Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)

Posted by Jorge on 2013-08-25


Click here for part 1

This post will explain how to configure revocation information through option [1] (Automatically Select A Signing Certificate) for each ENTERPRISE CA found in AD.


Figure 1: Configuring Revocation Configuration And Choosing To Automatically Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}

# For Every CA Create Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName = $_.DisplayName

    # Get The CA Server Name
    $caServerName = $_.ComputerName

    # Get The CA Config String
    $caConfigString = $_.ConfigString

    # Get The CA Certificate
    $caCert = $_.Certificate

    # Get The RawData Of The CA Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Reset The Template Name So A Match Found For A Previous CA Does Not Carry Over
    $ocspCertTemplateName = $null

    # Get The OCSP Signing Certificate Template Published By The CA
    ($_ | Get-CATemplate).Templates | %{
        $certTemplateDisplayName = $_.DisplayName
        $enhancedKeyUsageCertTemplate = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Settings.EnhancedKeyUsage
        $enhancedKeyUsageFound = $enhancedKeyUsageCertTemplate | ?{$_.FriendlyName -eq "OCSP Signing"}
        If ($enhancedKeyUsageFound -ne $null) {
            $ocspCertTemplateName = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Name
        }
    }
    If (!$ocspCertTemplateName) {
        Write-Host "No Certificate Template Found With The 'OCSP Signing' Extension"
        Break
    }

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags To Automatically Select A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL = 0x004
    $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
    $OCSP_SF_AUTODISCOVER_SIGNINGCERT = 0x010
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL `
        + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA `
        + $OCSP_SF_AUTODISCOVER_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT

    # Save The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.CAConfig = $caConfigString
    $ocspConfig.SigningCertificateTemplate = $ocspCertTemplateName
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}


Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2c: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration, let's fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties
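Listing the raw collection is fine for a quick look, but it does not tell you whether the configuration is sound. The following audit script is an added example (not code from the original post): it reads every revocation configuration back through the same CertAdm.OCSPAdmin COM object, decodes the OCSP_SF_* signing flags into names, highlights the hash algorithm for review, and checks that the configured base/delta CRL URLs are reachable over HTTP. It assumes PowerShell 3.0 or later for Invoke-WebRequest, and that InitializeFromProperties and ItemByName on CertAdm.OCSPPropertyCollection behave as documented for IOCSPPropertyCollection.

```powershell
# Added audit example: read back every revocation configuration on the local
# Online Responder and report signing flags, hash algorithm and CRL reachability.
# Assumes PowerShell 3.0+ (Invoke-WebRequest) and the CertAdm COM interfaces.
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# OcspSigningFlags values from certadm.h (superset of the constants used when configuring)
$signingFlagNames = @{
    0x001 = "OCSP_SF_SILENT"
    0x002 = "OCSP_SF_USE_CACERT"
    0x004 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL"
    0x008 = "OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA"
    0x010 = "OCSP_SF_AUTODISCOVER_SIGNINGCERT"
    0x020 = "OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT"
    0x040 = "OCSP_SF_RESPONDER_ID_KEYHASH"
    0x080 = "OCSP_SF_RESPONDER_ID_NAME"
    0x100 = "OCSP_SF_ALLOW_NONCE_EXTENSION"
    0x200 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT"
}

Function Test-CrlUrl ($url) {
    # HEAD request only; an HTTP error or timeout means the responder cannot refresh this CRL
    Try { (Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
    Catch { $false }
}

$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

ForEach ($cfg In $ocspAdmin.OCSPCAConfigurationCollection) {
    Write-Host "Revocation Configuration: $($cfg.Identifier)"
    Write-Host "  CAConfig         : $($cfg.CAConfig)"
    Write-Host "  Signing Template : $($cfg.SigningCertificateTemplate)"
    # The configuration script sets SHA1; mark it so it shows up in a review
    $hashNote = If ($cfg.HashAlgorithm -eq "SHA1") { " (review: SHA1 is deprecated for new deployments)" } Else { "" }
    Write-Host "  Hash Algorithm   : $($cfg.HashAlgorithm)$hashNote"
    $setFlags = $signingFlagNames.Keys | ?{ ($cfg.SigningFlags -band $_) -ne 0 } | Sort-Object | %{ $signingFlagNames[$_] }
    Write-Host ("  Signing Flags    : 0x{0:X3} = {1}" -f $cfg.SigningFlags, ($setFlags -join ", "))
    # Rehydrate the provider property bag so the CRL URLs can be read back by name
    $props = New-Object -ComObject "CertAdm.OCSPPropertyCollection"
    $props.InitializeFromProperties($cfg.ProviderProperties)
    ForEach ($propName In "BaseCrlUrls", "DeltaCrlUrls") {
        Try { $prop = $props.ItemByName($propName) } Catch { $prop = $null }
        If (!$prop) { Write-Host "  $propName : (not set)"; Continue }
        ForEach ($url In @($prop.Value)) {
            $state = If (Test-CrlUrl $url) { "reachable" } Else { "UNREACHABLE" }
            Write-Host "  $propName : $url [$state]"
        }
    }
}
```

Run it on the Online Responder itself after the configuration script; an UNREACHABLE CRL URL or an unexpected flag set is what you want to catch before clients start depending on this responder.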

Continued in part 3: "(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)"

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
