Thursday, September 10, 2015

[AD] Configuring OCSP for AD

1. CREATE OCSP

In this blog I will discuss the installation and configuration of OCSP.
OCSP stands for Online Certificate Status Protocol and was first described in RFC 2560. Without OCSP the client (or application) checks revocation against the CRL itself, and the disadvantage is that the entire CRL then has to be downloaded by the client. This is not always desirable. With OCSP the client queries the revocation status instead: the client sends a request to the OCSP server, the OCSP server checks the CRL and sends a response status back to the client. The response can be:

  • GOOD: The certificate is valid;
  • REVOKED: The certificate is revoked;
  • UNKNOWN: It is an unknown certificate.
The OCSP responder also returns the expiration date of the certificate. Based on the returned information the client can take the appropriate action.
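As an added example (not from the original post), the client-side decision this paragraph describes, done from PowerShell on a Windows client: X509Chain performs the OCSP query using the URL in the certificate's AIA extension, and the chain status flags are mapped to the three answers above. The certificate path is an assumption.

```powershell
# Added example, not from the original post. Assumed input: a certificate file (DER or PEM).
param([string]$CertPath = '.\certificate.cer')   # assumed path

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath

function Test-ChainFlag([object[]]$statuses, [string]$flag) {
    # X509ChainStatus.Status is a [Flags] enum, so test the bit instead of comparing for equality
    $bit = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$flag
    foreach ($s in $statuses) { if (($s.Status -band $bit) -ne 0) { return $true } }
    return $false
}

# Show where the client will go for status: the OCSP URL lives in the AIA extension (OID 1.3.6.1.5.5.7.1.1)
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) {
    [regex]::Matches($aia.Format($true), 'URL=(\S+)') | ForEach-Object { "AIA URL: " + $_.Groups[1].Value }
} else {
    Write-Warning 'No AIA extension: the client has no OCSP URL to ask'
}

$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'        # ask OCSP/CRL over the network, not only the local cache
$chain.ChainPolicy.RevocationFlag = 'EntireChain'   # check the leaf and every issuing CA
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built  = $chain.Build($cert)
$status = $chain.ChainStatus

# Map the chain result to the three OCSP answers from the post
if (Test-ChainFlag $status 'Revoked') {
    $verdict = 'REVOKED'
} elseif ((Test-ChainFlag $status 'RevocationStatusUnknown') -or (Test-ChainFlag $status 'OfflineRevocation')) {
    $verdict = 'UNKNOWN'   # responder unreachable or no answer for this serial: never treat this as GOOD
} elseif ($built) {
    $verdict = 'GOOD'
} else {
    # chain failed for a reason other than revocation (expired, untrusted root, name mismatch, ...)
    $verdict = 'INVALID: ' + (($status | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
'{0} -> {1}' -f $cert.Subject, $verdict
```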

Preparation

Before you can install OCSP you will have to prepare a number of things:

  • You need an IIS server. In this blog I will use my Sub CA, which already has IIS on it.
  • The CA must have an OCSP certificate template.
  • The URL of the OCSP responder should be included in the AIA extension of all CAs.

AIA extension

We start by entering the OCSP information into the AIA extension.

  • Open the Certification Authority console and select the CA server
  • Right-click, Properties
  • Select Extensions
  • Under Select Extension choose AIA
  • Select: http://<yourserver>/cdp/<CaName>.crt
  • Select: Include in the online certificate status protocol (OCSP) extension
  • Restart the CA service

Template

The second preparation step is the OCSP certificate template.

  • Open the Certification Authority console
  • Select Certificate Templates
  • Right-click, Manage
  • Select OCSP Response Signing, Action, Duplicate Template
  • Select General and specify the template name
  • Select Security
  • Add the computer or computers on which the OCSP service will be installed.
  • Give the OCSP computer(s) Read and Enroll rights.


Now close the Template Manager and add the template to the list of Certificate Templates


In addition I created a new template, duplicated from the Web Server template, with the name “AdditionIT Webserver” (you can also use the Web Server template directly). The configuration for this template is the same as for OCSP Response Signing:
-       Security tab: add the DC computer with the Enroll right.

Installation

We will now add the OCSP role:

  • In Server Manager select AD CS
  • Scroll to Roles and Features
  • Under Tasks, choose Add Roles and Features
  • Press Next
  • Press Next
  • Add the Online Responder
  • Press Add Features
  • Press Next
  • Press Next and then Install.

When the setup is finished the OCSP role is installed.

Configuration


  • Start the Online Responder console via Tools, Online Responder Management
  • Select Revocation Configuration
  • Add Revocation Configuration
  • Press Next
  • Give the configuration a name and press Next
  • Choose “Select a certificate for an Existing enterprise CA”
  • Press Next
  • Press Browse and select The Sub CA
  • Press Next
We just made a template for OCSP. We use this template to create the certificate for OCSP.


Press Next
Press Finish
OCSP is configured and running.
If you get the error “ocsp bad signing certificate on array controller”, try the following:
-       Reinstall OCSP.
-       Go back to the Revocation Configuration pane, right-click the revocation configuration you created (in this case Test) and click Edit Properties.
-       Run this command on the CA (for Windows Server 2003):
certutil -v -setreg policy\EnableRequestExtensionList 1.3.6.1.5.5.7.48.1.5
-       A Properties for Revocation Configuration: Test pane opens with three tabs. Click the Signing tab.
-       Uncheck the “Do not prompt for credentials for cryptographic operations” check box and click OK.

In the AIA step, in my case I configured the OCSP URL as http://<ServerDNSName>/ocsp.
For the .crt file I configured the AIA URL as http://<ServerDNSName>/CertEnroll/[yourfilecrt].crt.
-       Remember to select the checkbox “Include in the AIA extension of issued certificates”.
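The AIA step above (the .crt URL and the OCSP URL) and the Online Responder role installation, done from an elevated PowerShell prompt on the CA with certutil, as an added example that is not from the original post. The host name is an assumed placeholder for <ServerDNSName>; the flag numbers are the ones the Extensions dialog writes behind the scenes.

```powershell
# Added example, not from the original post. Run elevated on the CA server.
$HostName = 'pki.example.local'   # assumed placeholder for <ServerDNSName> from the post

# Each CA\CACertPublicationURLs entry is "<flags>:<url>". Flags used here:
#   1  = publish the CA certificate to this location
#   2  = include in the AIA extension of issued certificates
#   32 = include in the online certificate status protocol (OCSP) extension
# certutil replacement tokens: %1 = server DNS name, %3 = CA name, %4 = renewal suffix
$entries = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt",   # local copy of the CA cert
    "2:http://$HostName/CertEnroll/%1_%3%4.crt",               # the .crt URL that goes into AIA
    "32:http://$HostName/ocsp"                                  # the OCSP URL that goes into AIA
)

# certutil takes a REG_MULTI_SZ as one string with a literal \n between the entries
certutil -setreg CA\CACertPublicationURLs "$($entries -join '\n')"
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# Like the Extensions dialog, the change needs a restart of the CA service
Restart-Service certsvc

# Read the setting back and check that the OCSP entry (flag 32) is really there
$current = certutil -getreg CA\CACertPublicationURLs
if (-not ($current | Select-String -Pattern '32:http://' -SimpleMatch)) {
    throw 'CACertPublicationURLs has no entry with flag 32: issued certs will carry no OCSP URL'
}

# The Installation section's GUI steps in one line (Server Manager's "Online Responder" feature)
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
```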
2. TEST

Now I'll create a new website in IIS to test the Online Responder using Internet Explorer.

1. Open Internet Information Services Manager from Start, Administrative Tools.
2. Click your server in the Connections pane, make sure Features View is selected in the central pane, and double-click Server Certificates.
3. Select Create Domain Certificate under Actions in the right pane.
4. In the Common Name box, enter the Fully Qualified Domain Name (FQDN) of the web server (in this case, the same machine as the CA, windc1.ad.contoso.com) and enter information for the rest of the fields as appropriate. Click Next to continue.
5. Click Select to the right of Select Online Certificate Authority, choose your CA from the list and click OK.
6. Under Friendly name, enter the FQDN of the server again and click Finish.
7. Right-click your server under Connections and select Add Web Site from the menu.
8. Name the site TEST and set the physical path to c:\inetpub\wwwroot. Change the binding type to HTTPS and select the SSL certificate you just created from the drop-down menu, as shown in Figure 8. Click OK to continue.

Figure 8.
Before I try to access my new site using a secure channel, I'll check that the certificate issued by the CA contains the URL for the Online Responder.

1. In the Certificates MMC, find the new certificate generated for IIS under Certificates (Local Computer), Personal, Certificates.
2. Right-click the certificate and select All Tasks, Export.
3. Follow through the export wizard, leaving all the default options, and save the certificate as certificate.cer to a convenient location.
4. Open a command prompt in the directory where you saved the exported certificate and launch the URL Retrieval Tool by typing
certutil -url certificate.cer
5. In the Retrieve section of the tool in the bottom right corner, select OCSP (from AIA) and click Retrieve. If the certificate contains a URL for the OCSP Responder, it should display as Verified, as shown in Figure 9.

Figure 9.
Now I'll use Internet Explorer to access the TEST website and check the CryptoAPI logs to see if OCSP is used to successfully provide revocation data about the certificate.

1. Type eventvwr into Start Search on the Start menu and press Enter.
2. In the left pane, expand Applications and Services Logs, Microsoft, Windows, CAPI2. Right-click Operational under CAPI2 and select Enable Log from the menu.
3. Open Internet Explorer and type https://windc1.ad.contoso.com/ in the address bar.
4. Right-click Operational in Event Viewer and select Refresh from the menu. In the central pane, look for Event ID 90 (X509 Objects). Double-click the event and, on the Details tab under UserData, you should be able to find information about the OCSP response, as shown in Figure 10.


Figure 10

Figure 10 shows that OCSP has determined our certificate is OK (OCSP_BASIC_GOOD_CERT_STATUS), and information about when this data was generated and the next time it will be updated.
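The same verification as the URL Retrieval Tool step and the CAPI2 log check, done non-interactively from an elevated PowerShell prompt on the client, as an added example that is not from the original post. It assumes certificate.cer was exported as described above and that the TEST site from the post is reachable.

```powershell
# Added example, not from the original post. Run elevated on the client machine.
$CertPath = '.\certificate.cer'                 # exported in the steps above
$SiteUrl  = 'https://windc1.ad.contoso.com/'    # the TEST site from the post

# 1) Command-line counterpart of "certutil -url": follow the AIA/CDP/OCSP URLs in the
#    certificate and show only the OCSP verification lines and the revocation result
$urlCheck = certutil -verify -urlfetch $CertPath
$urlCheck | Select-String -Pattern 'OCSP', 'revocation'

# 2) Enable the CAPI2 Operational log (same as "Enable Log" in Event Viewer)
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true
$since = Get-Date

# 3) Trigger the TLS handshake; only the handshake matters here, so a failed request is just reported
try { Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing | Out-Null } catch { Write-Warning $_ }

# 4) Read event 90 (X509 Objects) written since the request and pull the OCSP status out of UserData
$filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 90; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    if ($ev.ToXml() -match 'OCSP_BASIC_(GOOD|REVOKED|UNKNOWN)_CERT_STATUS') {
        '{0}  event {1}: {2}' -f $ev.TimeCreated, $ev.Id, $Matches[0]
    }
}
if (-not $events) {
    Write-Warning 'No CAPI2 event 90 since the request: check the log is enabled and the site used HTTPS'
}
```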

OCSP Limitations


OCSP support from all the major public CAs allowed certificate revocation checking to be enabled in Internet Explorer for the first time in Windows Vista, providing a greater level of trust when surfing the web. While OCSP doesn't offer a solution for those working offline to check certificate revocation status, it enables checking in situations where slow connections may have ruled out certificate revocation checking altogether in the past. Online Responders, while only benefiting smaller organizations in specific scenarios, can help large PKIs scale out and make them more responsive.
3. Test verification from the client
Go to the CA -> Issued Certificates -> right-click the certificate -> Revoke Certificate.
Go to the CA -> right-click Revoked Certificates -> All Tasks -> Publish.
A restart of the DC is needed.
From the client:
-          Send a new OCSP request (using the PKI library):
Imports System.Security.Cryptography.X509Certificates
Imports PKI.OCSP   ' OCSPRequest/OCSPResponse come from the PKI library the post refers to (namespace assumed)

' Open the personal certificate store (kept from the original; the PFX import below does not use it)
Dim store As New X509Store(StoreName.My)
store.Open(OpenFlags.[ReadOnly])

' Load the certificate to check from the PFX file whose path is in the txtFile text box
Dim certificates As New X509Certificate2Collection()
certificates.Import(txtFile.Text, "Niteco2015", X509KeyStorageFlags.PersistKeySet)

' Close certificate store
store.Close()

' Retrieve selected certificate
If certificates.Count = 0 Then
    ' The user has cancelled choosing a certificate
    Return
End If
Dim certificate As X509Certificate2 = certificates(0)

' Build the OCSP request for this certificate; the responder URL is taken from its AIA extension
Dim request As New OCSPRequest(certificate)
Dim response As OCSPResponse = request.SendRequest()
If response.Responses(0).CertStatus = CertificateStatus.Revoked Then
    ' The responder answered REVOKED; the revocation date is in RevocationInfo
    Dim revokedOn = response.Responses(0).RevocationInfo.RevocationDate
End If
