(2013-08-24) Automated/Unattended Installation Of OCSP (Part 1)
Posted by Jorge on 2013-08-24
In W2K8R2 (although not tested, it will most likely also apply to higher OS versions) three methods exist to install the Online Certificate Status Protocol (OCSP) responder. The three methods are:
- Through the Server Manager console by installing the ADCS role service called “Online Responder”
- Through the Server Manager command line “ServerManagerCMD.exe” utility by executing the command: ServerManagerCMD -install ADCS-Online-Cert
- Through the PowerShell CMDlet “Add-WindowsFeature” by executing the powershell command: Add-WindowsFeature ADCS-Online-Cert
Unfortunately the behavior of the three methods is not consistent. I have come to learn that only method  performs all tasks required in one go to get OCSP up and running. Method  and  install the binaries, but “forget” to execute the following remaining tasks:
- Creation and configuration of the OCSP virtual directory (application)
- Creation and configuration of the OCSP application pool (with Network Service as the user account)
- Creation and configuration of the OCSP ISAPI filter
- Configuration of the NTFS permissions on the physical path used by the virtual directory
Because of that, if you want to automate this, you need to perform the remaining tasks yourself to complete the installation/configuration. The goal of this series of posts is to show you how to install and configure OCSP in Windows Server 2008 R2 in an unattended manner. So let’s get started.
To install the OCSP binaries execute the following commands. It will also install any required components:
# Installing The OCSP Binaries
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert
Figure 1: Installing The OCSP Binaries And Any Other Required Components
Next you need to issue a CERTUTIL command that will create and configure the OCSP Virtual Directory (application), the OCSP application pool and the OCSP ISAPI filter. For that issue the following command:
# Installing/Configuring OCSP Virtual Directory
# Installing/Configuring OCSP Application Pool
# Installing/Configuring OCSP ISAPI filter
& 'CERTUTIL' -VOCSPROOT
Figure 2: Installing/Configuring The OCSP Virtual Directory, The OCSP Application Pool And The OCSP ISAPI filter
Next you need to configure the correct NTFS permissions on the folder used by the OCSP virtual directory. For that issue the following command:
# Configuring The Permissions On The Physical Path Used By The OCSP Virtual Directory
Import-Module WebAdministration
$Ace = "NT AUTHORITY\IUSR","ReadAndExecute,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Ace
$ocspFolder = (Get-Item "IIS:\Sites\Default Web Site\ocsp").PhysicalPath
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL
$aclOCSPFolder.AddAccessRule($AccessRule)
$aclOCSPFolder | Set-Acl $ocspFolder
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL
Figure 3: Configuring The NTFS Permissions On The Folder Used By The OCSP Virtual Directory
Next you need to configure the account on the OCSP Application Pool. For that issue the following command:
# Configuring The OCSP Application Pool
# http://www.iis.net/configreference/system.applicationhost/applicationpools/add/processmodel
# processModel.identityType value 2 = NetworkService
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\OCSPISAPIAppPool" -Name ProcessModel.IdentityType -value 2
Figure 4: Configuring The Account Used By The OCSP Application Pool
To finish it up and reset everything, execute the following commands:
# Resetting The OCSP Service And IIS
Restart-Service OCSPSVC -Force
IISRESET
Figure 5: Resetting OCSP And IIS
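The five steps above combined into one idempotent unattended run with a verification pass at the end. This is an added example, not the post's own script; it assumes an elevated PowerShell session on the W2K8R2 server itself and the default names used above (“Default Web Site”, OCSPISAPIAppPool, OCSPSVC).

```powershell
# Added example (not from the original post): unattended OCSP setup that can be
# re-run safely, followed by checks that every piece is in place.
Import-Module ServerManager
Import-Module WebAdministration

$ocspApp  = "IIS:\Sites\Default Web Site\ocsp"      # assumed default site name
$ocspPool = "IIS:\AppPools\OCSPISAPIAppPool"

# 1. Binaries; Add-WindowsFeature alone leaves the IIS pieces unconfigured
if (-not (Get-WindowsFeature ADCS-Online-Cert).Installed) {
    Add-WindowsFeature ADCS-Online-Cert | Out-Null
}

# 2. Virtual directory, application pool and ISAPI filter, only when missing
if (-not (Test-Path $ocspApp)) {
    & certutil -vocsproot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -vocsproot failed ($LASTEXITCODE)" }
}

# 3. NTFS: IUSR needs ReadAndExecute on the physical path; add the ACE once
$folder = (Get-Item $ocspApp).PhysicalPath
$acl    = Get-Acl $folder
$rx     = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$hasAce = $acl.Access | Where-Object {
    $_.IdentityReference -eq "NT AUTHORITY\IUSR" -and (($_.FileSystemRights -band $rx) -eq $rx)
}
if (-not $hasAce) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "NT AUTHORITY\IUSR", "ReadAndExecute,Synchronize",
        "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl $folder $acl
}

# 4. Application pool identity: 2 = NetworkService
Set-ItemProperty -Path $ocspPool -Name processModel.identityType -Value 2

# 5. Restart services, then verify the end state instead of assuming it
Restart-Service OCSPSVC -Force
& iisreset | Out-Null

$pool   = Get-Item $ocspPool
$checks = @{
    "feature installed"   = (Get-WindowsFeature ADCS-Online-Cert).Installed
    "ocsp app present"    = Test-Path $ocspApp
    "pool NetworkService" = ($pool.processModel.identityType -eq "NetworkService")
    "pool started"        = ($pool.state -eq "Started")
    "OCSPSVC running"     = ((Get-Service OCSPSVC).Status -eq "Running")
}
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-22} {1}" -f $_.Name, $_.Value }
if ($checks.Values -contains $false) { throw "OCSP unattended setup incomplete" }
```

A failed check throws, so the script can be used as a post-install gate in a larger deployment sequence.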
At this point OCSP has been installed and configured. However, for it to be functional and answer (OCSP) client requests, you must configure OCSP with revocation information for a specific CA. When configuring OCSP with revocation information through the GUI you must select a CA certificate, and for that you have three options, as shown in the picture below.
Figure 6: Specifying The CA To Service For Revocation Information Through Its Certificate
After that you must determine which certificate to use to sign revocation information before the response is sent to a client. You can either configure every OCSP array member to automatically select a certificate based upon a certificate template, or you must configure every OCSP array member with a certificate manually. This is shown in the picture below.
Option  –> with this option the OCSP responder will be automatically configured to retrieve a certificate based upon the specified certificate template from the specified CA. Renewals will also be automatic. This applies to every array member.
Option  –> with this option, every OCSP array member must afterwards be configured manually with the certificate to be used for signing. Renewals will not be automatic and must be performed manually every time the certificate needs to be renewed. Again, this applies to every array member.
Option  –> with this last option OCSP will use the CA certificate itself to sign responses.
Figure 7: Specifying Which Certificate To Use To Sign Responses
Continued in part 2 “(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)”
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########