Microsoft OCSP Integration Guide
Preface
© 2010 SafeNet, Inc. All rights reserved.
Part Number: 007-011100-001 (Rev A, 03/2010)
All intellectual property is protected by copyright. All trademarks and product names used or
referred to are the copyright of their respective owners. No part of this document may be
reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written
permission of SafeNet.
SafeNet makes no representations or warranties with respect to the contents of this document
and specifically disclaims any implied warranties of merchantability or fitness for any
particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to
make changes from time to time in the content hereof without the obligation upon SafeNet to
notify any person or organization of any such revisions or changes.
SafeNet invites constructive comments on the contents of this document. These comments,
together with your personal and/or company details, should be sent to the address below.
SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Limitations
This document does not include the steps to set up the third-party software. The steps given
in this document must be modified accordingly. Refer to Luna SA documentation for general
Luna setup procedures.
Disclaimers
The foregoing integration was performed and tested only with the specific versions of
equipment and software and only in the configuration indicated. If your setup matches exactly,
you should expect no trouble, and Customer Support can assist with any missteps. If your
setup differs, then the foregoing is merely a template and you will need to adjust the
instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee
success in setups that we have not tested.
Technical Support
If you encounter a problem while installing, registering or operating this product, please make
sure that you have read the documentation. If you cannot resolve the issue, please contact
your supplier or SafeNet support.
SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service
is governed by the support plan arrangements made between SafeNet and your organization.
Please consult this support plan for further information about your entitlements, including the
hours when telephone support is available to you.
Technical Support Contact Information:
Phone: 800-545-6608, 410-931-7520
Email: support@safenet-inc.com
© SafeNet Inc. i
Table of Contents
Preface ..... i
Chapter 1 Introduction ..... 1
  Scope ..... 3
  Supported Platforms ..... 3
  Prerequisites ..... 3
    Luna SA Setup ..... 3
    Luna PCI Setup ..... 3
    Microsoft OCSP Setup ..... 3
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI ..... 5
  Setting up Luna SA / Luna PCI for Online Certificate Status Protocol ..... 5
  Before you install ..... 5
  1. Setting up an Enterprise Root certificate authority ..... 9
  2. Installing the Online Responder service ..... 10
  3. Configuring the CA to issue OCSP Response Signing Certificates ..... 10
    3.1 Configuring certificate templates for your test environment ..... 10
    3.2 Making OCSP only accept a SafeNet Provider ..... 11
    3.3 Configuring the CA to support the Online Responder service ..... 12
  4. Creating a revocation configuration ..... 12
    4.1 Verifying that the signing certificate is properly configured ..... 13
    4.2 Modifying the Online Responder service to use Luna Hardware Security Modules ..... 13
    4.3 Setting up a revocation configuration ..... 14
  5. Verifying that OCSP works correctly ..... 15
    5.1 Generate a Certificate Request ..... 15
    5.2 Test the certificate's origin ..... 15
    5.3 Verify the OCSP Server is Active ..... 16
Chapter 1
Introduction
This document is intended to guide security administrators through the steps for Microsoft OCSP
(Online Certificate Status Protocol) and Luna HSM integration, and also covers the necessary
information to install, configure and integrate Microsoft OCSP with SafeNet Luna Hardware Security
Modules (HSMs).
OCSP is a protocol used to provide real-time validation of a certificate's status. An
OCSP responder answers certificate status requests and can issue one of three
responses:
• Valid
• Invalid
• Unknown
The online responder service implements the Online Certificate Status Protocol (OCSP) by
decoding revocation status requests for specific certificates. The service evaluates the status
requests for these certificates and sends back a signed response containing the requested
certificate status information.
Understanding the Online Responder's Components
The Microsoft OCSP implementation is divided into client and server components (Figure 1). The client
component is built into the CryptoAPI 2.0 library while the server component is introduced as a new service
provided by the Active Directory® Certificate Services (AD CS) server role.
Figure 1: Microsoft Online Responder Components
Figure 2: After integrating Luna SA / Luna PCI
OCSP Client
The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements
the recommendation specified in the draft Internet Engineering Task Force (IETF) Public Key Infrastructure
X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume
scenarios.
Online Responder Service
The Online Responder is a Microsoft Windows NT® service (ocspsvc.exe) that runs with Network
Service privileges. It performs the following operations:
• Manages the Online Responder configuration. The Online Responder provides a responder-wide
set of attributes that can be configured. These attributes include public interfaces, access control
settings, audit settings, and Web proxy cache settings. All the configuration information is stored in
the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
• Retrieves and caches revocation information based on configuration. Based on the revocation
configuration, the Online Responder service can retrieve and cache revocation information such as
CRLs and delta CRLs for future use. For more information, see Revocation Configuration.
• Signs responses. For each successful request, the Online Responder signs the response with a
pre-acquired signing key. Luna SA and Luna PCI are used here for secure and fast signing of the
response.
• Audits configuration changes. To conform to the Common Criteria requirements, all configuration
changes of the Online Responder can be audited. For more information about audit settings, see
Configuring the Online Responder.
Revocation Configuration
A revocation configuration is a set of definitions that configure the Online Responder service to respond to a
certificate status request for a specific CA. Every Online Responder can have one or more revocation
configurations. Revocation configurations include:
• CA certificate
• Signing certificate for OCSP responses
• Revocation provider specific configuration
Scope
This document outlines the steps to integrate Microsoft OCSP with Luna SA / Luna PCI.
Supported Platforms
The following platforms are supported for Luna SA v4.4.1 and Luna PCI v3.0:
Windows Server 2008 R2
Prerequisites:
Luna SA Setup:
Please refer to the Luna SA documentation for installation steps and details regarding configuring and
setting up the box on Windows systems. Before you get started ensure the following:
• A Luna SA appliance and a secure admin password
• A hostname for the Luna SA, suitable for your network
• Luna SA network parameters set to work with your network
• The HSM on the Luna SA appliance initialized
• Certificates created and exchanged between the Luna SA and your Client system
• A partition created on the HSM; remember the partition password, which will later be used by Microsoft
OCSP. Register the Client with the partition, and run the "vtl verify" command on the client system
to display a partition from the Luna SA. On Windows the general form of the command is
C:\Program Files\LunaSA> vtl verify.
• Partition "Activation" and "Auto Activation" enabled (Partition policy settings 22 and 23; applies only to
Luna SA with Trusted Path Authentication, which is FIPS 140-2 level 3).
Luna PCI Setup:
Please refer to the Luna PCI documentation for installation steps and details regarding configuring and
setting up the box on Windows systems. Before you get started ensure the following:
• Initialize the HSM on the Luna PCI appliance
• Create a partition on the HSM that will be later used by Microsoft OCSP.
• Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies only to
Luna PCI with Trusted Path Authentication, which is FIPS 140-2 level 3).
Microsoft OCSP Setup:
Microsoft OCSP must be installed on the target machine to carry on with the integration process. For a
detailed installation procedure of Oracle database 11g, please refer to the Oracle documentation. You
need to select advance installation during the installation procedure.
The following setup is required:
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Domain Controller.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Certificate Authority and
OCSP Server.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a client to submit
enrollment requests to the CA.
• Domain Administrator privileges.
The three machines utilized are denoted in the setup as follows:
OCSPDC: Windows Server 2008 R2 Enterprise Edition Domain Controller machine.
OCSPCA: Windows Server 2008 R2 Enterprise Edition Certificate Authority and OCSP Server machine.
OCSPClient: Windows Server 2008 R2 Enterprise Edition client machine.
Chapter 2
Integrating Microsoft Online Certificate
Status Protocol with Luna SA / Luna PCI
Setting up Luna SA / Luna PCI for Online Certificate Status Protocol
To set up Luna HSMs for Online Certificate Status Protocol, perform the following:
Before you install
• KSP must be installed on the Certificate Authority and OCSP Server in a separate step following
completion of the main Luna SA / Luna PCI Client software installation.
• Traverse to C:\Program Files\SafeNet.
• Run KspConfig.exe (the KSP configuration wizard).
• Double click Register Or View Security Library on the left side of the pane.
• Browse to the library C:\Program Files\LunaSA\cryptoki.dll and click Register.
• On successful registration you will receive the message "Success registering the security library".
• Double click Register HSM Slots on the left side of the pane.
• Enter the Slot (Partition) password.
• Click on Register Slot to register the slot for Domain\User. On successful registration you will receive
the message "The slot was successfully and securely registered".
• Also register the slot for NT_AUTHORITY\SYSTEM under Domain\User.
1. Setting up an Enterprise Root certificate authority
An enterprise root CA is used to issue certificates to the Online Responder service and to client
computers, and to publish certificate information to Active Directory Domain Services (AD DS).
a. Log on to OCSPCA as a Domain Administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. In the Roles Summary section (in the right-hand part of the window), click Add Roles.
d. On the welcome screen that appears, click Next.
e. When the Select Server Roles section appears, select Active Directory Certificate Services and
click Next twice.
f. On the next screen, select the Certification Authority and click Next.
g. In the Specify Setup Type section, click Enterprise and then click Next.
h. On the Specify CA Type section, click Root CA and then click Next.
i. When the Set Up Private Key appears, select Create a new private key and click Next.
j. In the Configure Cryptography for CA section, select and set up the provider you wish to use for
the CA.
The following SafeNet providers are available for use (if they are installed and correctly set up,
they will be displayed in the drop-down list under the Select a Cryptographic Service Provider
heading):
- RSA#SafeNet Key Storage Provider
- DSA#SafeNet Key Storage Provider
- ECDSA_P256#SafeNet Key Storage Provider
- ECDSA_P384#SafeNet Key Storage Provider
- ECDSA_P521#SafeNet Key Storage Provider
Note: When using SafeNet providers ensure that you use a SHA hashing algorithm.
k. Once the provider has been selected and set up, click Next.
l. On the Configure CA Name, Set Validity Period and Certificate Database sections, accept the
default values and click Next.
m. Finally the Confirm Installation Selections section will appear. Check that everything is correct
and click Install.
n. Once the setup is complete check that there were no errors and click Close.
2. Installing the Online Responder service
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. Expand the Roles section (in the left-hand section) and click on Active Directory Certificate
Services. In the bottom right-hand section, click Add Role Services.
d. In the Select Role Services section that appears, select Online Responder. A prompt appears
asking you to install IIS 7.
e. Click Add Required Role Services and when the prompt disappears click Next twice.
f. In the Select Role Services section for Web Server (IIS), simply accept the default values and
click Next.
g. In the Confirm Installation Selections section, check that everything is correct and click Install.
h. Once the set-up is complete, check that there were no errors and click Close.
3. Configuring the CA to issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates
and issuing properties for OCSP Response Signing certificates. There are also other steps to be
completed on the CA so that it can support the Online Responder and certificate issuing.
3.1 Configuring certificate templates for your test environment
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. In the Run dialog, type mmc and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the
Available snap-ins section) and select it.
f. Click Add, and then click OK.
g. Under Console Root, expand the Certificate Templates snap-in. Listed in the middle section will
be all the available certificate templates that you can make your CA issue.
h. Scroll down the list until you locate the OCSP Response Signing template, right-click it and click
Properties.
i. In the pop-up dialog that appears, click the Security tab and click Add.
j. In the Select User, Computers, or Groups dialog that appears, type the name of the machine
which is hosting the Online Responder service, in this case OCSPCA.
k. Click OK. It will not be able to locate the machine; instead another dialog will appear.
l. In this dialog, click Object Types, make sure the check-box next to Computers is selected and
click OK.
m. Now re-enter OCSPCA in the Select User, Computers, or Groups dialog, if it is not already
there, and click OK. The machine hosting the Online Responder will be added to the Group and
user names area under the Security tab.
n. Click on OCSPCA in the Group and user names area.
o. In the Permissions area, make sure that the Read and Autoenroll check boxes are ticked.
p. Click Apply and then OK.
3.2 Making OCSP only accept a SafeNet Provider
This can only be carried out using SafeNet CNG CSP, which is referred to as the
SafeNet Key Storage Provider.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. Type mmc in the run dialog and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the
Available snap-ins section). Click it, click Add >, then click OK.
f. Click on the Certificate Templates snap-in under Console Root and expand it. Listed in the
middle section will be all the available certificate templates that you can make your CA issue.
Scroll down the list until you locate the OCSP Response Signing template.
g. Right-click the OCSP Response Signing template and click Properties.
h. On the pop-up dialog that appears, click on the Cryptography tab.
i. By default, the radio button next to Requests can use any provider on the client's
machine is selected. Below it is another radio button, Requests must use one of the
following providers. Select this radio button so that it becomes active.
j. A box below the two radio buttons becomes active. In this box select SafeNet Key Storage
Provider.
k. Click Apply and then OK.
3.3 Configuring the CA to support the Online Responder service
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Certification Authority.
c. In the console tree (left-hand section), click on the CA. (It has a computer and a green tick next
to it.)
d. Navigate to the Action menu and click Properties.
e. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
f. Click Add and, in the Add Location dialog, type the following under Location:
g. http://<nameofcomputerhostingOCSPhere>/ocsp. For example, the address when using
OCSPCA would be http://OCSPCA/ocsp.
h. Click OK.
i. On the Extensions tab:
- Ensure that the URL that was just added to the locations area is highlighted.
- Ensure that the check-boxes next to "Include in the AIA extension of issued certificates" and
"Include in the online certificate status protocol (OCSP) extension" are ticked.
j. Click Apply and let the service restart.
k. Click OK.
l. In console tree of the Certification Authority snap-in, right-click Certificate Templates, and then
click New Certificate Templates to Issue.
m. In Enable Certificates Templates, select the OCSP Response Signing template and any other
certificate templates you configured previously, then click OK.
n. Open Certificate Templates in the Certification Authority and verify that the modified certificate
templates appear in the list.
4. Creating a revocation configuration
A revocation configuration includes all of the settings that are needed to respond to status requests
regarding certificates that have been issued by using a specific CA key.
4.1 Verifying that the signing certificate is properly configured
a. Restart OCSPCA to enroll for certificates and make sure that the templates are correctly
registered.
b. Log on to OCSPCA as a domain administrator.
c. From the Start menu, select Run
d. In the run dialog type mmc and click OK.
e. In the mmc console that appears, select File > Add/Remove Snap-in…
f. In the Add or Remove Snap-Ins pop-up dialog that appears, find the Certificates snap-in
(under the Available snap-ins section).
g. Click on the snap-in and click Add.
h. In the dialog that appears, select the Computer Account radio button, then click Next.
i. In the Select Computer dialog, ensure that Local Computer is selected and click Finish.
j. Click OK.
k. Under the Console Root, expand the Certificates heading.
l. Select the Personal folder and expand it.
m. Select the Certificates folders. In the right hand pane, a certificate should appear.
n. If there are numerous certificates, pick the one which matches your machine name. In the
case of OCSPCA the certificate name will be something like OCSPCA-CA.
o. Right-click on the certificate and click Properties.
p. Under the General tab in the dialog box that appears, there is a section named Certificate
Purposes.
q. The radio button next to Enable all purposes for this certificate will be selected by default; this
needs to be changed. Hover over the radio button next to Enable only the following purposes
and select it.
r. Click Apply and then OK.
4.2 Modifying the Online Responder service to use Luna Hardware Security Modules
To use OCSP in conjunction with Luna HSMs, the Online Responder service must be changed so
an HSM can be used to protect the OCSP signing keys.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Services.
c. Locate the Online Responder Service in the list of services.
d. Right-click on the Online Responder Service and select Properties.
e. In the dialog box that appears select the Log on tab.
f. Under the Log on as heading, select the radio button next to Local System account. The option
Allow service to interact with desktop becomes active, with a check box next to it.
g. Select the check box.
h. Click Apply and then OK.
i. Back in the services window, right-click on the Online Responder Service and click Restart.
4.3 Setting up a revocation configuration
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Online Responder
Management.
c. In the left-hand pane click Revocation Configuration.
d. In the right-hand pane, under Actions, click Add Revocation Configuration.
e. In the dialog box that appears, click Next on the "Getting started with adding a revocation
configuration" section.
f. In the "Name the Revocation Configuration" section, type a name for the configuration in the text
box. (For this walkthrough we will use Test.) Then click Next.
g. In the "Select CA Certificate Location" section, ensure that the radio button next to "Select a
certificate for an Existing enterprise CA" is selected and click Next.
h. In the "Choose CA Certificate" section, ensure that the radio button next to "Browse CA
certificates published in Active Directory" is selected and then click Browse.
i. In the Select Certification Authority dialog box that appears, select the CA authority (in this case
OCSPCA) and click OK. Then click Next.
j. In the Select Signing Certificate section, ignore the default settings; instead make sure the radio
button next to "Manually select a signing certificate" is selected, and click Next.
k. In the Revocation Provider section, click Finish. Once the wizard has completed, the status of
the Online Responder will be shown in the Revocation Configuration Status box. It should say
"Bad Signing on Array Controller".
l. To fix this, click on Array Configuration in the left hand pane and expand it.
m. In the directory tree should be listed the CA that is being used, in this case OCSPCA.
n. Click on this.
o. Listed in the middle section should be the revocation configuration that was just created, in this
case Test.
p. In the right pane, locate "Assign a signing certificate" and click on it. Listed in the dialog box that
appears should be the certificate that was setup earlier.
q. Click on this and click OK.
r. Back in the Online Responder Management tool, under Actions in the right-hand section, click
Refresh.
s. In the left-hand pane click on Online Responder: Computer Name and check that the
Revocation Configuration Status is shown as Working.
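The PowerShell script below is an added example, not part of the SafeNet guide: run on OCSPCA, it checks the settings that the "Before you install" section and sections 3.2, 3.3 and 4.2 configure through the GUI, so that a failed revocation configuration can be traced to a missed step. The CA name, the OCSP URL and the template attribute it reads (pKIDefaultCSPs on the OCSPResponseSigning template object in Active Directory) are assumptions about the environment; adjust the parameters to match yours.

```powershell
# Added example (not from the guide): audit the Luna/OCSP settings from the OCSPCA host.
# Run in an elevated PowerShell session on OCSPCA. Assumptions are marked below.
param(
    # Assumption: CA name as it appears in the guide's certutil -verify log.
    [string]$CaName  = 'LunaOCSP-OCSPCA-CA',
    # OCSP URL entered under Authority Information Access in section 3.3.
    [string]$OcspUrl = 'http://OCSPCA/ocsp'
)

function Test-OcspLunaConfig {
    param([string]$CaName, [string]$OcspUrl)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. "Before you install": the SafeNet KSP must be registered with CNG.
    $providers = (& certutil -csplist 2>&1) | Out-String
    if ($providers -notmatch 'SafeNet Key Storage Provider') {
        $findings.Add('SafeNet Key Storage Provider not reported by certutil -csplist (KspConfig registration missing?)')
    }

    # 2. Section 4.2: the Online Responder service (OCSPSvc) must log on as Local System,
    #    so that the slot registered for NT_AUTHORITY\SYSTEM is the one it uses.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='OCSPSvc'"
    if (-not $svc) {
        $findings.Add('OCSPSvc not installed: Online Responder role service is missing')
    } else {
        if ($svc.StartName -ne 'LocalSystem') {
            $findings.Add("OCSPSvc logs on as '$($svc.StartName)', expected LocalSystem")
        }
        if ($svc.State -ne 'Running') {
            $findings.Add("OCSPSvc state is '$($svc.State)', expected Running")
        }
    }

    # 3. Section 3.3: the CA's publication list must carry the OCSP URL with both
    #    "include in AIA extension" (flag bit 2) and "include in OCSP extension" (bit 32).
    $cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $urls = (Get-ItemProperty -Path $cfgKey -Name CACertPublicationURLs -ErrorAction SilentlyContinue).CACertPublicationURLs
    $aiaOk = $false
    foreach ($entry in @($urls)) {
        if ($entry -match '^(\d+):(.+)$') {
            $flags = [int]$Matches[1]
            if ($Matches[2] -eq $OcspUrl -and ($flags -band 2) -and ($flags -band 32)) { $aiaOk = $true }
        }
    }
    if (-not $aiaOk) {
        $findings.Add("CA '$CaName' does not publish $OcspUrl with the AIA and OCSP flags (expected entry 34:$OcspUrl)")
    }

    # 4. Section 3.2: the OCSP Response Signing template must restrict requests to the
    #    SafeNet KSP. Assumption: the restriction is stored in the template object's
    #    pKIDefaultCSPs attribute as "<order>,<provider name>" entries.
    try {
        $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $tpl = [ADSI]"LDAP://CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
        $csps = @($tpl.pKIDefaultCSPs | Where-Object { $_ } | ForEach-Object { ($_ -split ',', 2)[1] })
        if ($csps.Count -eq 0) {
            $findings.Add('OCSP Response Signing template allows any provider (no pKIDefaultCSPs set)')
        } elseif ($csps | Where-Object { $_ -ne 'SafeNet Key Storage Provider' }) {
            $findings.Add("OCSP Response Signing template allows non-SafeNet providers: $($csps -join '; ')")
        }
    } catch {
        $findings.Add("Could not read the OCSPResponseSigning template from AD: $($_.Exception.Message)")
    }

    return $findings
}

$result = Test-OcspLunaConfig -CaName $CaName -OcspUrl $OcspUrl
if ($result.Count -eq 0) {
    Write-Output 'OK: KSP registered, OCSPSvc on LocalSystem, OCSP URL published in AIA, template pinned to SafeNet KSP'
    exit 0
}
$result | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

The script exits non-zero with one line per finding, so it can be re-run after each corrective step; a "Bad Signing on Array Controller" status that persists after step 4.3 is usually explained by one of these four checks.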
5. Verifying that OCSP works correctly
5.1 Generate a Certificate Request
a. Log on to the OCSPClient machine and generate some certificate requests using the template
structure below. (Try to use different vendors' cryptographic service providers.)
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=OCSPClient"
HashAlgorithm = SHA1
KeyAlgorithm = RSA
KeyLength = 1024
ProviderName = "Provider that will be used here"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
b. Copy and paste the above template into a Notepad file, making sure that the ProviderName
variable is filled in correctly (with the quotation marks around it).
c. Once the template has been set up, save it as test.inf on the C: drive.
d. Open a command prompt and go to the local drive, in this case C:. Type the command
certreq -new test.inf test.req; a certificate request called test.req will be generated and
placed on the C: drive.
e. Next, type the command certreq -submit -attrib "CertificateTemplate:WebServer" test.req;
a box will appear asking which CA to use. Click the OCSPCA entry and click OK. A file
dialog will appear asking to save the certificate to a file.
f. Type test in the File Name textbox and click OK. After a short pause the message
Certificate Successfully Generated will appear in the command prompt and a certificate file
called test.cer will appear on the C: drive.
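As an added example that is not part of the guide, the following PowerShell script performs section 5.1 without the interactive dialogs: it writes the INF template with the chosen provider, runs certreq -new and certreq -submit, and then reads the Authority Information Access extension of the issued certificate to confirm it points at the responder configured in section 3.3. The CA configuration string (host\CA name) and the working directory are assumptions; the guide's template uses RSA 1024 with SHA1, which this script exposes as parameters with stronger defaults.

```powershell
# Added example (not from the guide): scripted form of section 5.1, run on OCSPClient.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProviderName,                               # e.g. 'SafeNet Key Storage Provider'
    # Assumption: "<host>\<CA name>"; the guide's log shows CA LunaOCSP-OCSPCA-CA on OCSPCA.
    [string]$CaConfig      = 'OCSPCA\LunaOCSP-OCSPCA-CA',
    [string]$Subject       = 'C=IN,CN=OCSPClient',
    [string]$WorkDir       = 'C:\',
    # The guide's template uses KeyLength 1024 / SHA1 for its test lab.
    [int]$KeyLength        = 2048,
    [string]$HashAlgorithm = 'SHA256'
)

function New-OcspTestRequestInf {
    param([string]$Path, [string]$ProviderName, [string]$Subject, [int]$KeyLength, [string]$HashAlgorithm)
    # Same sections as the guide's template; the backticks keep "$Windows NT$" literal.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
HashAlgorithm = $HashAlgorithm
KeyAlgorithm = RSA
KeyLength = $KeyLength
ProviderName = "$ProviderName"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

function Invoke-OcspTestEnrollment {
    param([string]$WorkDir, [string]$CaConfig, [string]$ProviderName, [string]$Subject, [int]$KeyLength, [string]$HashAlgorithm)
    $inf = Join-Path $WorkDir 'test.inf'
    $req = Join-Path $WorkDir 'test.req'
    $cer = Join-Path $WorkDir 'test.cer'
    New-OcspTestRequestInf -Path $inf -ProviderName $ProviderName -Subject $Subject -KeyLength $KeyLength -HashAlgorithm $HashAlgorithm

    # Step d: build the PKCS#10 request; the private key is created inside the chosen provider.
    & certreq -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for provider '$ProviderName'" }

    # Steps e and f: submit to the CA; -config replaces the CA picker and the Save dialog
    # is avoided by naming the output file.
    & certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $req $cer | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) { throw "certreq -submit to '$CaConfig' failed" }

    # Check that the issued certificate carries the AIA extension (OID 1.3.6.1.5.5.7.1.1),
    # which is where the OCSP URL configured in section 3.3 must appear.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $aiaText = if ($aia) { $aia.Format($true) } else { '' }
    [pscustomobject]@{
        CertificatePath = $cer
        Serial          = $cert.SerialNumber
        Provider        = $ProviderName
        AiaUrls         = @([regex]::Matches($aiaText, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }
}

Invoke-OcspTestEnrollment -WorkDir $WorkDir -CaConfig $CaConfig -ProviderName $ProviderName `
    -Subject $Subject -KeyLength $KeyLength -HashAlgorithm $HashAlgorithm
```

Run it once per provider you want to test (the guide suggests trying several vendors' providers); an empty AiaUrls list, or one without the http://OCSPCA/ocsp entry, means the AIA extension step in section 3.3 did not take effect on the CA before this certificate was issued.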
5.2 Test the certificate's origin
a. Now log on to OCSPCA and open the Certification Authority tool by browsing to Start > Control
Panel > Administrative Tools > Certification Authority.
b. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority
(Computer)/CA name/Revoked Certificates in the console tree. Then right-click the
Revoked Certificates folder, point to All Tasks, and click Publish.
c. To remove all CRL distribution point extensions from the issuing CA, right-click the CA in the
Certification Authority snap-in.
d. In the pop-up menu that appears, click Properties.
d. In the pop-up menu that appears, click Properties.
e. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
f. Click any CRL distribution points that are listed, click Remove, and click OK.
g. Now click Apply. A pop-up box will appear saying you need to restart the service.
h. Click OK and watch the service restart.
i. Using the certificate called test.cer that was generated earlier on the OCSPClient machine,
verify that clients can still obtain revocation data. To do this, at a command prompt on
OCSPClient, type: certutil -url test.cer
j. In the URL Retrieval Tool dialog box that appears, click the radio button next to CRLs (From
CDP) and click Retrieve. The list should be empty.
k. Click the radio button next to OCSP (From AIA) and click Retrieve. The list should contain an
OCSP entry showing the web address of your OCSP server. If it is working correctly, the word
Verified should appear in the first column in the list.
l. Click the radio button next to Certs (from AIA) and click Retrieve. One or two entries should be
listed, with Verified next to them. If Certificate Authority Web Enrollment is not installed on the
CA, an entry with AIA may display as Failed. However, as long as one of the entries in the Certs
(from AIA) section reads Verified there should be no problems with the set-up.
5.3 Verify the OCSP Server is Active
a. Open a command prompt and select the local drive, in this case C:. Type the command
certutil -verify test.cer > test.txt.
b. When the Verify command has been completed, open the test.txt file on C: drive. It should
contain information of this kind:
Issuer:
CN=LunaOCSP-OCSPCA-CA
DC=LunaOCSP
DC=com
Subject:
CN=OCSPClient
C=IN
Cert Serial Number: 6165202e000000000002
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
(0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
NotBefore: 2/23/2010 3:04 AM
NotAfter: 2/23/2012 3:04 AM
Subject: CN=OCSPClient, C=IN
Serial: 6165202e000000000002
Template: WebServer
57 74 00 3f e4 37 97 87 de c3 19 67 53 68 ab ed ee 19 1c 00
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 02:
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
79 ab 66 69 d0 f1 7c a0 fa 6a fc a9 12 5a 37 5c 97 ad 28 9d
Delta CRL 02:
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
6b a4 ad ba 47 ce 6a fb 8e 4c 2c ac 97 5d f3 dc 24 4a ee d0
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
NotBefore: 2/22/2010 9:29 PM
NotAfter: 2/22/2015 9:39 PM
Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
6a a9 1a 14 21 12 19 49 f7 de 87 cc 5a 56 4d ae 83 31 cb 1a
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
f3 3f 43 dd dd 8e 07 8d 49 20 87 a8 a9 a0 b5 12 cb d8 87 41
Full chain:
43 13 27 df 64 d7 43 b0 88 f7 4d 97 1b 50 0a 46 8e ca 36 fb
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
c. Ensure that the last part of the verify command's output reads something like this:
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
This shows that the OCSP Server is working correctly and there were no errors. The most important
part of the above example is the Leaf certificate revocation check passed line, as this shows the
OCSP server is returning the certificate status as Good. If the log generated by the verify command
does not include the above section (or something like it) and contains errors in the main body of the
output, like the example below, restart the OCSP server and client machine and re-run the verify
command on the certificate file.
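The script below is an added example, not part of the guide: it automates sections 5.2 and 5.3 on OCSPClient. It first builds the chain with the .NET chain engine using the same policy the guide's log shows for certutil (online revocation checking for every certificate except the root), which separates the three outcomes a practitioner needs to tell apart: the responder said "revoked", the responder could not be reached or trusted, or the check passed. It then runs certutil -verify exactly as in section 5.3, saves the log, and tests for the two sentinel lines the guide names. The file paths are assumptions.

```powershell
# Added example (not from the guide): programmatic form of sections 5.2 and 5.3,
# run on OCSPClient against the test.cer issued in section 5.1.
param(
    [string]$CertPath = 'C:\test.cer',
    [string]$LogPath  = 'C:\test.txt'
)

function Test-OcspRevocationStatus {
    param([string]$CertPath, [string]$LogPath)

    # 1. Build the chain with the policy seen in the guide's certutil log:
    #    online revocation checking, root excluded (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT).
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk  = $chain.Build($cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Three outcomes worth distinguishing:
    #   Revoked                                   -> the responder answered "revoked"
    #   RevocationStatusUnknown / OfflineRevocation -> responder unreachable or its signing
    #                                                certificate not trusted (the "errors in the
    #                                                main body" case; restart and retry per 5.3)
    #   no status entries                         -> revocation check passed
    $revoked     = $statuses -contains 'Revoked'
    $unreachable = ($statuses -contains 'RevocationStatusUnknown') -or ($statuses -contains 'OfflineRevocation')

    # 2. Run certutil -verify as in section 5.3 and keep its log for inspection.
    & certutil -verify $CertPath 2>&1 | Out-File -FilePath $LogPath -Encoding ASCII
    $log = Get-Content -Path $LogPath -Raw
    $leafPassed = $log -match 'Leaf certificate revocation check passed'
    $completed  = $log -match 'CertUtil: -verify command completed successfully'

    [pscustomobject]@{
        Subject          = $cert.Subject
        ChainBuilt       = $chainOk
        ChainStatus      = $statuses
        Revoked          = $revoked
        ResponderProblem = $unreachable
        CertutilPassed   = ($leafPassed -and $completed)
        Log              = $LogPath
    }
}

$r = Test-OcspRevocationStatus -CertPath $CertPath -LogPath $LogPath
$r | Format-List
if ($r.ResponderProblem) {
    Write-Warning 'Revocation status could not be obtained from the responder; see section 5.3 (restart OCSP server and client, then re-run).'
}
if (-not ($r.ChainBuilt -and $r.CertutilPassed)) { exit 1 }
```

Because section 5.2 removes the CRL distribution points from the issuing CA, a passing result here can only have come from the OCSP responder; a ResponderProblem of True with an otherwise valid chain is the signature of a responder that is not signing (for example, a revocation configuration still showing "Bad Signing on Array Controller").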