Jorge's Quest For Knowledge!


(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Posted by Jorge on 2013-08-26


See part 2 of this series for the previous step.

This post explains how to create a revocation configuration for every ENTERPRISE CA found in AD using option [2], Manually Select A Signing Certificate (Figure 1). With this option the script only creates the revocation configuration; the signing certificate itself is assigned afterwards, by hand, on every Array Member.


Figure 1: Configuring Revocation Configuration And Choosing To Manually Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}

# For Every CA Create A Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName = $_.DisplayName

    # Get The CA Server Name
    $caServerName = $_.ComputerName

    # Get The CA Certificate And Its RawData (DER Bytes)
    $caCert = $_.Certificate
    $caCertRawData = $caCert.RawData

    # Define The Name Of The Revocation Configuration
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    # (The CRL-Based Provider Fetches The Base And Delta CRL From These URLs)
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl  = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval (Milliseconds)

    # Configure The OCSP Signing Flags To MANUALLY Select A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH

    # Load The Current OCSP Configuration Of This Responder
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create The New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}" # Microsoft CRL-Based Revocation Status Provider
    $ocspConfig.ReminderDuration = 90 # Warn When 90% Of The Signing Cert Lifetime Has Elapsed

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

Two things to watch in this script. The HashAlgorithm is set to "SHA1", which was the default when this was written; SHA-1 signatures are deprecated, so on a current deployment use "SHA256" unless a legacy client forces you otherwise. And because OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT is set, the configuration is created WITHOUT a signing certificate, so the responder cannot answer for these CAs until the next step is done.

 


Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Now, before continuing, MANUALLY assign a signing certificate to each OCSP Revocation Configuration through the "Online Responder Management" MMC. You must do this on EVERY OCSP Array Member, because the signing certificate and its private key live on the individual responder and are not replicated with the configuration. The certificate must carry the "OCSP Signing" Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.9) and should be issued by the CA the configuration answers for, and the Online Responder service account (NETWORK SERVICE by default) needs Read permission on its private key; without that the responder cannot sign responses for that CA.
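If you want to take the manual step out of the MMC as well, the same CertAdm COM objects can do the assignment. The following is an added example, not code from the original post: it finds, in the local machine store, an unexpired certificate with the OCSP Signing EKU issued by the CA of each manually-configured revocation configuration and assigns it. Run it ON each Array Member. It assumes (not confirmed by the post) that IOCSPCAConfiguration.CACertificate returns the DER bytes of the CA certificate and that IOCSPCAConfiguration.SigningCertificate accepts the DER bytes of the signing certificate.

```powershell
# Added example (not from the original post): assign OCSP signing certificates through COM.
# Assumptions: IOCSPCAConfiguration.CACertificate returns DER bytes; SigningCertificate accepts DER bytes.
$OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
$OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning

function Test-OcspSigningEku {
    # True when the certificate carries the "OCSP Signing" Enhanced Key Usage
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | ?{ $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | ?{ $_.Value -eq $OID_OCSP_SIGNING })
}

function Set-OcspSigningCertificates {
    param([string]$OcspServerFQDN)

    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($OcspServerFQDN, $True)

    # Candidate signing certs on THIS responder: OCSP Signing EKU, private key present, not expired
    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        ?{ $_.HasPrivateKey -and $_.NotAfter -gt $now -and (Test-OcspSigningEku $_) }

    foreach ($cfg in $ocspAdmin.OCSPCAConfigurationCollection) {
        # Only touch configurations created for a manually assigned signing certificate
        if (([int]$cfg.SigningFlags -band $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT) -eq 0) { continue }

        # The signing cert for this configuration must be issued by the CA it answers for
        $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$cfg.CACertificate)
        $match = $candidates | ?{ $_.Issuer -eq $caCert.Subject } | sort NotAfter -Descending | select -First 1
        if (-not $match) {
            Write-Warning ("{0}: no OCSP signing certificate issued by '{1}' in LocalMachine\My" -f $cfg.Identifier, $caCert.Subject)
            continue
        }

        $cfg.SigningCertificate = $match.RawData
        Write-Host ("{0}: assigned {1} (expires {2:yyyy-MM-dd})" -f $cfg.Identifier, $match.Thumbprint, $match.NotAfter)
    }

    # Commit all assignments at once
    $ocspAdmin.SetConfiguration($OcspServerFQDN, $True)
}

# Same local-server discovery as the post
$cs = Get-WmiObject -Class Win32_ComputerSystem
Set-OcspSigningCertificates -OcspServerFQDN ($cs.Name + "." + $cs.Domain)
```

The issuer check matters: a responder that signs with a certificate from the wrong CA produces responses that clients reject as unauthorized. The script does not grant NETWORK SERVICE access to the private key; do that when enrolling the certificate (or via the certificate's private key ACL) before running it.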

Once the signing certificates are assigned, fetch the OCSP Revocation Configuration and the service properties with the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get The Current OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

# Show The Revocation Configurations And The Service Properties
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties
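The raw COM objects print the signing flags as a number and the provider properties as an opaque VARIANT, which makes a quick check of "is every CA configured the way I intended, and does it have a signing cert" harder than it should be. The following is an added example, not code from the original post, that decodes each revocation configuration into a flat record. It assumes (not confirmed by the post) that IOCSPPropertyCollection.InitializeFromProperties() reloads the VARIANT stored in ProviderProperties and that ItemByName() returns an object with a .Value; the flag names beyond the three used in the post are taken from the OCSP_SF_* constants on the MSDN page the post links.

```powershell
# Added example (not from the original post): decode the OCSP revocation configurations.
# Assumptions: InitializeFromProperties()/ItemByName() behave as described in the lead-in.
$OCSP_SF_NAMES = @{
    0x001 = "SILENT"
    0x002 = "USE_CACERT"
    0x004 = "ALLOW_SIGNINGCERT_AUTORENEWAL"
    0x008 = "FORCE_SIGNINGCERT_ISSUER_ISCA"
    0x010 = "AUTODISCOVER_SIGNINGCERT"
    0x020 = "MANUAL_ASSIGN_SIGNINGCERT"
    0x040 = "RESPONDER_ID_KEYHASH"
    0x080 = "RESPONDER_ID_NAME"
    0x100 = "ALLOW_NONCE_EXTENSION"
    0x200 = "ALLOW_SIGNINGCERT_AUTOENROLLMENT"
}

function ConvertTo-OcspSigningFlagNames {
    # Turn a SigningFlags bitmask into "NAME|NAME|...", flagging bits this table does not know
    param([int]$Flags)
    $names = @($OCSP_SF_NAMES.Keys | sort | ?{ ($Flags -band $_) -ne 0 } | %{ $OCSP_SF_NAMES[$_] })
    $known = 0
    $OCSP_SF_NAMES.Keys | %{ $known = $known -bor $_ }
    $unknown = $Flags -band (-bnot $known)
    if ($unknown -ne 0) { $names += ("UNKNOWN(0x{0:X})" -f $unknown) }
    return ($names -join "|")
}

function Get-OcspProviderProperty {
    # Read one named provider property (e.g. BaseCrlUrls) back out of a CA configuration
    param($Config, [string]$Name)
    $props = New-Object -com "CertAdm.OCSPPropertyCollection"
    $props.InitializeFromProperties($Config.ProviderProperties)
    try { return (@($props.ItemByName($Name).Value) -join ";") } catch { return "" }
}

function Get-OcspRevocationReport {
    param([string]$OcspServerFQDN)
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($OcspServerFQDN, $True)

    foreach ($cfg in $ocspAdmin.OCSPCAConfigurationCollection) {
        # A configuration without a signing certificate cannot answer; make that visible
        $signingCert = "NOT ASSIGNED"
        if ($cfg.SigningCertificate) {
            $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$cfg.SigningCertificate)
            $signingCert = "{0} (expires {1:yyyy-MM-dd})" -f $x.Thumbprint, $x.NotAfter
        }
        [pscustomobject]@{
            Name          = $cfg.Identifier
            HashAlgorithm = $cfg.HashAlgorithm
            SigningFlags  = ("0x{0:X3} {1}" -f [int]$cfg.SigningFlags, (ConvertTo-OcspSigningFlagNames ([int]$cfg.SigningFlags)))
            BaseCrlUrls   = Get-OcspProviderProperty $cfg "BaseCrlUrls"
            DeltaCrlUrls  = Get-OcspProviderProperty $cfg "DeltaCrlUrls"
            SigningCert   = $signingCert
            # HRESULT of the configuration status; 0x00000000 means the responder is happy with it
            ErrorCode     = ("0x{0:X8}" -f ([int64]$cfg.ErrorCode -band 0xFFFFFFFF))
        }
    }
}

$cs = Get-WmiObject -Class Win32_ComputerSystem
Get-OcspRevocationReport -OcspServerFQDN ($cs.Name + "." + $cs.Domain) | Format-List
```

Run it on every Array Member after the manual assignment: any row showing NOT ASSIGNED, a non-zero ErrorCode, or a SigningFlags value without MANUAL_ASSIGN_SIGNINGCERT is a member that was missed.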

Continued in part 4, "(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)".

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

