Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Configuring and Using Active Directory Certificate Services (part 2) - Finalizing the Configuration of an Online Responder

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
11/16/2011 3:27:54 PM

2. Finalizing the Configuration of an Online Responder

If you decided to use online responders, you need to finalize their configuration. You can link online responders to create an array of systems that provides high availability for the service. An array can be as simple as two CAs acting as ORs, or it can include many more servers.

To finalize the configuration of an online responder, you must configure and install an OCSP Response Signing certificate and configure an Authority Information Access (AIA) extension to support it. After this is done, you must assign the template to a CA and then enroll the system to obtain the certificate. Use the following procedure to configure the OCSP Response Signing certificate.

  1. Log on to an issuing CA server, using a domain account with local administrative access rights.

  2. In Server Manager, expand Roles\Active Directory Certificate Services and select Certificate Templates (servername).

  3. Right-click the OCSP Response Signing template and click Duplicate Template. Select a Windows Server 2008 Enterprise template and click OK.

  4. Type a valid name for the new template, such as OCSP Response Signing WS08.

  5. Select the Publish Certificate In Active Directory check box.

  6. On the Security tab, under Group Or User Names, click Add, click Object Types to enable the Computer object type, and click OK.

  7. Type the server name, and then click Check Names or browse to find the computer that hosts the online responder. Click OK.

  8. Click the computer name and then, in the Permissions section of the dialog box, select the Read, Enroll, and Autoenroll permissions in the Allow column.

  9. Click OK to create the duplicate template.

Your certificate template is ready. Now you must configure the AIA extension to support the OR.


Warning:

IMPORTANT ASSIGNING ACCESS RIGHTS

Normally, you should assign access rights to groups and not to individual objects in an AD DS directory. Because you will have several ORs, using a group makes sense. Ideally, you should create a group in AD DS, name it appropriately (for example, Online Responders), and add the computer accounts of each OR to this group. After you do that, you assign the access rights of the OCSP Response Signing template to the group instead of to the individual systems. This way, you have to assign these access rights only once.


  1. Log on to an issuing CA, using a domain account with local administrative credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services\Issuing CA servername.

  4. Right-click the issuing CA server in the tree pane and click Properties.

  5. On the Extensions tab, click the Select Extension drop-down list, and then choose Authority Information Access (AIA).

  6. Specify the locations to obtain certificate revocation data. In this case, select the location beginning with http://.

  7. Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes.

  8. Click OK to apply the changes.

  9. Note that you must stop and restart the AD CS service because of the change. Click Yes in the Certification Authority dialog box to do so.

  10. Move to the Certificate Templates node under the issuing CA name in the tree pane, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

  11. In the Enable Certificate Templates dialog box, select the new OCSP Response Signing template that you created earlier and click OK.

    The new template should appear in the details pane.

  12. You now need to verify that the OCSP certificate has been assigned to the server. You do so with the Certificates snap-in. By default, this snap-in is not in a console. You must create a new console to use it.

  13. Open the Start menu, type mmc in the search box, and press Enter.

  14. In the MMC, click Add/Remove Snap-in on the File menu to open the Add Or Remove Snap-ins dialog box.

  15. Select the Certificates snap-in and click Add.

  16. Select Computer Account and click Next.

  17. Select Local Computer and click Finish.

  18. Click OK to close the Add Or Remove Snap-ins dialog box.

  19. On the File menu, click Save to save the console and place it in your Documents folder. Name the console Computer Certificates and click Save.

  20. Expand Certificates\Personal and select Certificates.

  21. Right-click Certificates under Personal, point to All Tasks, and then click Request New Certificate.

  22. On the Certificate Enrollment page, make sure the Active Directory Enrollment Policy is selected and click Next.

  23. Select the new OCSP certificate and click Enroll.

  24. On the next page, click the down arrow to the right of Details, and then click View Certificate. Browse through the tabs to view the certificate details. Note the certificate name. Click OK.

  25. Click Finish to complete this part of the operation.

  26. Right-click the new Certificate, point to All Tasks, and then click Manage Private Keys.

  27. On the Security tab, under Group Or User Names, click Add.

  28. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Locations and select the local server name. Click OK.

  29. Type Network Service and click Check Names.

  30. Click OK.

  31. Click Network Service, and then, in the Permissions section of the dialog box, make sure the Allow::Full Control permission is selected.

  32. Click OK to close the dialog box.

Your OR is ready to provide certificate validation information.


Note:

MORE INFO ONLINE RESPONDER

For more information on the OR service, go to http://technet2.microsoft.com/windowsserver2008/en/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f1033.mspx?mfr=true.


You’ll note that the Online Responder node in Server Manager also includes an Array Configuration node. When you add other ORs, you can add them to this array configuration to provide high availability of the OR service. Complex environments using multitiered hierarchies have large OR arrays to ensure that all their users and devices can easily validate their certificates.

2.1. Adding a Revocation Configuration for an Online Responder

When the OR is ready, add a revocation configuration. Because each CA that is an OR in an array includes its own certificate, each also requires a revocation configuration. The revocation configuration serves requests for specific CA key pairs and certificates. In addition, you need to update the revocation configuration for a CA each time you renew its key pair. To create a Revocation Configuration, perform the following steps:

  1. Log on to an issuing CA, using a domain account that has local administrative rights.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services\Online Responder and select Revocation Configuration.

  4. Right-click Revocation Configuration and click Add Revocation Configuration.

  5. On the Welcome page, click Next.

  6. On the Name The Revocation Configuration page, assign a valid name.

    Because each revocation configuration is tied to a particular CA, it makes sense to include the CA’s name in the name of the configuration—for example, RCSERVER04.

  7. Click Next.

  8. On the Select CA Certificate Location page, identify the location from which the certificate can be loaded.

    You can choose from Active Directory, a local certificate store, or a file. Choose Select A Certificate For An Existing Enterprise CA and click Next.

    Now, the OR must validate that the issuer of the certificate, in this case the root CA, has a valid certificate. Two choices are possible: in Active Directory or by computer name.

  9. Because your root CA is offline, choose Browse CA Certificates Published In Active Directory and click Browse.

  10. Locate the root CA and click OK.

    After the certificate is selected, the wizard loads the Online Responder signing templates.

  11. Click Next.

    On the Select Signing Certificate page, you must select a signing method because the OR signs each response to clients before it sends it. Three choices are available:

    • Automatic selection loads a certificate from the OCSP template you created earlier.

    • Manually, you can choose the certificate to use.

    • CA Certificate uses the certificate from the CA itself.

    Choose Automatically Select A Signing Certificate and select Auto-Enroll For An OCSP Signing Certificate.

  12. Browse for a CA and select the issuing CA. Click OK.

    This should automatically select the certificate template you prepared earlier.

  13. Click Next.

    The wizard initializes the revocation provider. If for some reason it cannot find it, you must add the provider manually, as described in the next steps.

  14. Click Provider, and then click Add under Base CRLs. For example, you could use the following HTTP address: http://localhost/ca.crl.

  15. Click OK. Repeat the preceding step for the Delta CRLs using the same HTTP address, and click OK. However, because you are obtaining the certificate from Active Directory, the listed provider is an address in ldap:// format and should be provided automatically by the wizard. AD CS relies on Lightweight Directory Access Protocol (LDAP) to obtain information from the AD DS directory store.

  16. Click Finish to complete the revocation configuration.

You should now have a new revocation configuration listed in the details pane. Repeat this procedure for each CA that is an OR.

Other -----------------
- Windows Server 2003 : The Security Configuration Wizard
- Windows Server 2003 : Understanding Security Considerations
- Microsoft Content Management Server : Moving Postings
- Microsoft Content Management Server : Copying Postings
- Upgrading to Systems Management Server 2003 - Upgrading a Primary Site & Upgrading a Secondary Site
- Exchange Server 2007 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006
- Exchange Server 2007 : Working with ActiveSync Policies
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 3)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 2)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 1) - Create Web Listener
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server