- Open a command prompt and execute:
- When the command has completed, open the test.txt file. The file should contain information like this:
- Ensure that the above output includes the following:
This output demonstrates that the OCSP server is operating correctly without errors. The most important line is Leaf certificate revocation check passed, as it shows that the OCSP service returned a certificate status of Good for the test certificate.
If the log generated by the verify command does not include the section above (or similar) or contains errors, restart the OCSP server and the client machine, then run the verify command against the certificate file again.
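The verification step above, as an added example that is not part of the Thales guide: it runs certutil -verify -urlfetch against test.cer, writes test.txt, and then parses that file for the lines the guide says to look for, so the check can be repeated from a script. The working directory and file names are assumptions; the match strings are taken from the guide plus certutil's own section markers (Verified "OCSP" / Failed "OCSP"), whose exact wording can vary between Windows builds.

```powershell
# Added example, not from the Thales guide: run the OCSP verification and parse
# the resulting test.txt. Assumption: test.cer is in the directory used when it
# was issued (here $env:TEMP\ocsp-test).
$ErrorActionPreference = 'Stop'
Set-Location (Join-Path $env:TEMP 'ocsp-test')

# -urlfetch makes certutil actually fetch AIA, CDP and OCSP data over the network
# instead of using only the local cache, which is what this test is about.
certutil -verify -urlfetch .\test.cer | Out-File -FilePath .\test.txt -Encoding Ascii

function Test-OcspVerifyLog {
    param([string[]]$LogLines)

    # The guide's pass criterion: the leaf revocation check succeeded (status Good).
    $leafPassed = [bool]($LogLines | Select-String -SimpleMatch 'Leaf certificate revocation check passed')

    # certutil prints a Verified "OCSP" / Failed "OCSP" line in its Certificate OCSP
    # section when it contacted the responder named in the AIA extension.
    $ocspVerified = [bool]($LogLines | Select-String -Pattern '^\s*Verified\s+"OCSP"')
    $ocspFailed   = [bool]($LogLines | Select-String -Pattern '^\s*Failed\s+"OCSP"')

    # Other Failed/ERROR lines are reported but not treated as fatal on their own:
    # as the Note in the guide says, an AIA entry can legitimately show Failed when
    # Web Enrollment is not installed on the CA.
    $failures = @($LogLines | Select-String -Pattern '^\s*Failed\s+"|^\s*ERROR:|revocation function was unable')

    [pscustomobject]@{
        LeafRevocationPassed  = $leafPassed
        OcspResponderVerified = $ocspVerified
        OcspResponderFailed   = $ocspFailed
        OtherFailureLines     = @($failures | ForEach-Object { $_.Line.Trim() })
        Ok                    = $leafPassed -and $ocspVerified -and (-not $ocspFailed)
    }
}

$result = Test-OcspVerifyLog -LogLines (Get-Content .\test.txt)
$result | Format-List
if (-not $result.Ok) {
    Write-Warning 'OCSP verification did not pass. Review test.txt, restart the OCSP responder and OCSPCL, and run this again.'
    exit 1
}
```

Test-OcspVerifyLog can also be run against a test.txt produced earlier: Test-OcspVerifyLog -LogLines (Get-Content .\test.txt). A Good result proves the responder is reachable and its response is trusted; it does not by itself show that a revocation on OCSPCA propagates to the responder, which is a separate check this procedure does not cover.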