Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Posted by Jorge on 2013-08-27


Click here for part 3

This post will explain how to configure revocation information through option [3] (Use The CA Certificate For The Revocation Information) for each ENTERPRISE CA found in AD. 

 image

Figure 1: Configuring Revocation Configuration And Choosing The CA Certificate As The Signing Certificate

This option can only be used when OCSP is installed on the same server as the CA itself OCSP is servicing

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/) Import-Module PSPKI # Get The Info Of The Local Server $domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain $ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain # Get The Local CA $localCA = Connect-CA -ComputerName $ocspServerFQDN # For The Local CA Create Revocation Configuration # Get The CA Name $caName = $localCA.DisplayName # Get The CA Server Name $caServerName = $localCA.ComputerName # Get The CA Certificate $caCert = $localCA.Certificate # Get The RawData Of The CA Certificate $caCertRawData = $caCert.RawData # Define The OCSP Name $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")" # Configure The Revocation Provider Properties In A Property Collection Object For This CA $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection" $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl" $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl" $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl) $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl) $ocspProperties.CreateProperty("RevocationErrorCode", 0) #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval # Configure The OCSP Signing Flags To Automatically Select A Signing Cert # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx $OCSP_SF_SILENT = 0x001 $OCSP_SF_USE_CACERT = 0x002 $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008 $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040 $ocspSigningFlags = $OCSP_SF_SILENT ` + $OCSP_SF_USE_CACERT ` + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA ` + $OCSP_SF_RESPONDER_ID_KEYHASH # Save The OCSP Configuration In An Object $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin" $ocspAdmin.GetConfiguration($ocspServerFQDN, $True) # Create New Revocation Configuration $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData) $ocspConfig.HashAlgorithm = "SHA1" $ocspConfig.SigningFlags = $ocspSigningFlags $ocspConfig.ProviderProperties = $OcspProperties.GetAllProperties() $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}" $ocspConfig.ReminderDuration = 90 # Commit The New Revocation Configuration $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)

image_thumb123_thumb[1]_thumb

Figure 2a: Configuring Revocation Configuration For The Local Enterprise CA

image_thumb127_thumb[1]_thumb

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server $domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain $ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain # Get The Renewed OCSP Configuration $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin" $ocspAdmin.GetConfiguration($ocspServerFQDN, $True) $ocspAdmin.OCSPCAConfigurationCollection $ocspAdmin.OCSPServiceProperties

image_thumb130_thumb[1]_thumb

Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 5 “(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

2 Responses to “(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)”

  1. […] (2013-08-25) Automated/Unattended Installation Of OCSP (Part 2) (2013-08-27) Automated/Unattended Installation Of OCSP (Part 4) […]

  2. […] « (2013-08-27) Automated/Unattended Installation Of OCSP (Part 4) […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: