Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-08-24) Automated/Unattended Installation Of OCSP (Part 1)

Posted by Jorge on 2013-08-24

In W2K8R2 (although not tested, it will most likely also apply to higher OS versions) three methods exist to install the Online Certificate Status Protocol (OCSP) responder. The three methods are:

  1. Through the Server Manager console by installing the ADCS role service called “Online Responder”
  2. Through the Server Manager command line “ServerManagerCMD.exe” utility by executing the command: ServerManagerCMD -install ADCS-Online-Cert
  3. Through the PowerShell cmdlet “Add-WindowsFeature” by executing the PowerShell command: Add-WindowsFeature ADCS-Online-Cert

Unfortunately, the three methods do not behave consistently. I have come to learn that only method [1] performs all tasks required in one go to get OCSP up and running. Methods [2] and [3] install the binaries, but “forget” to execute the following remaining tasks:

  • Creation and configuration of the OCSP virtual directory (application)
  • Creation and configuration of the OCSP application pool (with Network Service as the user account)
  • Creation and configuration of the OCSP ISAPI filter
  • Configuration of the NTFS permissions on the physical path used by the virtual directory

Because of that, if you want to automate this, you need to perform the remaining tasks yourself to complete the installation/configuration. The goal of this series of posts is to show you how to install and configure OCSP in Windows Server 2008 R2 in an unattended manner. So let’s get started.

To install the OCSP binaries execute the following commands. It will also install any required components:

```powershell
# Installing The OCSP Binaries
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert
```


Figure 1: Installing The OCSP Binaries And Any Other Required Components

Next you need to issue a CERTUTIL command that will create and configure the OCSP Virtual Directory (application), the OCSP application pool and the OCSP ISAPI filter. For that issue the following command:

```powershell
# Installing/Configuring OCSP Virtual Directory
# Installing/Configuring OCSP Application Pool
# Installing/Configuring OCSP ISAPI filter
& 'CERTUTIL' -VOCSPROOT
```


Figure 2: Installing/Configuring The OCSP Virtual Directory, The OCSP Application Pool And The OCSP ISAPI filter

Next you need to configure the correct NTFS permissions on the folder used by the OCSP virtual directory. For that issue the following command:

```powershell
# Configuring The Permissions On The Physical Path Used By The OCSP Virtual Directory
Import-Module WebAdministration

# Allow rule for IUSR: read/execute only, inherited by subfolders and files
$Ace = "NT AUTHORITY\IUSR","ReadAndExecute,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Ace

# Physical folder behind the OCSP virtual directory
$ocspFolder = (Get-Item "IIS:\Sites\Default Web Site\ocsp").PhysicalPath

# Show the ACL before the change, add the rule, then show the ACL after the change
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL
$aclOCSPFolder.AddAccessRule($AccessRule)
$aclOCSPFolder | Set-Acl $ocspFolder
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL
```


Figure 3: Configuring The NTFS Permissions On The Folder Used By The OCSP Virtual Directory

Next you need to configure the account on the OCSP Application Pool. For that issue the following command:

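```powershell
# Configuring The OCSP Application Pool
# (WebAdministration was imported in the previous step; uncomment when running this step on its own)
# Import-Module WebAdministration

# IdentityType 2 = NetworkService
Set-ItemProperty -Path "IIS:\AppPools\OCSPISAPIAppPool" -Name ProcessModel.IdentityType -Value 2
```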


Figure 4: Configuring The Account Used By The OCSP Application Pool

To finish it up and reset everything, execute the following commands:

```powershell
# Resetting The OCSP Service And IIS
Restart-Service OCSPSVC -Force
IISRESET
```


Figure 5: Resetting OCSP And IIS
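
A read-only check of the end state the steps above should produce, as an added example that is not part of the original post. It uses only the names from the post's own commands (ADCS-Online-Cert, the ocsp application under Default Web Site, OCSPISAPIAppPool, OCSPSVC, NT AUTHORITY\IUSR); it does not check the ISAPI filter, whose name the post does not give, and the "no write rights" test for IUSR is an extra least-privilege check added here.

```powershell
# Added example, not from the original post: verify the unattended OCSP setup.
Import-Module ServerManager
Import-Module WebAdministration
$appPath  = 'IIS:\Sites\Default Web Site\ocsp'
$poolPath = 'IIS:\AppPools\OCSPISAPIAppPool'

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed }
}
$checks = @()

# 1. Role service binaries
$installed = (Get-WindowsFeature -Name ADCS-Online-Cert).Installed
$checks += New-Check 'ADCS-Online-Cert installed' $installed

# 2. OCSP virtual directory (application)
$appExists = Test-Path $appPath
$checks += New-Check 'OCSP virtual directory exists' $appExists

# 3. Application pool identity (the post sets IdentityType 2 = NetworkService)
$identity = $null
if (Test-Path $poolPath) {
    $identity = (Get-ItemProperty -Path $poolPath -Name processModel).identityType
}
$checks += New-Check 'App pool runs as NetworkService' ("$identity" -eq 'NetworkService')

# 4. NTFS ACL on the physical path: IUSR may read and execute, but not write
$iusrRead = $false; $iusrWrite = $false
if ($appExists) {
    # Assumption: the stored path may contain environment variables, so expand them
    $folder = [Environment]::ExpandEnvironmentVariables((Get-Item $appPath).PhysicalPath)
    $read  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl $folder).Access) {
        if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\IUSR' -or $ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $read) -eq $read) { $iusrRead = $true }
        if (($rights -band $write) -ne 0)    { $iusrWrite = $true }
    }
}
$checks += New-Check 'IUSR has ReadAndExecute' $iusrRead
$checks += New-Check 'IUSR has no write rights' (-not $iusrWrite)

# 5. Online Responder service
$svc = Get-Service -Name OCSPSVC -ErrorAction SilentlyContinue
$checks += New-Check 'OCSPSVC running' ($svc -ne $null -and $svc.Status -eq 'Running')

$checks | Format-Table Check, Passed -AutoSize
```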

At this point OCSP has been installed and configured. However, for it to be functional and support (OCSP) client requests, you must configure OCSP with revocation information for a specific CA. When configuring OCSP with revocation information through the GUI, you must select a CA certificate, and for that you have three options as shown in the picture below.


Figure 6: Specifying The CA To Service For Revocation Information Through Its Certificate

After that you must determine which certificate to use to sign revocation information before the response is sent to a client. You can configure every OCSP array member to automatically select a certificate based upon some certificate template or you must configure every OCSP array member with a certificate manually. This is shown in the picture below.

Option [1] –> with this option the OCSP will be automatically configured to retrieve a certificate based upon the specified certificate template from the specified CA. Renewals will also be automatic. This will apply to every array member.

Option [2] –> with this option, every OCSP array member individually must be configured manually with a certificate afterwards to be used by OCSP. Renewals will not be automatic and need to occur manually every time the certificate needs to be renewed. Again, this will apply to every array member.

Option [3] –> with this last option OCSP will use the CA certificate to sign responses.


Figure 7: Specifying Which Certificate To Use To Sign Responses

Continued in part 2: “(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)”




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!




