Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘OCSP’ Category

(2013-09-04) Incorrect CSP Prevents Enrollment Of OCSP Response Signing Certificates

Posted by Jorge on 2013-09-04


As mentioned in the previous post, (2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration, I was rebuilding my test environment. In addition to installing and configuring a certificate authority I also wanted to install and configure an online responder. Before, I used the default “OCSP Response Signing” certificate template, but this time I wanted to duplicate it and create a new one. Because I install multiple environments for testing purposes I wanted to script the creation of the certificate templates to save time. I never found an easy way to script the duplication of certificate templates, so I duplicated the templates first and changed the settings as needed. Then through ADSIEDIT I got the attribute values and put them in a script with ADMOD from joeware. I did this for multiple certificate templates.

The settings of the duplicated “OCSP Response Signing” certificate template are shown below.


Figure 1: The Settings Of The Duplicated “OCSP Response Signing” Certificate Template

ADMOD -h <FQDN DC> -mvdelim # -replacedn XXX-CONFIG-XXX:_config -add -b "CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,XXX-CONFIG-XXX" "objectClass::pKICertificateTemplate" "displayName::OCSP Response Signing v20" "showInAdvancedViewOnly::TRUE" "flags::131648" "revision::100" "pKICriticalExtensions:++:2.5.29.15" "pKIDefaultKeySpec::2" "pKIExtendedKeyUsage:++:1.3.6.1.5.5.7.3.9" "pKIKeyUsage::8000" "pKIMaxIssuingDepth::0" "BIN##pKIExpirationPeriod::0080 37AE FFF4 FFFF" "BIN##pKIOverlapPeriod::0080 2CAB 6DFE FFFF" "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" "msPKI-RA-Signature::0" "msPKI-Enrollment-Flag::20512" "msPKI-Private-Key-Flag::33751040" "msPKI-Certificate-Name-Flag::402653184" "msPKI-Minimal-Key-Size::2048" "msPKI-Template-Schema-Version::3" "msPKI-Template-Minor-Revision::3" "msPKI-Cert-Template-OID::1.3.6.1.4.1.311.21.8.7425675.14461227.5065100.6342490.10430944.249.14559993.5566867" "msPKI-Certificate-Application-Policy:++:1.3.6.1.5.5.7.3.9" "msPKI-RA-Application-Policies:++:msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`" "msPKI-Supersede-Templates:++:OCSPResponseSigning"

REMARK: YOU SHOULD NOT USE THIS METHOD IN YOUR TEST ENVIRONMENT TO DUPLICATE CERT TEMPLATES! I USED THIS IN MY TEST ENVIRONMENT WITH A PREDEFINED OID.

REMARK: I need to use the mvdelim parameter in this case and specify a new delimiter (#). The reason for that is that ADMOD by default uses the ; as the delimiter for multi-valued attributes. However, if you look at the second last attribute and its value in the command line, you will see that the value itself contains multiple ; characters. Hence the required change of delimiter.


Figure 2: Scripting The Creation Of The Custom “OCSP Response Signing” Certificate Template

Then I used DSACLS to configure the permissions of that specific certificate template.

REM Convert The DNS Domain To An NC
SET DNDOMAIN=DC=%USERDNSDOMAIN:.=,DC=%
REM Disable Inheritance And Copy The Inherited Permissions Onto The Object As Explicit Permissions
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /P:Y
REM Assign Enterprise Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Enterprise Admins:GRWDWOWP"
REM Remove Any Assigned Permissions To Domain Admins
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "Domain Admins"
REM Assign Domain Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Domain Admins:GRWDWOWP"
REM Remove Any Assigned Permissions To SYSTEM
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "SYSTEM"
REM Assign SYSTEM Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "SYSTEM:GRWDWOWP"
REM Assign A Custom Group Allow:Enroll
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "GRP_R2_PKI-CertTmplt-Subscr-OCSPResponseSigning:CA;Enroll"

The last line assigns a custom group Allow:Enroll permissions. It is NOT needed to assign AutoEnroll permissions! The command that disables inheritance and copies the inherited permissions to become explicit permissions keeps Authenticated Users with Allow:Read. By making the computer account of my OCSP server a member of that custom group, OCSP Response Signing certificates are automatically enrolled by the OCSP service.

The second last thing to do is to configure the CA to support the custom “OCSP Response Signing” certificate template to be able to enroll certificates derived from that certificate template. The last thing to do is to configure OCSP to support revocation information for the installed CA (see: Designing And Implementing An OCSP Responder (Series)).

So as soon as you have configured the revocation information for that specific CA (also see the series: Automated/Unattended Installation Of OCSP) and you pressed/clicked Refresh, it should tell you it got a new signing certificate. Unfortunately, that is not what happens. No certificate is being enrolled! Damn!

This is what you will see continuously.


Figure 3: The Online Responder Configuration – Error “Bad Signing Certificate On Array Controller”


Figure 4: The Online Responder Configuration – Error “Signing Certificate: Not Found”

When looking at the Application Event Log, you will see…


Figure 5: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”


Figure 6: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

Both the errors do not give you a clear hint of what’s wrong.

The only thing I remembered was that when I used the default “OCSP Response Signing” certificate template everything worked like a charm! Trouble started when I used my duplicated/custom certificate template. So, the first task was to compare both settings! YOU can do the same by comparing figure 1 above and figure 7 below.


Figure 7: The Settings Of The Original “OCSP Response Signing” Certificate Template

Besides the “msPKI-Cert-Template-OID” attribute value being different, there is another difference! The original “OCSP Response Signing” Certificate Template DOES NOT specify a CSP, while the duplicate “OCSP Response Signing” Certificate Template does. So, where did that go wrong!?

In the GUI this looks like….


Figure 8: The Cryptography Settings Of The Default (Left) And The Duplicated (Right) “OCSP Response Signing” Certificate Template

The only thing to do here is changing the cryptographic settings of the duplicated “OCSP Response Signing” Certificate Template to match those of the original “OCSP Response Signing” Certificate Template.


Figure 9: The Online Responder Configuration – “Working”


Figure 10: The Online Responder Configuration – “Signing Certificate: OK”


Figure 11: The Online Responder Configuration – Certificate Enrolled


Figure 12: The Online Responder Configuration – Certificate (Re)Loaded

Explanation of what went wrong….

As I said, I was scripting the creation of certificate templates. While I was copying information around I copied the text "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" into the command line that creates the duplicated “OCSP Response Signing” Certificate Template. However, I SHOULD NOT have done that! It was therefore a mistake that generated the errors shown above and that took lots of time to troubleshoot!

So in the previous ADMOD command the part "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" MUST be removed!

Just a stupid copy/paste mistake.
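A check that would have caught this before the responder ever tried to enroll, written as an added example (not from the post): it reads both templates from the Configuration NC through ADSI and lists every attribute that differs, warning specifically when the copy pins pKIDefaultCSPs while the source leaves it empty. It assumes the template names used in this post and an account that can read the Certificate Templates container.

```powershell
# Added example, not part of the post: compare a duplicated certificate template with the
# template it was copied from and list the attributes that differ, so a stray
# pKIDefaultCSPs value is noticed before the Online Responder fails to enroll.
# Assumes the Certificate Templates container of the current forest is readable and uses
# the template names from the post (OCSPResponseSigning and OCSPResponseSigning_v20).

function Get-CertTemplateAttributes {
    param([Parameter(Mandatory=$true)][string]$TemplateName)
    # Certificate templates live in the Configuration naming context of the forest
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template '$TemplateName' not found at $path"
    }
    $template = [ADSI]$path
    # String and integer attributes only; the byte-valued ones (pKIKeyUsage, the period blobs)
    # need their own decoding and are not where the post's mistake was
    $names = @("pKIDefaultCSPs", "pKIExtendedKeyUsage", "pKIDefaultKeySpec", "pKICriticalExtensions",
               "msPKI-Private-Key-Flag", "msPKI-Enrollment-Flag", "msPKI-Certificate-Name-Flag",
               "msPKI-Minimal-Key-Size", "msPKI-Template-Schema-Version", "msPKI-Cert-Template-OID",
               "msPKI-Certificate-Application-Policy", "msPKI-RA-Application-Policies",
               "msPKI-Supersede-Templates")
    $attributes = @{}
    foreach ($name in $names) {
        # Multi-valued attributes are sorted and joined so value order does not show up as a difference;
        # an attribute that is not set at all becomes the empty string
        $values = @($template.Properties[$name] | ForEach-Object { "$_" }) | Sort-Object
        $attributes[$name] = ($values -join "|")
    }
    return $attributes
}

function Compare-CertTemplate {
    param([string]$SourceName, [string]$DuplicateName)
    $source    = Get-CertTemplateAttributes -TemplateName $SourceName
    $duplicate = Get-CertTemplateAttributes -TemplateName $DuplicateName
    foreach ($name in ($source.Keys | Sort-Object)) {
        if ($source[$name] -ne $duplicate[$name]) {
            New-Object PSObject -Property @{
                Attribute = $name
                Source    = $source[$name]
                Duplicate = $duplicate[$name]
            }
        }
    }
}

$sourceName    = "OCSPResponseSigning"
$duplicateName = "OCSPResponseSigning_v20"
$differences = @(Compare-CertTemplate -SourceName $sourceName -DuplicateName $duplicateName)
$differences | Format-Table Attribute, Source, Duplicate -AutoSize

# msPKI-Cert-Template-OID and msPKI-Supersede-Templates are expected to differ on a copy;
# a CSP that is set on the copy while the source has none is exactly the post's mistake
$csp = $differences | Where-Object {
    $_.Attribute -eq "pKIDefaultCSPs" -and $_.Source -eq "" -and $_.Duplicate -ne ""
}
if ($csp) {
    Write-Warning ("'{0}' pins pKIDefaultCSPs to '{1}' while '{2}' leaves it empty; clear it on the copy" -f `
        $duplicateName, $csp.Duplicate, $sourceName)
}
```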

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Certificate Services (ADCS), Certificate Templates, OCSP | Leave a Comment »

(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)

Posted by Jorge on 2013-08-29


Click here for part 5

Make sure to select YOUR preferred Array Controller and afterwards synchronize all OCSP Array Members with the OCSP Array Controller. To select a new OCSP Array Controller afterwards, select the OCSP Array Member that will become the OCSP Array Controller and select the option “Set As Array Controller”.


Figure 1: Configuring A New Array Controller

To synchronize the array members with the array controller, right-click the node “Array Configuration” and select the option “Synchronize Members With Array Controller”.


Figure 2: Synchronizing The Array Members With The Array Controller

Everything is up and running. To test OCSP you need a certificate that has been issued to some entity. After exporting the certificate to a CER file, you can use the following command to test OCSP:

CERTUTIL -URL <CER file>. If you are using a PowerShell Command Prompt window, type: & 'CERTUTIL' -URL .\<CER file>

Check (on the right side) “OCSP (from AIA)” and click “Retrieve”.


Figure 3: Testing OCSP

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 1 Comment »

(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Posted by Jorge on 2013-08-28


Click here for part 4

When using option [1] or [2], let's assume you want to have more than one OCSP server servicing the Revocation Configurations of each configured CA. After adding all revocation configurations you can add more OCSP members to the OCSP array. The first OCSP server hosting the revocation configurations is by default the array controller when adding additional OCSP members to the array. So this action, or the next script, needs to be executed on the OCSP array controller.

REMARK: A “BIG THANK YOU!” goes to Vadim Podans for helping me out in defining the correct format of the values being written to the ArrayMembers property.

# Get The Info Of The Local Server
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Put The OCSP Configuration In An Object
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $true)
# Retrieve The Current OCSP Array Member(s)
# (Item(2) Is The ArrayMembers Property In The Service Property Collection Of This Responder)
$currentArrayMembers = $ocspAdmin.OCSPServiceProperties.Item(2).Value
# Define The ADDITIONAL OCSP Array Members
$newArrayMembers = @("R2FSMBSV2.ADDMZ.LAN")
# Define The Total List Of Array Members
# (@() Forces The Current Value Into An Array, So A Single Existing Member Is Appended To Instead Of String-Concatenated)
[string[]]$totalListArrayMembers = @($currentArrayMembers) + $newArrayMembers
# Write The New Total List Of Array Members
$ocspAdmin.OCSPServiceProperties.Item(2).Value = $totalListArrayMembers
# Commit The Changes
$ocspAdmin.SetConfiguration($ocspServerFQDN, $true)


Figure 1: Configuring Additional OCSP Array Members On The Array Controller

Now open/start the “Online Responder Management” MMC. You will immediately get an array controller mismatch message as shown below.


Figure 2: Array Controller Mismatch Message

Continued in part 6 “(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Posted by Jorge on 2013-08-27


Click here for part 3

This post will explain how to configure revocation information through option [3] (Use The CA Certificate For The Revocation Information) for each ENTERPRISE CA found in AD. 


Figure 1: Configuring Revocation Configuration And Choosing The CA Certificate As The Signing Certificate

This option can only be used when OCSP is installed on the same server as the CA that OCSP is servicing.

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI
# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get The Local CA
$localCA = Connect-CA -ComputerName $ocspServerFQDN
# For The Local CA Create Revocation Configuration
# Get The CA Name
$caName = $localCA.DisplayName
# Get The CA Server Name
$caServerName = $localCA.ComputerName
# Get The CA Certificate
$caCert = $localCA.Certificate
# Get The RawData Of The CA Certificate
$caCertRawData = $caCert.RawData
# Define The OCSP Name
$ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"
# Configure The Revocation Provider Properties In A Property Collection Object For This CA
$ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
$baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
$deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
$ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
$ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
$ocspProperties.CreateProperty("RevocationErrorCode", 0)
#$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval
# Configure The OCSP Signing Flags To Use The CA Certificate As The Signing Cert
# http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
$OCSP_SF_SILENT = 0x001
$OCSP_SF_USE_CACERT = 0x002
$OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
$OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
$ocspSigningFlags = $OCSP_SF_SILENT `
    + $OCSP_SF_USE_CACERT `
    + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA `
    + $OCSP_SF_RESPONDER_ID_KEYHASH
# Save The OCSP Configuration In An Object
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
# Create New Revocation Configuration
$ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
$ocspConfig.HashAlgorithm = "SHA1"
$ocspConfig.SigningFlags = $ocspSigningFlags
$ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
$ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
$ocspConfig.ReminderDuration = 90
# Commit The New Revocation Configuration
$ocspAdmin.SetConfiguration($ocspServerFQDN, $True)


Figure 2a: Configuring Revocation Configuration For The Local Enterprise CA


Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration, let's fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 5 “(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Posted by Jorge on 2013-08-26


Click here for part 2

This post will explain how to configure revocation information through option [2] (Manually Select A Signing Certificate) for each ENTERPRISE CA found in AD. 


Figure 1: Configuring Revocation Configuration And Choosing To Manually Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI
# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}
# For Every CA Create Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName = $_.DisplayName
    # Get The CA Server Name
    $caServerName = $_.ComputerName
    # Get The CA Certificate
    $caCert = $_.Certificate
    # Get The RawData Of The CA Certificate
    $caCertRawData = $caCert.RawData
    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"
    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval
    # Configure The OCSP Signing Flags To Manually Assign A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH
    # Save The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90
    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

 


Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Now before continuing MANUALLY assign a certificate to the OCSP Revocation Configuration. Do this through the “Online Responder Management” MMC. You must do this for EVERY OCSP Array Member. The certificate that will be used must have the “OCSP Signing” Enhanced Key Usage Extension.

After the configuration, let's fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 4 “(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)

Posted by Jorge on 2013-08-25


Click here for part 1

This post will explain how to configure revocation information through option [1] (Automatically Select A Signing Certificate) for each ENTERPRISE CA found in AD.


Figure 1: Configuring Revocation Configuration And Choosing To Automatically Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI
# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}
# For Every CA Create Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName = $_.DisplayName
    # Get The CA Server Name
    $caServerName = $_.ComputerName
    # Get The CA Config String
    $caConfigString = $_.ConfigString
    # Get The CA Certificate
    $caCert = $_.Certificate
    # Get The RawData Of The CA Certificate
    $caCertRawData = $caCert.RawData
    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"
    # Get The OCSP Signing Certificate Template Published By The CA
    # (Reset Per CA, Otherwise A Template Found On The Previous CA Would Be Reused For This One)
    $ocspCertTemplateName = $null
    ($_ | Get-CATemplate).Templates | %{
        $certTemplateDisplayName = $_.DisplayName
        $enhancedKeyUsageCertTemplate = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Settings.EnhancedKeyUsage
        $enhancedKeyUsageFound = $enhancedKeyUsageCertTemplate | ?{$_.FriendlyName -eq "OCSP Signing"}
        If ($enhancedKeyUsageFound -ne $null) {
            $ocspCertTemplateName = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Name
        }
    }
    If (!$ocspCertTemplateName) {
        Write-Host "No Certificate Template Found With The 'OCSP Signing' Extension"
        Break
    }
    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval
    # Configure The OCSP Signing Flags To Automatically Select A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL = 0x004
    $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
    $OCSP_SF_AUTODISCOVER_SIGNINGCERT = 0x010
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL `
        + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA `
        + $OCSP_SF_AUTODISCOVER_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT
    # Save The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.CAConfig = $caConfigString
    $ocspConfig.SigningCertificateTemplate = $ocspCertTemplateName
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90
    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}


Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD


Figure 2c: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration, let's fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain
# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties
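The raw dump above shows SigningFlags as a bare number. As an added example (not part of this series), here is a read-back of the same configuration that decodes that number into the OCSP_SF_* names used in parts 2, 3 and 4, reports which of the three signing options from part 1 each revocation configuration is in, and surfaces the per-configuration ErrorCode exposed by the CertAdm.OCSPAdmin object. The flag table is the one from the posts; it runs against the local responder unless another server is given.

```powershell
# Added example, not from the series: audit the revocation configurations of an Online Responder.
# Decodes SigningFlags into the OCSP_SF_* names used in parts 2-4 and shows, per configuration,
# the signing mode, the template, whether a signing certificate is present and the last ErrorCode.

# Flag values as used in the posts (from the MSDN OCSPSigningFlags page they link)
$OcspSigningFlagNames = @{
    0x001 = "OCSP_SF_SILENT"
    0x002 = "OCSP_SF_USE_CACERT"
    0x004 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL"
    0x008 = "OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA"
    0x010 = "OCSP_SF_AUTODISCOVER_SIGNINGCERT"
    0x020 = "OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT"
    0x040 = "OCSP_SF_RESPONDER_ID_KEYHASH"
    0x200 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT"
}

function ConvertFrom-OcspSigningFlags {
    param([int]$Flags)
    # Names of every known bit that is set, lowest bit first
    $names = @(foreach ($bit in ($OcspSigningFlagNames.Keys | Sort-Object)) {
        if (($Flags -band $bit) -ne 0) { $OcspSigningFlagNames[$bit] }
    })
    # Any bit outside the table is reported as-is rather than silently dropped
    $known = 0
    foreach ($bit in $OcspSigningFlagNames.Keys) { $known = $known -bor $bit }
    $unknown = $Flags -band (-bnot $known)
    if ($unknown -ne 0) { $names += ("UNKNOWN_0x{0:X}" -f $unknown) }
    return $names
}

function Get-OcspRevocationConfigurationReport {
    param([string]$Server)
    if (-not $Server) {
        # Same FQDN construction the posts use for the local responder
        $cs = Get-WmiObject -Class Win32_ComputerSystem
        $Server = $cs.Name + "." + $cs.Domain
    }
    $ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($Server, $true)
    foreach ($config in $ocspAdmin.OCSPCAConfigurationCollection) {
        $flags = ConvertFrom-OcspSigningFlags -Flags $config.SigningFlags
        # Map the flags back to the three options described in part 1
        $mode = if ($flags -contains "OCSP_SF_USE_CACERT") { "[3] CA certificate signs responses" }
                elseif ($flags -contains "OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT") { "[2] manually assigned signing certificate" }
                elseif ($flags -contains "OCSP_SF_AUTODISCOVER_SIGNINGCERT") { "[1] automatically selected signing certificate" }
                else { "unrecognised combination" }
        New-Object PSObject -Property @{
            Identifier     = $config.Identifier
            SigningMode    = $mode
            SigningFlags   = ($flags -join ", ")
            Template       = $config.SigningCertificateTemplate
            HasSigningCert = (@($config.SigningCertificate).Count -gt 0)
            # HRESULT of the last load attempt; 0 means the configuration loaded cleanly
            ErrorCode      = ("0x{0:X8}" -f $config.ErrorCode)
        }
    }
}

Get-OcspRevocationConfigurationReport | Format-List Identifier, SigningMode, SigningFlags, Template, HasSigningCert, ErrorCode
```

For option [1] configurations, a non-zero ErrorCode together with HasSigningCert = False is the state the post of 2013-09-04 describes, where the responder never receives a certificate from the template.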

Continued in part 3 “(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-24) Automated/Unattended Installation Of OCSP (Part 1)

Posted by Jorge on 2013-08-24


In W2K8R2 (although not tested, it will most likely also apply to higher OS versions) three methods exist to install the Online Certificate Status Protocol (OCSP) responder. The three methods are:

  1. Through the Server Manager console by installing the ADCS role service called “Online Responder”
  2. Through the Server Manager command line “ServerManagerCMD.exe” utility by executing the command: ServerManagerCMD -install ADCS-Online-Cert
  3. Through the PowerShell CMDlet “Add-WindowsFeature” by executing the powershell command: Add-WindowsFeature ADCS-Online-Cert

Unfortunately there is no consistent behavior across the three methods. I have come to learn that only method [1] performs all tasks required in one go to get OCSP up and running. Methods [2] and [3] install the binaries but “forget” to execute the following remaining tasks:

  • Creation and configuration of the OCSP virtual directory (application)
  • Creation and configuration of the OCSP application pool (with Network Service as the user account)
  • Creation and configuration of the OCSP ISAPI filter
  • Configuration of the NTFS permissions on the physical path used by the virtual directory

Because of that, if you want to automate this, you need to perform the remaining tasks yourself to complete the installation/configuration. The goal of these posts (series) is to show you how to install and configure OCSP in Windows Server 2008 R2 in an unattended manner. So let’s get started.

To install the OCSP binaries execute the following commands. It will also install any required components:

# Installing The OCSP Binaries
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert


Figure 1: Installing The OCSP Binaries And Any Other Required Components

Next you need to issue a CERTUTIL command that will create and configure the OCSP Virtual Directory (application), the OCSP application pool and the OCSP ISAPI filter. For that issue the following command:

# Installing/Configuring OCSP Virtual Directory
# Installing/Configuring OCSP Application Pool
# Installing/Configuring OCSP ISAPI filter
& 'CERTUTIL' -VOCSPROOT


Figure 2: Installing/Configuring The OCSP Virtual Directory, The OCSP Application Pool And The OCSP ISAPI filter

Next you need to configure the correct NTFS permissions on the folder used by the OCSP virtual directory. For that issue the following command:

# Configuring The Permissions On The Physical Path Used By The OCSP Virtual Directory
Import-Module WebAdministration
# Allow:ReadAndExecute For IUSR, Inherited By Subfolders And Files
$Ace = "NT AUTHORITY\IUSR","ReadAndExecute,Synchronize","ContainerInherit, ObjectInherit", "None", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Ace
$ocspFolder = (Get-Item "IIS:\Sites\Default Web Site\ocsp").PhysicalPath
# Show The ACL Before The Change
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL
# Add The ACE And Write The ACL Back
$aclOCSPFolder.AddAccessRule($AccessRule)
$aclOCSPFolder | Set-Acl $ocspFolder
# Show The ACL After The Change
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | FL


Figure 3: Configuring The NTFS Permissions On The Folder Used By The OCSP Virtual Directory

Next you need to configure the account on the OCSP Application Pool. For that issue the following command:

# Configuring The OCSP Application Pool
# http://www.iis.net/configreference/system.applicationhost/applicationpools/add/processmodel
Import-Module WebAdministration
# IdentityType 2 = NetworkService
Set-ItemProperty -Path "IIS:\AppPools\OCSPISAPIAppPool" -Name ProcessModel.IdentityType -value 2


Figure 4: Configuring The Account Used By The OCSP Application Pool

To finish it up and reset everything, execute the following commands:

# Resetting The OCSP Service And IIS
Restart-Service OCSPSVC -Force
IISRESET


Figure 5: Resetting OCSP And IIS
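A verification step for an unattended build, as an added example that is not part of the post: it checks that the four tasks methods [2] and [3] skip have actually been completed on this server and that the OCSPSVC service is running, and exits non-zero otherwise. The site, application and application pool names are the ones the commands above create; the ISAPI filter check, which matches on "ocsp" in the filter path, is an assumption.

```powershell
# Added example, not from the post: verify the manual post-install tasks of an OCSP responder.
# Checks the OCSP application, the application pool identity, the ISAPI filter, the IUSR
# permission on the physical path and the OCSPSVC service state.
Import-Module WebAdministration

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-OcspResponderInstall {
    param(
        [string]$SiteName = "Default Web Site",
        [string]$AppPoolName = "OCSPISAPIAppPool"
    )
    $results = @()

    # 1. The OCSP application must exist under the site
    $appPath = "IIS:\Sites\$SiteName\ocsp"
    $appExists = Test-Path $appPath
    $results += New-CheckResult "OCSP application exists" $appExists $appPath

    # 2. The application pool must run as Network Service (identityType 2 in the post)
    $poolPath = "IIS:\AppPools\$AppPoolName"
    if (Test-Path $poolPath) {
        $identity = "$((Get-ItemProperty -Path $poolPath -Name processModel).identityType)"
        $results += New-CheckResult "App pool identity is NetworkService" ($identity -eq "NetworkService") "identityType=$identity"
    } else {
        $results += New-CheckResult "App pool identity is NetworkService" $false "$poolPath not found"
    }

    # 3. An ISAPI filter for OCSP must be registered on the site (matching on "ocsp" is an assumption)
    $filters = @(Get-WebConfiguration -Filter "/system.webServer/isapiFilters/filter" -PSPath "IIS:\Sites\$SiteName")
    $ocspFilters = @($filters | Where-Object { $_.path -match "ocsp" })
    $filterDetail = ($ocspFilters | ForEach-Object { $_.path }) -join "; "
    $results += New-CheckResult "OCSP ISAPI filter registered" ($ocspFilters.Count -gt 0) $filterDetail

    # 4. IUSR needs at least ReadAndExecute on the physical path (what the post's ACL edit grants)
    if ($appExists) {
        $folder = (Get-Item $appPath).PhysicalPath
        $wanted = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $iusr = @((Get-Acl $folder).Access | Where-Object {
            $_.IdentityReference.Value -eq "NT AUTHORITY\IUSR" -and
            $_.AccessControlType -eq "Allow" -and
            (($_.FileSystemRights -band $wanted) -eq $wanted)
        })
        $results += New-CheckResult "IUSR has ReadAndExecute on physical path" ($iusr.Count -gt 0) $folder
    }

    # 5. The Online Responder service itself must be running
    $svc = Get-Service -Name OCSPSVC -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)" } else { "not installed" }
    $results += New-CheckResult "OCSPSVC running" ($state -eq "Running") $state

    return $results
}

$report = Test-OcspResponderInstall
$report | Format-Table Check, Passed, Detail -AutoSize
# A non-zero exit lets an unattended build stop here instead of continuing with a half-installed responder
if (@($report | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```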

At this point OCSP has been installed and configured. However, for it to be functional and support (OCSP) client requests, you must configure OCSP with revocation information for a specific CA. When configuring OCSP with revocation information through the GUI you must select a CA certificate, and for that you have three options, as shown in the picture below.

image

Figure 6: Specifying The CA To Service For Revocation Information Through Its Certificate

After that you must determine which certificate to use to sign revocation information before the response is sent to a client. You can configure every OCSP array member to automatically select a certificate based upon a certificate template, or you must configure every OCSP array member with a certificate manually. This is shown in the picture below.

Option [1] –> with this option the OCSP will be automatically configured to retrieve a certificate based upon the specified certificate template from the specified CA. Renewals will also be automatic. This will apply to every array member.

Option [2] –> with this option, every OCSP array member individually must be configured manually with a certificate afterwards to be used by OCSP. Renewals will not be automatic and need to occur manually every time the certificate needs to be renewed. Again, this will apply to every array member.

Option [3] –> with this last option OCSP will use the CA certificate to sign responses.

image

Figure 7: Specifying Which Certificate To Use To Sign Responses

Continued in part 2 “(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)”

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 1 Comment »

(2012-09-13) Designing And Implementing An OCSP Responder (Part 6)

Posted by Jorge on 2012-09-13


For a PKI project that I’m working on I wanted to refresh my mind about Microsoft OCSP. I found these great articles/posts on the ASKDS blog providing information/guidelines about designing an OCSP infrastructure. Because this stuff is SO GOOD, I reposted everything here also. Of course the credits of all these posts go to the original writers from ASKDS. Also make sure to read all the comments in the original source as those have not been copied. The information in the comments is also quite useful!

Have I already said that this stuff is quite good?

————————————————————————————————————————————————————————————————–

ORIGINAL SOURCE: Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

Previous part: (2012-09-13) Designing And Implementing An OCSP Responder (Part 5)

Chris here again. If you have read the previous five parts of the series you are at this point very familiar with the installation and configuration of the OCSP Responder. I covered implementing the OCSP Responder to support a variety of scenarios. One thing I have not covered, however, is the configuration of the OCSP Client.

If you have read my blog series on Implementing an OCSP Responder you will be aware that one of the configuration steps is to specify the OCSP URI on the CA so that it is included in issued certificates. This definitely helps with newly issued certificates, but what about certificates that have already been issued? If you could point clients to an OCSP Responder, you would be able to use OCSP with previously issued certificates as well.

After some leg work by my colleague, he was able to determine that this feature already exists as of Service Pack 1. Needless to say, I felt ecstatic and dumb at the same time. Ecstatic that the feature was already implemented, and dumb that I was not aware of it. As of Windows Vista Service Pack 1, you can point clients to a specific OCSP server. You will need Windows 2008 servers or Windows Vista clients with RSAT installed to have the ability to implement this setting as a Group Policy. In other words, there is no requirement to have Windows 2008 domain controllers, only a requirement to manage the group policy with a Windows Vista SP1 /Windows Server 2008 computer.

Directing clients to an OCSP URL for certificates

The first step is to export the Certification Authority certificate from the CA. Log on to the CA and open a command prompt, then type certutil -ca.cert <CA Name>.cer and press Enter.

1. Open up the Group Policy Management Console. Find the GPO for which you would like to make the change and right click on that policy and select Edit.

image

2. In the Group Policy Editor navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. If your issuing CA, for example, is not a Root CA, its certificate belongs in the Intermediate Certification Authorities container instead; you can import the CA certificate into that container in the Group Policy and add the appropriate OCSP URI there.

image

3. This will start the Certificate Import Wizard, click Next

4. Then on the File to Import page of the wizard, click Browse…

5. Then browse to the CA certificate that was previously exported, select the certificate and then select Open

6. Then click Next

7. On the Certificate Store page, verify that Trusted Root Certification Authorities is selected and select Next

8. Then click Finish to close the wizard.

9. When prompted that The import was successful click OK

10. Then right click on the certificate that was just imported and select Properties.

11. Then click on the OCSP tab, enter the URL for the OCSP server you want clients to query (FCOCSP.FourthCoffee.com/ocsp) in the text box, and select Add URL. Also, if you want to disable CRL checking, you can check the Disable Certificate Revocation Lists (CRL) check box. Click OK when finished.

After group policy is updated you will see two certificates for the CA in the Trusted Root Certification Authorities store, because the CA certificate was already in that store before it was added to Group Policy. Regardless, when the chain is built, the OCSP location that was added via group policy will be incorporated in the revocation checking process. Clients will now check the OCSP URL that you configured for revocation status even if the OCSP URI is not included in the certificates.

image
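Two things are worth verifying on a client once the policy has applied: that the duplicated CA entry really is the same certificate (same thumbprint) rather than a second root that slipped in, and that chain building actually consults the OCSP URL delivered by policy. The script below is an added example, not part of the original post; the CA subject name and the path of a test certificate issued by that CA are assumptions you need to replace.

```powershell
# Added client-side check (not from the original post). Assumptions: $caSubject is the
# subject of the CA certificate you imported into the GPO, and C:\temp\test.cer is a
# certificate issued by that CA that was saved for testing.
$caSubject = 'CN=FourthCoffee Root CA'   # hypothetical; use your CA's subject
$testCert  = 'C:\temp\test.cer'

# 1. The post notes the CA certificate now appears twice in Trusted Root. Confirm both
#    entries share one thumbprint; more than one distinct thumbprint means an extra
#    root is trusted and should be investigated before revocation results are trusted.
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $caSubject }
$roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
$distinct = @($roots | Select-Object -ExpandProperty Thumbprint -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "$($distinct.Count) distinct root certificates carry subject $caSubject"
}

# 2. Clear the cached CRL/OCSP responses so the test goes to the network rather than
#    reporting a stale cached answer.
certutil -urlcache * delete | Out-Null

# 3. Build the chain with URL fetching. The output lists every CRL/OCSP URL tried and
#    which one satisfied revocation checking; the GPO-configured OCSP URL should be
#    among the ones marked as verified.
$out = certutil -verify -urlfetch $testCert
$out | Select-String -SimpleMatch -Pattern 'http', 'Verified', 'ERROR', 'Revocation'
```

Run step 3 once with the OCSP responder reachable and once with it blocked: in the second run the output should fall back to the CRL unless you ticked Disable Certificate Revocation Lists (CRL), in which case it reports a revocation error, which is the expected behaviour for that setting.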

Conclusion

The option to add the OCSP URI via group policy adds flexibility when using the OCSP Client included in Windows Vista. This feature is also extremely helpful to customers that have isolated networks, as well as to customers that want OCSP support but are not ready to renew their CA hierarchy. It is also useful if you need to change the DNS name of your OCSP Responder, which may occur for many reasons, including transitioning to a load balanced array or adding additional OCSP responders.

————————————————————————————————————————————————————————————————–

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Blog Post Series, Design Guides, OCSP | Leave a Comment »

(2012-09-13) Designing And Implementing An OCSP Responder (Part 5)

Posted by Jorge on 2012-09-13


For a PKI project that I’m working on I wanted to refresh my mind about Microsoft OCSP. I found these great articles/posts on the ASKDS blog providing information/guidelines about designing an OCSP infrastructure. Because this stuff is SO GOOD, I reposted everything here also. Of course the credits of all these posts go to the original writers from ASKDS. Also make sure to read all the comments in the original source as those have not been copied. The information in the comments is also quite useful!

Have I already said that this stuff is quite good?

————————————————————————————————————————————————————————————————–

ORIGINAL SOURCE: Implementing an OCSP Responder: Part V High Availability

Implementing an OCSP Responder: Part V High Availability

Previous part: (2012-09-13) Designing And Implementing An OCSP Responder (Part 4)

Chris here again. In the four previous parts of this series we covered the basics of OCSP, as well as the steps required to prepare the CA and implement the OCSP Responder. In this section I would like to talk about how to implement a highly available OCSP configuration.

There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array.

The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance. I am going to demonstrate using the built in Windows Network Load Balancing feature of Windows Server 2008. You can of course use a third party hardware load balancer if you wish. In this example, we are going to deploy two OCSP Servers in a highly available configuration.

Firewall Exceptions

In Windows Server 2008 the Windows Firewall is enabled by default. Depending on the requirements of your enterprise, you may have the firewall in its default state, you may have it turned off, or you may have a custom configuration.

If you are unfamiliar with Windows Firewall with Advanced Security, you may want to review Windows Firewall with Advanced Security and IPSEC, which has links to a variety of sources for learning about as well configuring and implementing the Windows Firewall with Advanced Security. The document includes a link on how to deploy firewall settings with Group Policy.

In Windows Firewall with Advanced Security there are three types of profiles:

  • Domain. Windows automatically places in this category the networks on which it can authenticate access to a domain controller for the domain to which the computer is joined. No other networks can be placed in this category.
  • Public. Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public places, such as airports and coffee shops, should be left public.
  • Private. A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind a NAT device (preferably a hardware firewall) should be identified as private networks. Users will likely want to identify home or small business networks as private.

http://technet.microsoft.com/en-us/library/cc748991(WS.10).aspx

In a higher security environment you may want to configure this setting for a specific profile. For example inside an enterprise you may want to enable the rule just for the Domain Profile.

In this example when we configure the rules, we are configuring them for Any profile, which will allow the responder to be managed regardless of which profile is applied.

When you install the OCSP Role the following Inbound Rules will be configured on the Windows Firewall:

World Wide Web Services (HTTP Traffic-IN)

World Wide Web Services (HTTPS Traffic-IN)

Also, the following Outbound Rule will be enabled:

Online Responder Service (TCP-Out)

These rules allow the OCSP Responder to receive the OCSP requests from the client and to respond to the OCSP clients.

You will also need to enable the following rules to manage the OCSP Responders as well as allowing the OCSP Responder to sync the configuration with the Array Controller:

Online Responder Service DCOM-In

Online Responder Service RPC-In

To enable the rules, open the Windows Firewall with Advanced Security MMC (WF.msc) and click on Inbound Rules. Find the rule, right click on the rule and select Enable Rule from the context menu.

image

You should perform this action on every OCSP Responder that will be a member of the array. A more scalable solution is to place all of the OCSP Responders in a common OU, and use group policy to maintain a consistent configuration.
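On Windows Server 2008 the firewall is scripted with netsh (the Get-/Enable-NetFirewallRule cmdlets only arrived in Windows Server 2012), so the MMC steps above translate into the following added example, which is not part of the original post. It enables the two management rules on a responder, optionally restricted to the Domain profile as the post suggests for higher-security environments, and then reports the state of every rule the post mentions. The rule display names follow the post's "Online Responder Service (TCP-Out)" naming pattern and are an assumption: confirm them with the listing command in the warning before relying on the script.

```powershell
# Added example (not from the original post). Run on each OCSP Responder that will join
# the array. $profile = 'any' mirrors the post's example; set it to 'domain' to enable
# the rules for the Domain profile only.
$profile = 'any'
$rulesToEnable = @(
    'Online Responder Service (DCOM-In)',   # assumed display name; verify on your system
    'Online Responder Service (RPC-In)'     # assumed display name; verify on your system
)

# Returns Yes/No for the rule's Enabled field, or NotFound/Unknown when netsh cannot match it.
function Get-FirewallRuleState {
    param([string]$Name)
    $text = netsh advfirewall firewall show rule name="$Name"
    if ($LASTEXITCODE -ne 0 -or (($text -join "`n") -match 'No rules match')) { return 'NotFound' }
    $line = $text | Where-Object { $_ -match '^\s*Enabled:\s*(\S+)' } | Select-Object -First 1
    if ($line -and $line -match 'Enabled:\s*(\S+)') { return $Matches[1] }
    return 'Unknown'
}

foreach ($rule in $rulesToEnable) {
    if ((Get-FirewallRuleState $rule) -eq 'NotFound') {
        Write-Warning "Rule '$rule' not found. List candidates with: netsh advfirewall firewall show rule name=all | findstr /i `"Online Responder`""
        continue
    }
    netsh advfirewall firewall set rule name="$rule" profile=$profile new enable=yes | Out-Null
}

# Report the rules the role install should already have enabled plus the two just handled.
$expected = @(
    'World Wide Web Services (HTTP Traffic-In)',
    'World Wide Web Services (HTTPS Traffic-In)',
    'Online Responder Service (TCP-Out)'
) + $rulesToEnable
foreach ($rule in $expected) { '{0,-45} {1}' -f $rule, (Get-FirewallRuleState $rule) }
```

The report makes the intended exposure explicit: only HTTP/HTTPS inbound for clients, and DCOM/RPC inbound for management and array synchronisation. Anything else showing as enabled on a responder deserves a second look.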

CA Preparation

In Part II of this series we discussed preparing the certificate authorities for use with the OCSP Responder. One of the configuration steps was to configure the Authority Information Access (AIA) extension with the OCSP extension that includes the URL pointing to the OCSP Responder. When configuring an OCSP Responder in a load balanced configuration you will need to specify the name of the load balancer. Below is a diagram of the OCSP infrastructure that I will walk through implementing in this blog posting. Notice that the names of the two OCSP Responders are FCOCSP01.FourthCoffee.Com and FCOCSP02.FourthCoffee.com. You will also notice that I have decided to assign the name FCOCSP.FourthCoffee.Com to the NLB cluster. Since I want clients to access the load balancer and let the load balancer determine which OCSP Responder the OCSP request goes to, I must specify FCOCSP.FourthCoffee.Com in the OCSP URI.

image

DNS Configuration

As mentioned above, you will want OCSP clients to send their OCSP requests to the load balancer. This allows the load balancer to distribute requests, which is especially important if one of the OCSP Responders is offline. To ensure that clients can resolve the DNS name of the cluster you will want to register the hostname in DNS.

To register the A record for the NLB cluster in DNS, perform the following steps:

1. Open up the DNS Manager MMC (dnsmgmt.msc)

2. Right click on the appropriate zone and select New Host (A or AAAA)… from the context menu.

image

3. In the New Host dialogue box enter the hostname that will be used for the NLB Cluster, and enter the appropriate IP address. You can provide additional configuration such as Create associated (PTR) record if appropriate for your environment.

image

Configuring OCSP Responder Array

In the upcoming section we will configure two OCSP Responders in an array. The purpose of configuring an array is to maintain the same configuration between OCSP Responders. It is important to be aware of which Revocation Configurations you will be supporting with the array. For Revocation Configurations that support Enterprise CAs and are configured to automatically enroll for an OCSP signing certificate, the process is somewhat transparent since the responders added to the array will automatically request the OCSP signing certificate. For Revocation Configurations that support Standalone CAs, an OCSP signing certificate will need to be manually requested, installed and configured. And of course an OCSP Responder can support both types of Revocation Configurations on the same responder.

OCSP Responder Array Setup

Prerequisites: The Windows Firewall has been configured as shown in the Firewall Exceptions sections above.

Steps:

1. The OCSP Signing certificate template must of course be available on the Enterprise CA that the array is going to provide revocation information for. All OCSP Responders that are going to be members of the array must have Read and Enroll permissions on the OCSP Signing certificate template. Alternatively, if the array is going to support a Revocation Configuration for a Standalone CA, the OCSP signing certificate will need to be installed manually. Remember to give read permission on the private key for any OCSP signing certificates that are installed manually. If you are unfamiliar with this process, instructions for giving the Network Service read permissions to the private key of the OCSP signing certificate are available in Part I of this series.

2. Configure the OCSP Responder that will become the Array Controller. For guidance on deploying an OCSP Responder please see Part III and Part IV of this series.

3. Configure the first OCSP Responder as an Array Controller.

4. Add additional OCSP Responders to the array.

Note: if using OCSP Responders on Hyper-V guests, see the extra steps here on how to configure NLB for virtual guests.

I will be covering the final two steps as the other steps are covered elsewhere in this Blog Series.

1. In the Online Responder Management Console, expand Array Configuration. Select the Responder that you wish to make the Array Controller, right click on the responder name, and select Set as Array Controller from the context menu.

image

2. To add an OCSP Responder to the array, right click on Array Configuration, and select Add Array Member from the context menu.

image

3. You will then receive the Select Computer dialog box. Click on the Browse… button.

4. Enter the name of the OCSP Responder that you wish to add, and click on the Check Names button.

5. Once the computer name of the OCSP Responder has been resolved, click OK.

6. The Select Computer dialogue box will now be populated with the FQDN of the computer that is hosting the Online Responder. Click OK.

7. You will then be prompted to confirm that you wish to add the array member. This dialogue box will give you one last chance to abort before the configuration of the OCSP Responder is overwritten with the configuration of the Array Controller. Click Yes to continue.

image

8. To verify the configuration expand Array Configuration in the OCSP MMC and select the name of the Responder that was just added. The Revocation Configuration Status should be the same as illustrated in the figure below.

image

Note: If you are using a manually installed certificate, such as from a Standalone CA, you will receive the error in the figure below.

image

To rectify this issue you will need to manually assign the certificate after it is installed in the Local Machine Store. Expand Array Configuration, click on the name of the OCSP Server that was just added to the Array, and Right click on the Revocation Configuration that will be using a manually assigned signing certificate. Select Assign Signing Certificate from the context menu.

image

Select the appropriate certificate, and click OK.

image

You will then get the error listed below. This error simply indicates that the OCSP Responder has not yet retrieved revocation information, so it cannot verify that the configuration is correct.

image

If you would like to clear this error, Right click on Array Configuration and select Refresh Revocation Data.

image

Installing the Network Load Balancing Feature

Before you install and configure the NLB cluster, there are some key items you will need to know ahead of time:

  • What IP address are you going to assign to the NLB cluster?
  • What DNS name are you going to associate with this cluster?

Before you can configure the NLB Cluster, you must first install the Network Load Balancing feature on all of the OCSP Responders that will be a member of the NLB cluster.

To install the NLB feature, open a command prompt and type ServerManagerCmd -install NLB, as illustrated below.

image

Configuring the NLB Cluster

1. Once the Network Load Balancing feature is installed, open the Network Load Balancing Manager.

2. Select Cluster from the Menu Bar, and then select New. This will start the New Cluster Wizard.

image

3. Enter the hostname of the first node and click Connect, then click Next.

4. This will open the Host Parameters page of the New Cluster Wizard. Accept the defaults and click Next.

5. Next on the Cluster IP address page of the Wizard, click Add…

6. Here you will add the IP address and subnet mask of the Load Balancer. After you enter the network information, click OK.

7. Then click Next.

8. On the Cluster Parameters page add the FQDN of the cluster in the Full Internet Name text box. Configure the Cluster Operation Mode as appropriate for your environment. In this example I have selected Unicast.

9. On the Port Rules Page click Finish.

Add Nodes to the cluster

For each node that you would like to add to the NLB cluster you will need to perform the following steps.

1. Expand Network Load Balancing Clusters in the Network Load Balancing Manager. Right click on the name of the cluster and select Add Host to Cluster from the context menu. This will start the Add Host to Cluster Wizard.

image

2. On the Connect Page of the Wizard, enter the hostname of the node you wish to add to the cluster and click Connect.

3. On the Host Parameters page click Next.

4. On the Port Rules page of the Wizard click Finish.
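The two wizard sequences above (create the cluster on the first responder, then add each further node) can be scripted with the NetworkLoadBalancingClusters PowerShell module. The script below is an added example, not part of the original post; that module ships with the NLB feature on Windows Server 2008 R2 and later, so on Windows Server 2008 itself, which the post targets, the NLB Manager steps above remain the way to do it. The cluster name and node names mirror the post's diagram; the interface name, cluster IP and subnet mask are assumptions.

```powershell
# Added example (not from the original post). Requires the NLB feature and its PowerShell
# module (Windows Server 2008 R2 or later). Run on the first responder (FCOCSP01).
Import-Module NetworkLoadBalancingClusters

$clusterFqdn = 'FCOCSP.FourthCoffee.com'   # cluster name from the post's diagram
$clusterIp   = '10.0.0.50'                 # assumed cluster VIP; this is the address for the DNS A record
$subnetMask  = '255.255.255.0'             # assumed
$nic         = 'Local Area Connection'     # assumed NIC name on every node
$secondNode  = 'FCOCSP02'                  # second responder from the post's diagram

# New Cluster Wizard equivalent: host parameters default, one cluster IP, Unicast mode,
# default port rule (all ports) exactly as the post's "click Finish" on the Port Rules page.
New-NlbCluster -InterfaceName $nic -ClusterName $clusterFqdn `
               -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask `
               -OperationMode Unicast | Out-Null

# Add Host to Cluster Wizard equivalent for the second responder.
Add-NlbClusterNode -NewNodeName $secondNode -NewNodeInterface $nic | Out-Null

# Verify both nodes have converged before pointing the AIA/OCSP URI at the cluster name.
Get-NlbClusterNode | Format-Table -AutoSize
```

Do not publish FCOCSP.FourthCoffee.Com in the CA's OCSP URI until both nodes report a converged state; a URI that resolves to a cluster with no converged host makes every client fall back to CRL checking or fail revocation checks outright.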

Conclusion

In this posting we covered implementing a highly available OCSP Responder. In the next part of this series I will be covering how to configure clients to obtain revocation information from an OCSP Responder that is not listed in the OCSP URI of the certificate.

Next part: (2012-09-13) Designing And Implementing An OCSP Responder (Part 6)

————————————————————————————————————————————————————————————————–

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Blog Post Series, Design Guides, OCSP | 1 Comment »

(2012-09-13) Designing And Implementing An OCSP Responder (Part 4)

Posted by Jorge on 2012-09-13


For a PKI project that I’m working on I wanted to refresh my mind about Microsoft OCSP. I found these great articles/posts on the ASKDS blog providing information/guidelines about designing an OCSP infrastructure. Because this stuff is SO GOOD, I reposted everything here also. Of course the credits of all these posts go to the original writers from ASKDS. Also make sure to read all the comments in the original source as those have not been copied. The information in the comments is also quite useful!

Have I already said that this stuff is quite good?

————————————————————————————————————————————————————————————————–

ORIGINAL SOURCE: Implementing an OCSP responder: Part IV – Configuring OCSP for use with Standalone CAs

Implementing an OCSP responder: Part IV – Configuring OCSP for use with Standalone CAs

Previous part: (2012-09-13) Designing And Implementing An OCSP Responder (Part 3)

Chris here again. In Part I of this series we covered the basics of how OCSP works. We also covered the underlying reasons for deploying an OCSP Responder. In Part II we covered configuring the Certificate Authorities for which the OCSP Responder will check revocation status on behalf of the clients. In Part III we covered configuring an OCSP Responder to support Enterprise CAs. You may use Standalone CAs in your environment. In this blog post, I will be covering deploying a Revocation Configuration to support a Standalone CA.

Enterprise CAs are very tightly integrated with Active Directory. As such, the certificates for the Root CA and for intermediate CAs are published to Active Directory. These certificates are automatically placed in the appropriate certificate stores on the clients. If you publish the Root CA certificate that the issuing CA chains up to in Active Directory, the clients will have that Root CA certificate published to the Trusted Root Certification Authorities container in the user and machine store. If you have not, or do not plan to, deploy the Root CA certificate through Active Directory and Group Policy, you will need to manually publish the Root certificates in the Trusted Root Certification Authorities store.

Installing OCSP Responder Role

The first step is to install the OCSP Responder Role.

To install the OCSP Responder: Open a command prompt and type: servermanagercmd.exe -install ADCS-Online-Cert

Requesting and Installing the OCSP Responder Signing Certificate

The next step is to request the OCSP Response Signing Certificate from the Standalone CA. Since a Standalone CA does not have certificate templates we must manually request the attributes we would like in the certificate. To do this we use a utility called certreq.exe. More information for Certreq is available here: http://technet.microsoft.com/en-us/library/cc736326.aspx.

To use certreq we must first generate a configuration file. Figure 1 shows a sample configuration file. The key items that must be included are the OCSP Signing OID and the OCSP No Revocation Check extension, otherwise known as the id-pkix-ocsp-nocheck extension.

image

Let us take a look at this configuration file.

  • First we have [NewRequest] which is a required section indicating that this is for a new certificate request.
  • Then we have the subject in X.500 format. You can also use the LDAP format, which is derived from X.500. For example: CN=FCOCSP01,DC=FourthCoffee,DC=Com. Alternatively, you could use just the common name, such as CN=FCOCSP01.
  • PrivateKeyArchive=False since we will not be archiving the private key.
  • Exportable=True which gives us the option to export the private key if so desired.
  • UserProtected=False which disables strong key protection.
  • MachineKeySet=True, which is used to indicate that the resulting certificate will be stored in the machine store.
  • ProviderName="Microsoft Enhanced Cryptographic Provider v1.0" specifies the Cryptographic Service Provider (CSP) that will be used.
  • UseExistingKeySet=False indicates that this request is for a new certificate, with a new key pair.
  • RequestType=CMC tells certreq to generate the request in CMC format.
  • Then we specify the new section [EnhancedKeyUsageExtension], which indicates what OIDs should be placed in the EKU extension of the certificate. Under that section we specify that this certificate can be used for OCSP Signing by specifying the OCSP Signing OID (OID="1.3.6.1.5.5.7.3.9").
  • We then start a new section called [Extensions] and specify that the id-pkix-ocsp-nocheck extension should be included in the certificate.

Below are the steps for generating the request and installing the signing certificate:

1. First we use certreq to generate the request file. We specify the configuration file and the output request file. The key pair for this certificate is generated at the same time the request file is created by Certreq.

image

2. Next, we must submit the request to the CA. Copy the request file over to the Standalone CA. From the Certification Authority MMC, right click on the CA Name, and select All Tasks from the context menu, and then Submit New Request.

image

3. Browse to the request file, and select Open.

4. The request will then show up in Pending Requests. Right click on the request, and select All Tasks from the context menu, then select Issue.

image

5. You will now find the requested Certificate under Issued Certificates. Double click on the certificate to view its properties.

image

6. Verify the certificate. Key things to look for here are the presence of the OCSP No Revocation Checking extension, and that OCSP Signing is specified in the Enhanced Key Usage (EKU) extension.

image

Exporting the Certificate from the CA

1. First select Copy to File from the Details Tab of the Certificate Properties. This will open the Certificate Export Wizard.

2. Click Next at the Welcome Screen.

3. Select DER encoded binary X.509 (.CER), and click Next.

4. Browse to the location where you wish to save the resulting certificate, give the certificate a name, and click Save.

5. Click Finish at the Completing the Certificate Export Wizard screen.

6. You will be prompted that The export was successful. Click OK.

Installing the OCSP Response Signing Certificate

Copy the resulting certificate to the OCSP server. Open a command prompt, navigate to the location where you saved the certificate file, and run certreq -accept <Certificate Name> to complete the installation of the certificate.

image
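The request, issue, retrieve and accept steps above, together with the INF file described in the bullet list (the post's Figure 1 screenshot is not reproduced), are collected below as an added example that is not part of the original post. It writes the INF, generates the CMC request with its key pair on the responder, submits it to the standalone CA, and, once an administrator has issued the pending request, retrieves and accepts the certificate and checks the two properties step 6 tells you to look for. The CA config string, host name, file paths, RequestId and the KeyLength line are assumptions; every other INF setting is the one listed above.

```powershell
# Added example (not from the original post). Run on the OCSP Responder; step 3 runs on
# the CA. "<host>\<CA name>" config string, paths and the RequestId are placeholders.
$caConfig  = 'FCCA01.FourthCoffee.com\FourthCoffee Standalone CA'   # hypothetical
$inf       = 'C:\temp\ocsp-signing.inf'
$req       = 'C:\temp\ocsp-signing.req'
$cer       = 'C:\temp\ocsp-signing.cer'
$requestId = 0   # placeholder: set to the RequestId printed by certreq -submit

# INF reconstructed from the post's bullet list. KeyLength is an addition (not in the
# post); the EKU OID and the nocheck extension are the two items the post says are required.
@'
[NewRequest]
Subject = "CN=FCOCSP01.FourthCoffee.com"
PrivateKeyArchive = False
Exportable = True
UserProtected = False
MachineKeySet = True
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
UseExistingKeySet = False
RequestType = CMC
KeyLength = 2048

[EnhancedKeyUsageExtension]
; id-kp-OCSPSigning
OID = 1.3.6.1.5.5.7.3.9

[Extensions]
; id-pkix-ocsp-nocheck: clients must not check revocation of the signing certificate itself
1.3.6.1.5.5.7.48.1.5 = Empty
'@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair (machine store, chosen CSP) and the CMC request file.
certreq -new $inf $req

# 2. Submit to the standalone CA. Without templates the CA leaves the request pending and
#    certreq prints the RequestId; note it for the next two steps.
certreq -submit -config $caConfig $req $cer

# 3. On the CA, an administrator issues the pending request (command-line equivalent of
#    the MMC "All Tasks > Issue" step):
#    certutil -config "<host>\<CA name>" -resubmit <RequestId>

# 4. Back on the responder, retrieve the issued certificate and bind it to the pending key.
certreq -retrieve -config $caConfig $requestId $cer
certreq -accept $cer

# 5. Verify the same two things the post's step 6 checks in the MMC.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=FCOCSP01*' -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasOcsp = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.9' })
$noCheck = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.48.1.5' })
"OCSP Signing EKU present : $hasOcsp"
"id-pkix-ocsp-nocheck set : $noCheck"
```

Exportable=True is kept because that is what the post's configuration shows; on a production responder there is rarely a reason to be able to export the response-signing key, so setting it to False there is the more conservative choice.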

Configuring Private Key Permissions

The Online Responder Service runs under the Network Service account. By default the Network Service account does not have access to private keys of certificates located in the Local Computer Personal store. To give the Network Service access, perform the following steps:

1. Open up the Certificates MMC targeted for the Local Computer.

2. Right click on the certificate, then select “All Tasks” from the context menu, and then select Manage Private Keys….

image

3. Click Add on the Permissions dialog box.

image

4. Type Network Service, and then click Check Names to resolve the name. Then click OK.

image

5. The Network Service only needs read permissions to the Private Key, so deselect the Allow privilege for Full Control, and verify the Allow privilege is granted for Read, and click OK.

image
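The Manage Private Keys dialog above edits the ACL on the key container file, so the same grant can be made and, more importantly, audited from PowerShell. The script below is an added example, not part of the original post, for a key held by a legacy CSP such as the Microsoft Enhanced Cryptographic Provider v1.0 used in this series, whose key files live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. It locates the signing certificate, grants NETWORK SERVICE Read on the key file, and then lists that account's entries and flags anything broader than Read. The subject filter is an assumption.

```powershell
# Added example (not from the original post). Assumes a CSP-held key (not a KSP key) and a
# certificate subject starting with CN=FCOCSP01.
$subjectFilter = 'CN=FCOCSP01*'   # assumption: adjust to your signing certificate

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like $subjectFilter } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches $subjectFilter" }
if (-not $cert.PrivateKey) { throw 'Private key is not exposed through the CSP interface (KSP key?); use the MMC dialog' }

# Legacy CSP keys are files named after the unique key container.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found" }

# NT AUTHORITY\NETWORK SERVICE, by well-known SID so the script is locale independent.
$networkService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'

# Grant Read only: the responder needs to sign with the key, not replace or export it.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $networkService, [System.Security.AccessControl.FileSystemRights]::Read, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Audit: list NETWORK SERVICE's entries on the key file and flag anything beyond Read.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $networkService } |
    ForEach-Object {
        $flag = if (($_.FileSystemRights -band $write) -ne 0) { '<- more than Read' } else { '' }
        '{0,-5} {1,-30} {2}' -f $_.AccessControlType, $_.FileSystemRights, $flag
    }
```

The audit part is the piece to keep around: run it against every manually installed signing certificate in the array, since a Full Control entry left over from the dialog's default selection gives the responder's service account far more than it needs.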

Now that we have installed the OCSP Response Signing certificate and configured the private key permissions, we must configure the Revocation Configuration for the CA on the OCSP Responder. Open the OCSP Management Console and follow these steps to configure the Revocation Configuration:

1. Right click on Revocation Configuration, and select Add Revocation Configuration from the context menu.

image

2. This will start the Add Revocation Configuration wizard. Click Next, when presented with the Getting started with adding a revocation configuration screen.

image

3. On the Name the Revocation Configuration screen, give a name to the configuration, and click Next. Note: It is a good idea to name the configuration for the CA server, in case this Responder will be used for multiple CAs.

image

4. On the Select CA Certificate Location screen, Select a certificate from the Local certificate store, and click Next.

image

5. On the Choose CA Certificate screen, click Browse.

image

6. Select the CA certificate, for the CA you are configuring on the OCSP Responder, and click OK.

image

7. You will then be returned to the Choose CA Certificate screen. The CA that you selected will be displayed. Click Next to continue.

image

8. You will now need to select a signing certificate, on the Select Signing Certificate screen. Select Manually select a signing certificate, and click Next.

image

9. You will then be returned to the Revocation Provider screen, click Finish to complete the wizard.

Assigning the Signing Certificate

After completing the wizard, you will notice under the “Revocation Configuration Status” portion of the “Online Responder Configuration” page that the OCSP configuration you just added has an error indicating “Bad Signing certificate on Array controller”. No need to panic at this point. This error is generated because we have not assigned the OCSP Response Signing certificate yet.

image

Now let us go ahead and assign the Signing certificate.

1. In the OCSP MMC, expand Array Configuration and click on the name of the OCSP server. Then in the center pane of the console select the appropriate Revocation Configuration, right click on it, and select Assign Signing Certificate from the context menu.

image

2. You will then be prompted to select the signing certificate. Select the appropriate signing certificate and click OK.

image

At this point you will now see some warnings. If you look under the Revocation Configuration Status for the Revocation Configuration you are configuring, you will notice this error:

image

Also, on the Online Responder Configuration page you will notice this error:

image

This is due to the fact that the Revocation Provider has not yet been verified. To verify the Revocation Provider, right click on Array Configuration, and select Refresh Revocation Data.

image

Once the Revocation Provider has been verified, you should see this under Revocation Configuration Status for the Revocation Configuration you are configuring.

image


image

Verify OCSP Configuration

To verify your OCSP configuration please follow the Verify OCSP Configuration section in Part III of this series.

Conclusion

This concludes Part IV of this Series. I hope you enjoyed the first four parts of the series and find them useful. I plan to cover other PKI topics in the near future.

Next part: (2012-09-13) Designing And Implementing An OCSP Responder (Part 5)

————————————————————————————————————————————————————————————————–

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Blog Post Series, Design Guides, OCSP | 1 Comment »