Microsoft OCSP LUNA SA PCI Integration Guide
Preface

© 2010 SafeNet, Inc. All rights reserved.
Part Number: 007-011100-001 (Rev A, 03/2010)

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of SafeNet.

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address below.

SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA

Limitations

This document does not include the steps to set up the third-party software. The steps given in this document must be modified accordingly. Refer to Luna SA documentation for general Luna setup procedures.

Disclaimers

The foregoing integration was performed and tested only with the specific versions of equipment and software and only in the configuration indicated. If your setup matches exactly, you should expect no trouble, and Customer Support can assist with any missteps. If your setup differs, then the foregoing is merely a template and you will need to adjust the instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee success in setups that we have not tested.

Technical Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support.

SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Technical Support Contact Information:
Phone: 800-545-6608, 410-931-7520
Email: support@safenet-inc.com
Table of Contents

Preface
Chapter 1 Introduction
  Scope
  Supported Platforms
  Prerequisites
    Luna SA Setup
    Luna PCI Setup
    Microsoft OCSP Setup
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI
  Setting up Luna SA / Luna PCI for Online Certificate Status Protocol
  Before you install
  1. Setting up an Enterprise Root certificate authority
  2. Installing the Online Responder service
  3. Configuring the CA to issue OCSP Response Signing Certificates
    3.1 Configuring certificate templates for your test environment
    3.2 Making OCSP only accept a SafeNet Provider
    3.3 Configuring the CA to support the Online Responder service
  4. Creating a revocation configuration
    4.1 Verifying that the signing certificate is properly configured
    4.2 Modifying the Online Responder service to use Luna Hardware Security Modules
    4.3 Setting up a revocation configuration
  5. Verifying that OCSP works correctly
    5.1 Generate a Certificate Request
    5.2 Test the certificate's origin
    5.3 Verify the OCSP Server is Active
Chapter 1 Introduction

This document is intended to guide security administrators through the steps for Microsoft OCSP (Online Certificate Status Protocol) and Luna HSM integration, and also covers the necessary information to install, configure and integrate Microsoft OCSP with SafeNet Luna Hardware Security Modules (HSMs).

OCSP is a protocol which is used to provide real-time validation of a certificate's status. An OCSP responder is used to respond to certificate status requests and can issue one of the three responses:
• Valid
• Invalid
• Unknown

The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates. The service evaluates the status requests for these certificates and sends back a signed response containing the requested certificate status information.

Understanding the Online Responder's Components

The Microsoft OCSP implementation is divided into client and server components (Figure 1). The client component is built into the CryptoAPI 2.0 library, while the server component is introduced as a new service provided by the Active Directory® Certificate Services (AD CS) server role.

Figure 1: Microsoft Online Responder Components
Figure 2: After integrating Luna SA / Luna PCI

OCSP Client

The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements the recommendation specified in the draft Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume scenarios.

Online Responder Service

The Online Responder is a Microsoft Windows NT® service (ocspsvc.exe) that runs with Network Service privileges. It performs the following operations:
• Manages the Online Responder configuration. The Online Responder provides a responder-wide set of attributes that can be configured. These attributes include public interfaces, access control settings, audit settings, and Web proxy cache settings. All the configuration information is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
• Retrieves and caches revocation information based on configuration. Based on the revocation configuration, the Online Responder service can retrieve and cache revocation information such as CRLs and delta CRLs for future use. For more information, see Revocation Configuration.
• Signs responses. For each successful request, the Online Responder signs the response with a pre-acquired signing key. Luna SA and Luna PCI are used here for secure and fast signing of the response.
• Audits configuration changes. To conform to the Common Criteria requirements, all configuration changes of the Online Responder can be audited. For more information about audit settings, see Configuring the Online Responder.
Revocation Configuration

A revocation configuration is a set of definitions that configure the Online Responder service to respond to a certificate status request for a specific CA. Every Online Responder can have one or more revocation configurations. Revocation configurations include:
• CA certificate
• Signing certificate for OCSP responses
• Revocation provider specific configuration

Scope

This document outlines the steps to integrate Microsoft OCSP with Luna SA / Luna PCI.

Supported Platforms

The following platforms are supported for Luna SA v4.4.1 and Luna PCI v3.0:
• Windows Server 2008 R2

Prerequisites

Luna SA Setup

Please refer to the Luna SA documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started, ensure the following:
• Luna SA appliance and a secure admin password
• Luna SA, and a hostname, suitable for your network
• Luna SA network parameters are set to work with your network
• Initialized the HSM on the Luna SA appliance.
• Created and exchanged certificates between the Luna SA and your Client system.
• Created a partition on the HSM; remember the partition password, which will later be used by Microsoft OCSP. Register the Client with the partition, and run the "vtl verify" command on the client system to display a partition from Luna SA. The general form of the command on Windows is:
  C:\Program Files\LunaSA> vtl verify
• Enabled Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies to Luna SA with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Luna PCI Setup

Please refer to the Luna PCI documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started, ensure the following:
• Initialize the HSM on the Luna PCI appliance.
• Create a partition on the HSM that will later be used by Microsoft OCSP.
• Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies to Luna PCI with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Microsoft OCSP Setup

Microsoft OCSP must be installed on the target machine to carry on with the integration process. For a detailed installation procedure of Oracle database 11g, please refer to the Oracle documentation. You need to select advanced installation during the installation procedure.

The following setup is required:
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Domain Controller.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Certificate Authority and OCSP Server.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a client to submit enrollment requests to the CA.
• Domain Administrator privileges.

The three machines utilized are denoted in the setup as follows:
OCSPDC: Windows Server 2008 R2 Enterprise Edition Domain Controller machine.
OCSPCA: Windows Server 2008 R2 Enterprise Edition Certificate Authority and OCSP Server machine.
OCSPClient: Windows Server 2008 R2 Enterprise Edition client machine.
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI

Setting up Luna SA / Luna PCI for Online Certificate Status Protocol

To set up Luna HSMs for Online Certificate Status Protocol, perform the following:

Before you install

• The KSP must be installed on the Certificate Authority and OCSP Server in a separate step following completion of the main Luna SA / Luna PCI Client software installation.
• Traverse to C:\Program Files\SafeNet.
• Run KspConfig.exe (the KSP configuration wizard).
• Double-click Register Or View Security Library on the left side of the pane.
• Browse to the library C:\Program Files\LunaSA\cryptoki.dll and click Register.
• On successful registration you will receive the message "Success registering the security library".
• Double-click Register HSM Slots on the left side of the pane.
• Enter the Slot (Partition) password.
• Click Register Slot to register the slot for Domain\User. On successful registration you will receive the message "The slot was successfully and securely registered".
• Also register the slot for NT_AUTHORITY\SYSTEM under Domain\User.
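The KspConfig.exe steps above are GUI-only, so there is nothing on the page to confirm the result from a shell. The following PowerShell check is an added example (not part of the SafeNet guide) that verifies the outcome: it parses the output of certutil -csplist for the SafeNet Key Storage Provider and then exercises the provider with certutil -csptest, which only succeeds when the provider can open the slot registered for the account running the check. The library path and provider name are taken from the guide; the function names are this example's own. Run it on OCSPCA as the same user for whom the slot was registered.

```powershell
# Added example (not from the SafeNet guide): confirm that the SafeNet KSP is
# visible to Windows after KspConfig.exe has registered cryptoki.dll, and that
# the provider can actually perform a key operation against the registered slot.
$LibraryPath  = 'C:\Program Files\LunaSA\cryptoki.dll'   # path from the guide
$ProviderName = 'SafeNet Key Storage Provider'            # KSP name from the guide

function Get-RegisteredProviders {
    # Parse 'certutil -csplist' into objects. Legacy CSPs print a
    # 'Provider Type' line after their name; CNG KSPs do not.
    $providers = @()
    $current = $null
    foreach ($line in (& certutil -csplist)) {
        if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; Kind = 'KSP' }
            $providers += $current
        }
        elseif ($current -and $line -match '^\s*Provider Type:') {
            $current.Kind = 'CSP'
        }
    }
    return $providers
}

function Test-SafeNetKsp {
    $result = [ordered]@{
        LibraryPresent = Test-Path -LiteralPath $LibraryPath
        ProviderListed = $false
        ProviderUsable = $false
    }
    $ksp = Get-RegisteredProviders | Where-Object { $_.Name -eq $ProviderName }
    $result.ProviderListed = [bool]$ksp

    if ($ksp) {
        # certutil -csptest enumerates the provider's algorithms and performs
        # test operations. A non-zero exit code means the provider is registered
        # but cannot use its slot (for example, a wrong partition password).
        $null = & certutil -csptest $ProviderName 2>&1
        $result.ProviderUsable = ($LASTEXITCODE -eq 0)
    }
    return [pscustomobject]$result
}

Test-SafeNetKsp | Format-List
```

If ProviderListed is true but ProviderUsable is false, the library registration succeeded but the slot registration for the current account did not; repeat the Register HSM Slots step for that account before continuing. The Online Responder later runs as a service account, which is why the guide also registers the slot for NT_AUTHORITY\SYSTEM.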
1. Setting up an Enterprise Root certificate authority

An enterprise root CA is used to issue certificates to the Online Responder service and to client computers, and to publish certificate information to the Active Directory Domain Services (AD DS).
a. Log on to OCSPCA as a Domain Administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. In the Roles Summary section (in the right-hand part of the window), click Add Roles.
d. On the welcome screen that appears, click Next.
e. When the Select Server Roles section appears, select Active Directory Certificate Services and click Next twice.
f. On the next screen, select the Certification Authority and click Next.
g. In the Specify Setup Type section, click Enterprise and then click Next.
h. In the Specify CA Type section, click Root CA and then click Next.
i. When the Set Up Private Key section appears, select Create a new private key and click Next.
j. In the Configure Cryptography for CA section, select and set up the provider you wish to use for the CA.
The following SafeNet providers are available for use (if they are installed and correctly set up, they will be displayed in the drop-down list under the Select a Cryptographic Service Provider heading):
- RSA#SafeNet Key Storage Provider
- DSA#SafeNet Key Storage Provider
- ECDSA_P256#SafeNet Key Storage Provider
- ECDSA_P384#SafeNet Key Storage Provider
- ECDSA_P521#SafeNet Key Storage Provider
Note: When using SafeNet providers, ensure that you use a 'sha' hashing algorithm.
k. Once the provider has been selected and set up, click Next.
l. In the Configure CA Name, Set Validity Period and Certificate Database sections, accept the default values and click Next.
m. Finally, the Confirm Installation Selections section will appear. Check that everything is correct and click Install.
n. Once the setup is complete, check that there were no errors and click Close.

2. Installing the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. Expand the Roles section (in the left-hand section) and click on Active Directory Certificate Services. In the bottom right-hand section, click Add Role Services.
d. In the Select Role Services section that appears, select Online Responder. A prompt appears asking you to install IIS 7.
e. Click Add Required Role Services and, when the prompt disappears, click Next twice.
f. In the Select Role Services section for Web Server (IIS), simply accept the default values and click Next.
g. In the Confirm Installation Selections section, check that everything is correct and click Install.
h. Once the set-up is complete, check that there were no errors and click Close.

3. Configuring the CA to issue OCSP Response Signing Certificates

Configuring a CA to support Online Responder services involves configuring certificate templates and issuing properties for OCSP Response Signing certificates. There are also other steps to be completed on the CA so that it can support the Online Responder and certificate issuing.

3.1 Configuring certificate templates for your test environment
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. In the Run dialog, type mmc and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in...
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section) and select it.
f. Click Add, and then click OK.
g. Under Console Root, expand the Certificate Templates snap-in. Listed in the middle section will be all the available certificate templates that you can make your CA issue.
h. Scroll down the list until you locate the OCSP Response Signing template, right-click it and click Properties.
i. In the pop-up dialog that appears, click the Security tab and click Add.
j. In the Select Users, Computers, or Groups dialog that appears, type the name of the machine which is hosting the Online Responder service, in this case OCSPCA.
k. Click OK. It will not be able to locate the machine; instead, another dialog will appear.
l. In this dialog, click Object Types, make sure the check box next to Computers is selected and click OK.
m. Now re-enter OCSPCA in the Select Users, Computers, or Groups dialog, if it is not already there, and click OK. The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.
n. Click on OCSPCA in the Group and user names area.
o. In the Permissions area, make sure that the Read and Autoenroll check boxes are ticked.
p. Click Apply and then OK.

3.2 Making OCSP only accept a SafeNet Provider

This can only be carried out using the SafeNet CNG CSP, which is referred to as the SafeNet Key Storage Provider.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. Type mmc in the Run dialog and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in...
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section). Click it, click Add >, then click OK.
f. Click on the Certificate Templates snap-in under Console Root and expand it. Listed in the middle section will be all the available certificate templates that you can make your CA issue. Scroll down the list until you locate the OCSP Response Signing template.
g. Right-click the OCSP Response Signing template and click Properties.
h. In the pop-up dialog that appears, click on the Cryptography tab.
i. By default, a radio button should be selected with "Requests can use any provider on the client's machine" next to it. Below this should be another radio button with "Requests must use one of the following providers" beside it. Select this radio button so that it becomes active.
j. A box below the two radio buttons becomes active. In this box, select SafeNet Key Storage Provider.
k. Click Apply and then OK.

3.3 Configuring the CA to support the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Certification Authority.
c. In the console tree (left-hand section), click on the CA. (It has a computer and a green tick next to it.)
d. Navigate to the Action menu and click Properties.
e. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
f. Click Add and, in the Add Location dialog, type the following under Location:
g. http://<nameofcomputerhostingOCSPhere>/ocsp. For example, the address when using OCSPCA would be http://OCSPCA/ocsp.
h. Click OK.
i. On the Extensions tab:
- Ensure that the URL that was just added to the locations area is highlighted.
- Ensure that the check boxes next to "Include in the AIA extension of issued certificates" and "Include in the online certificate status protocol (OCSP) extension" are ticked.
j. Click Apply and let the service restart.
k. Click OK.
l. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New > Certificate Template to Issue.
m. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates you configured previously, then click OK.
n. Open Certificate Templates in the Certification Authority and verify that the modified certificate templates appear in the list.

4. Creating a revocation configuration

A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
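Steps 3.3 i and 3.3 m are the two settings that decide whether clients will ever be pointed at the Online Responder, and the Certification Authority console only shows them one dialog at a time. The following PowerShell check is an added example (not part of the SafeNet guide) that reads the same settings back from the CA's own registry configuration on OCSPCA: each entry of the CACertPublicationURLs value is "<flags>:<url>", where flag 2 (CSURL_ADDTOCERTCDP) is the "Include in the AIA extension of issued certificates" box and flag 32 (CSURL_ADDTOCERTOCSP) is the "Include in the online certificate status protocol (OCSP) extension" box; certutil -catemplates lists the templates the CA is configured to issue. The expected URL is taken from the guide's OCSPCA example and is an assumption; the function names are this example's own.

```powershell
# Added example (not from the SafeNet guide): after section 3, confirm on the CA
# that the OCSP URL will be placed in issued certificates and that the OCSP
# Response Signing template is published. Run on OCSPCA as a domain administrator.
$ExpectedOcspUrl = 'http://OCSPCA/ocsp'   # assumed, from the guide's example

function Get-CaPublicationUrls {
    # The active CA name is stored in the 'Active' value; its settings live in
    # a subkey of the same name.
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey     = Join-Path $configKey $caName
    $entries   = (Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs
    foreach ($entry in $entries) {
        # Each REG_MULTI_SZ entry is "<flags>:<url>"; split on the first colon only.
        $flags, $url = $entry -split ':', 2
        [pscustomobject]@{
            CA        = $caName
            Url       = $url
            Flags     = [int]$flags
            InAia     = (([int]$flags -band 2)  -ne 0)   # CSURL_ADDTOCERTCDP
            InOcspExt = (([int]$flags -band 32) -ne 0)   # CSURL_ADDTOCERTOCSP
        }
    }
}

function Test-OcspAiaConfiguration {
    $ocsp = Get-CaPublicationUrls | Where-Object { $_.Url -eq $ExpectedOcspUrl }
    # certutil -catemplates prints one line per template the CA will issue,
    # keyed by the template's internal name (OCSPResponseSigning).
    $published = (& certutil -catemplates) -match 'OCSPResponseSigning'
    [pscustomobject]@{
        OcspUrlConfigured        = [bool]$ocsp
        OcspUrlInAia             = [bool]($ocsp -and $ocsp.InAia)
        OcspUrlInOcspExtension   = [bool]($ocsp -and $ocsp.InOcspExt)
        SigningTemplatePublished = [bool]$published
    }
}

Test-OcspAiaConfiguration | Format-List
```

All four fields should read True before moving on to section 4. A certificate issued while OcspUrlInOcspExtension is False carries no OCSP pointer at all, so the certutil -url test in section 5.2 would show an empty OCSP list rather than a failure, which is easy to mistake for a responder problem.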
4.1 Verifying that the signing certificate is properly configured

a. Restart OCSPCA to enroll for certificates and make sure that the templates are correctly registered.
b. Log on to OCSPCA as a domain administrator.
c. From the Start menu, select Run.
d. In the Run dialog, type mmc and click OK.
e. In the mmc console that appears, select File > Add/Remove Snap-in...
f. In the Add or Remove Snap-Ins pop-up dialog that appears, find the Certificates snap-in (under the Available snap-ins section).
g. Click on the snap-in and click Add.
h. In the dialog that appears, select the Computer Account radio button, then click Next.
i. In the Select Computer dialog, ensure that Local Computer is selected and click Finish.
j. Click OK.
k. Under the Console Root, expand the Certificates heading.
l. Select the Personal folder and expand it.
m. Select the Certificates folder. In the right-hand pane, a certificate should appear.
n. If there are numerous certificates, pick the one which matches your machine name. In the case of OCSPCA the certificate name will be something like OCSPCA-CA.
o. Right-click on the certificate and click Properties.
p. Under the General tab in the dialog box that appears, there is a section named Certificate Purposes.
q. The radio button next to Enable all purposes for this certificate will be selected by default; this needs to be changed. Select the radio button next to Enable only the following purposes.
r. Click Apply and then OK.

4.2 Modifying the Online Responder service to use Luna Hardware Security Modules

To use OCSP in conjunction with Luna HSMs, the Online Responder service must be changed so that an HSM can be used to protect the OCSP signing keys.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Services.
c. Locate the Online Responder Service in the list of services.
d. Right-click on the Online Responder Service and select Properties.
e. In the dialog box that appears, select the Log On tab.
f. Under the Log on as heading, select the radio button next to Local System account. The option Allow service to interact with desktop becomes active, with a check box next to it.
g. Select the check box.
h. Click Apply and then OK.
i. Back in the Services window, right-click on the Online Responder Service and click Restart.

4.3 Setting up a revocation configuration

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Online Responder Management.
c. In the left-hand pane, click Revocation Configuration.
d. In the right-hand pane, under Actions, click Add Revocation Configuration.
e. In the dialog box that appears, click Next on the "Getting started with adding a revocation configuration" section.
f. In the "Name the Revocation Configuration" section, type a name for the configuration in the text box. (For this walkthrough we will use Test.) Then click Next.
g. In the "Select CA Certificate Location" section, ensure that the radio button next to "Select a certificate for an Existing enterprise CA" is selected and click Next.
h. In the "Choose CA Certificate" section, ensure that the radio button next to "Browse CA certificates published in Active Directory" is selected and then click Browse.
i. In the Select Certification Authority dialog box that appears, select the CA (in this case OCSPCA) and click OK. Then click Next.
j. In the Select Signing Certificate section, ignore the default settings; instead, make sure the radio button next to "Manually select a signing certificate" is selected, and click Next.
k. In the Revocation Provider section, click Finish. Once the wizard has completed, the status of the Online Responder will be shown in the Revocation Configuration Status box. It should say "Bad Signing on Array Controller".
l. To fix this, click on Array Configuration in the left-hand pane and expand it.
m. In the directory tree should be listed the CA that is being used, in this case OCSPCA.
n. Click on this.
o. Listed in the middle section should be the revocation configuration that was just created, in this case Test.
p. In the right pane, locate "Assign a signing certificate" and click on it. Listed in the dialog box that appears should be the certificate that was set up earlier.
q. Click on this and click OK.
r. Back in the Online Responder Management tool, under Actions in the right-hand section, click Refresh.
  19. 19. Microsoft OCSP Integration Guide Chapter 2Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCIs. In the left-hand pane click on Online Responder: Computer Name and check that theRevocation Configuration Status is shown as Working.5. Verifying that OCSP works correctly5.1 Generate a Certificate Requesta. Log on to the OCSPClient machine and generate some certificate requests using the templatestructure below. (Try to use different vendors’ cryptographic service providers.)[Version]Signature = “$Windows NT$”[NewRequest]Subject = “C=IN,CN=OCSPClient”HashAlgorithm = SHA1KeyAlgorithm = RSAKeyLength = 1024ProviderName = “Provider that will be used here”KeyUsage = 0xf0MachineKeySet = TrueRequestType = PKCS10[EnhancedKeyUsageExtension]OID = 1.3.6.1.5.5.7.3.1[Extensions]1.3.6.1.5.5.7.48.1.5 = Emptyb. Copy and paste the above template into a Notepad file making sure that the ProviderNamevariable is filled in correctly (with the speech marks around it).c. Once the template has been successfully setup save it as test.inf on C: drive.d. Open up a command prompt and goto the local drive, in this case C:. Type in the commandprompt certreq –new test.inf test.req a certificate request called test.req will be generated andplaced on C: drive.e. Next, type into the command prompt certreq –submit –attrib “CertificateTemplate:WebServer”test.req a box will appear asking which CA to use. Click the OCSPCA entry and click OK. A filedialog will appear asking to save the certificate to a file.f. Type in the File Name textbox test and click OK. After a short pause a message sayingCertificate Successfully Generated will appear on the command prompt and a certificate filecalled test.cer will appear on C: drive.5.2 Test the certificate’s origina. Now log on to OCSPCA and go to the Certification Authority tool by browsing to Start > ControlPanel > Administrative Tools > Certification Authority.b. 
In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority(Computer)/CA name/Revoked Certificates in the console tree. Then, right-click on the on theRevoked Certificates folder, point to All Tasks, and click Publish.c. Open the Certification Authority snap-in and right-click on the CA, to remove all CRL distributionpoint extensions from the issuing CA.d. In the pop-up menu that appears, click Properties.© SafeNet Inc. 15
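Step a of 5.1 asks for one request per cryptographic provider, which is tedious to do by hand. The script below is an added example and is not part of the SafeNet guide: it renders the guide's test.inf template with ProviderName filled in and, on Windows, runs the same certreq -new and certreq -submit commands the steps above type manually. The format of the certutil -csplist listing it parses (one "Provider Name:" line per provider) is an assumption based on typical output, and the CA configuration string is a placeholder to replace with the real "host\CA name". The template values (SHA1, 1024-bit RSA) are the guide's and can be changed through the function arguments.

```python
"""Generate one OCSP test request per installed cryptographic provider.

Added example, not part of the SafeNet guide. It renders the guide's test.inf
template (section 5.1) with ProviderName filled in and, on Windows, drives the
same `certreq -new` / `certreq -submit` commands the guide types by hand.
Assumptions: `certutil -csplist` prints one "Provider Name: ..." line per
provider, and the CA is named by a placeholder configuration string.
"""
import re
import subprocess
import sys
from pathlib import Path
from typing import List

# The guide's template; only the three placeholders vary.
INF_TEMPLATE = """[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=IN,CN=OCSPClient"
HashAlgorithm = {hash_alg}
KeyAlgorithm = RSA
KeyLength = {key_length}
ProviderName = "{provider}"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
"""

# Constructed sample of `certutil -csplist` output (assumed format) so the
# parser can be exercised without a Windows machine.
SAMPLE_CSPLIST = """Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Software Key Storage Provider
"""

PROVIDER_RE = re.compile(r"^Provider Name:\s*(.+?)\s*$", re.MULTILINE)


def parse_csplist(text: str) -> List[str]:
    """Return the distinct provider names, in listing order."""
    names: List[str] = []
    for name in PROVIDER_RE.findall(text):
        if name not in names:
            names.append(name)
    return names


def render_inf(provider: str, key_length: int = 1024, hash_alg: str = "SHA1") -> str:
    """Fill the template; the guide insists on quotes around ProviderName."""
    if '"' in provider or "\n" in provider:
        raise ValueError("provider name must be a single line without quotes")
    return INF_TEMPLATE.format(provider=provider, key_length=key_length, hash_alg=hash_alg)


def safe_stem(provider: str) -> str:
    """File stem for one provider, e.g. test_microsoft_strong_cryptographic_provider."""
    return "test_" + re.sub(r"[^a-z0-9]+", "_", provider.lower()).strip("_")


def request_for_provider(provider: str, workdir: Path, ca_config: str) -> Path:
    """Windows only: write the .inf, create the .req, submit it, return the .cer path."""
    stem = safe_stem(provider)
    inf, req, cer = (workdir / f"{stem}.{ext}" for ext in ("inf", "req", "cer"))
    inf.write_text(render_inf(provider), encoding="utf-8")
    subprocess.run(["certreq", "-new", str(inf), str(req)], check=True)
    # -config names the CA explicitly, so the "select CA" dialog from step e is skipped.
    subprocess.run(["certreq", "-submit", "-config", ca_config,
                    "-attrib", "CertificateTemplate:WebServer", str(req), str(cer)],
                   check=True)
    return cer


if __name__ == "__main__":
    # Placeholder CA configuration string of the form "<CA host>\\<CA name>".
    ca_config = sys.argv[1] if len(sys.argv) > 1 else "OCSPCA\\CA-NAME-PLACEHOLDER"
    listing = subprocess.run(["certutil", "-csplist"], capture_output=True,
                             text=True, check=True).stdout
    for provider in parse_csplist(listing):
        print(provider, "->", request_for_provider(provider, Path.cwd(), ca_config))
```

Each provider gets its own .inf/.req/.cer triple, so the later certutil -url and certutil -verify checks can be repeated per provider and a failure can be tied to a specific CSP or KSP.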
e. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).

f. Click any CRL distribution points that are listed, click Remove, and click OK.

g. Now click Apply. A pop-up box will appear saying you need to restart the service.

h. Click OK and watch the service restart.

i. Using the certificate called test.cer that was generated earlier on the OCSPClient machine, verify that clients can still obtain revocation data. To do this, at a command prompt on OCSPClient, type: certutil -url test.cer

j. In the URL Retrieval Tool dialog box that appears, click the radio button next to CRLs (From CDP) and click Retrieve. The list should be empty.

k. Click the radio button next to OCSP (From AIA) and click Retrieve. The list should contain an OCSP entry showing the web address of your OCSP server. If it is working correctly, the word Verified should appear in the first column of the list.

l. Click the radio button next to Certs (from AIA) and click Retrieve. One or two entries should be listed, with Verified next to them. If Certificate Authority Web Enrollment is not installed on the CA, an entry with AIA may display as Failed. However, as long as one of the entries in the Certs (from AIA) section reads Verified there should be no problems with the set-up.

5.3 Verify the OCSP Server is Active

a. Open a command prompt and select the local drive, in this case C:. Type certutil -verify test.cer > test.txt at the command prompt.

b. When the verify command has completed, open the test.txt file on the C: drive. It should contain information of this kind:

    Issuer:
        CN=LunaOCSP-OCSPCA-CA
        DC=LunaOCSP
        DC=com
    Subject:
        CN=OCSPClient
        C=IN
    Cert Serial Number: 6165202e000000000002

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      NotBefore: 2/23/2010 3:04 AM
      NotAfter: 2/23/2012 3:04 AM
      Subject: CN=OCSPClient, C=IN
      Serial: 6165202e000000000002
      Template: WebServer
      57 74 00 3f e4 37 97 87 de c3 19 67 53 68 ab ed ee 19 1c 00
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 02:
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      79 ab 66 69 d0 f1 7c a0 fa 6a fc a9 12 5a 37 5c 97 ad 28 9d
      Delta CRL 02:
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      6b a4 ad ba 47 ce 6a fb 8e 4c 2c ac 97 5d f3 dc 24 4a ee d0
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      NotBefore: 2/22/2010 9:29 PM
      NotAfter: 2/22/2015 9:39 PM
      Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
      6a a9 1a 14 21 12 19 49 f7 de 87 cc 5a 56 4d ae 83 31 cb 1a
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      f3 3f 43 dd dd 8e 07 8d 49 20 87 a8 a9 a0 b5 12 cb d8 87 41
    Full chain:
      43 13 27 df 64 d7 43 b0 88 f7 4d 97 1b 50 0a 46 8e ca 36 fb
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

c. Ensure that the last part of the verify command’s output reads something like this:

    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

This shows that the OCSP Server is working correctly and there were no errors. The most important part of the above example is the Leaf certificate revocation check passed line, as this shows the OCSP server is returning the certificate status as ‘Good’. If the log generated by the verify command does not include the above section (or something like it) and contains errors in the main body of the output, like the example below, restart the OCSP server and client machines and re-run the verify command on the certificate file.
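Reading the whole certutil -verify transcript by eye does not scale once the responder is in production, and the fields that actually decide the result are few: the dwErrorStatus of each CertContext element, the revocation freshness time, and the closing Leaf certificate revocation check passed line. The script below is an added example and is not part of the SafeNet guide. It parses a saved test.txt (or runs certutil -verify on a .cer when given one on Windows) into a pass/fail verdict with the reasons, so the check in step c can be scheduled. The good sample is trimmed from the guide's excerpt above, the failing sample is constructed, and the CERT_TRUST_* bit names are the standard wincrypt.h values.

```python
"""Turn `certutil -verify` output (section 5.3's test.txt) into a verdict.

Added example, not part of the SafeNet guide. The good sample below is
trimmed from the guide's own excerpt; the failing sample is constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# CERT_TRUST_* error bits from wincrypt.h; certutil prints dwErrorStatus in hex.
ERROR_BITS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
ELEMENT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
FRESHNESS_RE = re.compile(r"ChainContext\.dwRevocationFreshnessTime:\s*(.+)")
UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}

# Trimmed from the guide's excerpt: healthy chain, both elements error-free.
SAMPLE_GOOD = """ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=OCSPClient, C=IN
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

# Constructed: the leaf's revocation status could not be determined, no
# freshness reported, no passing line and no completion line.
SAMPLE_BAD = """ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Subject: CN=OCSPClient, C=IN
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
"""


def parse_freshness(text: str) -> Optional[int]:
    """'14 Minutes, 35 Seconds' -> 875 seconds; None when the line is absent."""
    m = FRESHNESS_RE.search(text)
    if not m:
        return None
    total = 0
    for qty, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", m.group(1)):
        total += int(qty) * UNIT_SECONDS[unit.lower().rstrip("s")]
    return total


def describe_error(status: int) -> List[str]:
    """Map a dwErrorStatus bitmask to flag names; unknown bits are reported in hex."""
    names = [name for bit, name in ERROR_BITS.items() if status & bit]
    leftover = status & ~sum(ERROR_BITS)
    if leftover:
        names.append(f"unknown bits 0x{leftover:x}")
    return names


def analyse_verify_output(text: str, max_freshness_s: int = 24 * 3600) -> Dict:
    """Return a verdict dict; 'healthy' is True only when every check passes."""
    elements = ELEMENT_RE.findall(text)
    errors = {f"[{c}][{i}]": describe_error(int(err, 16))
              for c, i, _info, err in elements if int(err, 16)}
    freshness = parse_freshness(text)
    reasons: List[str] = []
    if not elements:
        reasons.append("no chain elements found")
    if errors:
        reasons.append("chain element errors: " + str(errors))
    if "Leaf certificate revocation check passed" not in text:
        reasons.append("leaf revocation check did not pass")
    if "CertUtil: -verify command completed successfully." not in text:
        reasons.append("certutil did not report completion")
    if freshness is None:
        reasons.append("no revocation freshness reported")
    elif freshness > max_freshness_s:
        reasons.append(f"revocation data is {freshness}s old")
    return {"elements": len(elements), "errors": errors, "freshness_s": freshness,
            "reasons": reasons, "healthy": not reasons}


if __name__ == "__main__":
    # Either parse a saved test.txt or run certutil -verify on a .cer (Windows only).
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path and path.lower().endswith(".cer"):
        text = subprocess.run(["certutil", "-verify", path],
                              capture_output=True, text=True).stdout
    elif path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GOOD
    print(analyse_verify_output(text))
```

The freshness threshold is a parameter because what counts as stale depends on the responder's configured validity period; the 24-hour default is this example's choice, not a value from the guide.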