Microsoft OCSP Integration Guide Preface
Preface
© 2010 SafeNet, Inc. All rights reserved.
Part Number: 007-011100-001 (Rev A, 03/2010)
All intellectual property is protected by copyright. All trademarks and product names used or
referred to are the copyright of their respective owners. No part of this document may be
reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written
permission of SafeNet.
SafeNet makes no representations or warranties with respect to the contents of this document
and specifically disclaims any implied warranties of merchantability or fitness for any
particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to
make changes from time to time in the content hereof without the obligation upon SafeNet to
notify any person or organization of any such revisions or changes.
SafeNet invites constructive comments on the contents of this document. These comments,
together with your personal and/or company details, should be sent to the address below.
SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Limitations
This document does not include the steps to set up the third-party software. The steps given
in this document must be modified accordingly. Refer to Luna SA documentation for general
Luna setup procedures.
Disclaimers
The foregoing integration was performed and tested only with the specific versions of
equipment and software and only in the configuration indicated. If your setup matches exactly,
you should expect no trouble, and Customer Support can assist with any missteps. If your
setup differs, then the foregoing is merely a template and you will need to adjust the
instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee
success in setups that we have not tested.
Technical Support
If you encounter a problem while installing, registering or operating this product, please make
sure that you have read the documentation. If you cannot resolve the issue, please contact
your supplier or SafeNet support.
SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service
is governed by the support plan arrangements made between SafeNet and your organization.
Please consult this support plan for further information about your entitlements, including the
hours when telephone support is available to you.
Technical Support Contact Information:
Phone: 800-545-6608, 410-931-7520
Email: support@safenet-inc.com
© SafeNet Inc. i
Table of Contents
Preface ..... i
Chapter 1 Introduction ..... 1
  Scope ..... 3
  Supported Platforms ..... 3
  Prerequisites: ..... 3
    Luna SA Setup: ..... 3
    Luna PCI Setup: ..... 3
    Microsoft OCSP Setup: ..... 3
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI ..... 5
  Setting up Luna SA / Luna PCI for Online Certificate Status Protocol ..... 5
  Before you install ..... 5
  1. Setting up an Enterprise Root certificate authority ..... 9
  2. Installing the Online Responder service ..... 10
  3. Configuring the CA to issue OCSP Response Signing Certificates ..... 10
    3.1 Configuring certificate templates for your test environment ..... 10
    3.2 Making OCSP only accept a SafeNet Provider ..... 11
    3.3 Configuring the CA to support the Online Responder service ..... 12
  4. Creating a revocation configuration ..... 12
    4.1 Verifying that the signing certificate is properly configured ..... 13
    4.2 Modifying the Online Responder service to use Luna Hardware Security Modules ..... 13
    4.3 Setting up a revocation configuration ..... 14
  5. Verifying that OCSP works correctly ..... 15
    5.1 Generate a Certificate Request ..... 15
    5.2 Test the certificate’s origin ..... 15
    5.3 Verify the OCSP Server is Active ..... 16
Chapter 1
Introduction
This document is intended to guide security administrators through the steps for Microsoft OCSP
(Online Certificate Status Protocol) and Luna HSM integration, and also covers the necessary
information to install, configure and integrate Microsoft OCSP with SafeNet Luna Hardware Security
Modules (HSMs).
OCSP is a protocol used to provide real-time validation of a certificate’s status. An OCSP
responder answers certificate status requests and can issue one of three responses:
• Valid
• Invalid
• Unknown
The online responder service implements the Online Certificate Status Protocol (OCSP) by
decoding revocation status requests for specific certificates. The service evaluates the status
requests for these certificates and sends back a signed response containing the requested
certificate status information.
Understanding the Online Responder's Components
The Microsoft OCSP implementation is divided into client and server components (Figure 1). The client
component is built into the CryptoAPI 2.0 library while the server component is introduced as a new service
provided by the Active Directory® Certificate Services (AD CS) server role.
Figure 1: Microsoft Online Responder Components
Figure 2: After integrating Luna SA / Luna PCI
OCSP Client
The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements
the recommendation specified in the draft Internet Engineering Task Force (IETF) Public Key Infrastructure
X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume
scenarios.
Online Responder Service
The Online Responder is a Microsoft Windows NT® service (ocspsvc.exe) that is running with Network
Service privileges. It performs the following operations:
• Manages the Online Responder configuration. The Online Responder provides a responder-wide
set of attributes that can be configured. These attributes include public interfaces, access control
settings, audit settings, and Web proxy cache settings. All the configuration information is stored in
the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
• Retrieves and caches revocation information based on configuration. Based on the revocation
configuration, the Online Responder service can retrieve and cache revocation information such as
CRLs and delta CRLs for future use. For more information, see Revocation Configuration.
• Signs responses. For each successful request, the Online Responder signs the response with a
pre-acquired signing key. Luna SA and Luna PCI are used here for secure and fast signing of the
response.
• Audits configuration changes. To conform to the Common Criteria requirements, all configuration
changes of the Online Responder can be audited. For more information about audit settings, see
Configuring the Online Responder.
Revocation Configuration
A revocation configuration is a set of definitions that configure the Online Responder service to respond to a
certificate status request for a specific CA. Every Online Responder can have one or more revocation
configurations. Revocation configurations include:
• CA certificate
• Signing certificate for OCSP responses
• Revocation provider specific configuration
Scope
This document outlines the steps to integrate Microsoft OCSP with Luna SA / Luna PCI.
Supported Platforms
The following platforms are supported for Luna SA v4.4.1 and Luna PCI v3.0:
Windows Server 2008 R2
Prerequisites:
Luna SA Setup:
Please refer to the Luna SA documentation for installation steps and details regarding configuring and
setting up the box on Windows systems. Before you get started ensure the following:
• A Luna SA appliance and a secure admin password.
• A hostname for the Luna SA that is suitable for your network.
• Luna SA network parameters set to work with your network.
• The HSM on the Luna SA appliance has been initialized.
• Certificates have been created and exchanged between the Luna SA and your client system.
• A partition has been created on the HSM; remember the partition password, which will later be used by
Microsoft OCSP. Register the client with the partition and run the "vtl verify" command on the client
system to display a partition from the Luna SA. The general form of the command on Windows is
C:\Program Files\Luna SA> vtl verify.
• Partition "Activation" and "Auto Activation" are enabled (partition policy settings 22 and 23; applies
only to Luna SA with Trusted Path Authentication, which is FIPS 140-2 Level 3).
Luna PCI Setup:
Please refer to the Luna PCI documentation for installation steps and details regarding configuring and
setting up the box on Windows systems. Before you get started ensure the following:
• Initialize the HSM on the Luna PCI appliance
• Create a partition on the HSM that will be later used by Microsoft OCSP.
• Enable Partition "Activation" and "Auto Activation" (partition policy settings 22 and 23; applies only
to Luna PCI with Trusted Path Authentication, which is FIPS 140-2 Level 3).
Microsoft OCSP Setup:
Microsoft OCSP must be installed on the target machine to carry on with the integration process. For a
detailed installation procedure of Oracle database 11g, please refer to the Oracle documentation. You
need to select advance installation during the installation procedure.
The following setup is required:
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Domain Controller.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Certificate Authority and
OCSP Server.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a client to submit
enrollment requests to the CA.
• Domain Administrator privileges.
The three machines utilized are denoted in the setup as follows:
OCSPDC: Windows Server 2008 R2 Enterprise Edition Domain Controller machine.
OCSPCA: Windows Server 2008 R2 Enterprise Edition Certificate Authority and OCSP Server machine.
OCSPClient: Windows Server 2008 R2 Enterprise Edition client machine.
Chapter 2
Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI
Setting up Luna SA / Luna PCI for Online Certificate Status Protocol
To set up Luna HSMs for Online Certificate Status Protocol, perform the following:
Before you install
• KSP must be installed on the Certificate Authority and OCSP Server in a separate step following
completion of the main Luna SA / Luna PCI Client software installation.
• Traverse to C:\Program Files\SafeNet.
• Run the KspConfig.exe (KSP configuration wizard).
• Double click Register Or View Security Library on the left side of the pane.
• Browse to the library C:\Program Files\LunaSA\cryptoki.dll and click Register.
• On successful registration you will receive the message Success registering the security library.
• Double click Register HSM Slots on the left side of the pane.
• Enter the Slot (Partition) password.
• Click on Register Slot to register the slot for Domain\User. On successful registration you will receive
the message “The slot was successfully and securely registered”.
• Also register the slot for NT_AUTHORITY\SYSTEM under Domain\User.
1. Setting up an Enterprise Root certificate authority
An enterprise root CA is used to issue certificates to the Online Responder service and to client
computers, and to publish certificate information to the Active Directory Domain Services (ADDS).
a. Log on to OCSPCA as a Domain Administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. In the Roles Summary section (in the right-hand part of the window), click Add Roles.
d. On the welcome screen that appears, click Next.
e. When the Select Server Roles section appears, select Active Directory Certificate Services and
click Next twice.
f. On the next screen, select the Certification Authority and click Next.
g. In the Specify Setup Type section, click Enterprise and then click Next.
h. On the Specify CA Type section, click Root CA and then click Next.
i. When the Set Up Private Key appears, select Create a new private key and click Next.
j. In the Configure Cryptography for CA section, select and set up the provider you wish to use for
the CA.
The following SafeNet providers are available for use (if they are installed and correctly set up,
they will be displayed in the drop-down list under the Select a Cryptographic Service Provider
heading):
- RSA#SafeNet Key Storage Provider
- DSA#SafeNet Key Storage Provider
- ECDSA_P256#SafeNet Key Storage Provider
- ECDSA_P384#SafeNet Key Storage Provider
- ECDSA_P521#SafeNet Key Storage Provider
Note: When using SafeNet providers ensure that you use a ‘sha’ hashing algorithm.
k. Once the provider has been selected and set up, click Next.
l. On the Configure CA Name, Set Validity Period and Certificate Database sections, accept the
default values and click Next.
m. Finally the Confirm Installation Selections section will appear. Check that everything is correct
and click Install.
n. Once the setup is complete check that there were no errors and click Close.
2. Installing the Online Responder service
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. Expand the Roles section (in the left-hand section) and click on Active Directory Certificate
Services. In the bottom right-hand section, click Add Role Services.
d. In the Select Role Services section that appears, select Online Responder. A prompt appears
asking you to install IIS 7.
e. Click Add Required Role Services and when the prompt disappears click Next twice.
f. In the Select Role Services section for Web Server (IIS), simply accept the default values and
click Next.
g. In the Confirm Installation Selections section, check that everything is correct and click Install.
h. Once the set-up is complete, check that there were no errors and click Close.
3. Configuring the CA to issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates
and issuing properties for OCSP Response Signing certificates. There are also other steps to be
completed on the CA so that it can support the Online Responder and certificate issuing.
3.1 Configuring certificate templates for your test environment
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. In the Run dialog, type mmc and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the
Available snap-ins section) and select it.
f. Click Add, and then click OK.
g. Under Console Root, expand the Certificate Templates snap-in. Listed in the middle section will
be all the available certificate templates that you can make your CA issue.
h. Scroll down the list until you locate the OCSP Response Signing template, right-click it and click
Properties.
i. In the pop-up dialog that appears, click the Security tab and click Add.
j. In the Select User, Computers, or Groups dialog that appears, type the name of the machine
which is hosting the Online Responder service — in this case OCSPCA.
k. Click OK. The machine will not be found; instead, another dialog will appear.
l. In this dialog, click Object Types, make sure the check-box next to Computers is selected and
click OK.
m. Now re-enter OCSPCA in the Select User, Computers, or Groups dialog, if it is not already
there, and click OK. The machine hosting the Online Responder will be added to the Group and
user names area under the Security tab.
n. Click on OCSPCA in the Group and user names area.
o. In the Permissions area, make sure that the Read and Autoenroll check boxes are ticked.
p. Click Apply and then OK.
3.2 Making OCSP only accept a SafeNet Provider.
This can only be carried out using SafeNet CNG CSP, which is referred to as the
SafeNet Key Storage Provider.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. Type mmc in the run dialog and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the
Available snap-ins section). Click it, click Add >, then click OK.
f. Click on the Certificate Templates snap-in under Console Root and expand it. Listed in the
middle section will be all the available certificate templates that you can make your CA issue.
Scroll down the list until you locate the OCSP Response Signing template.
g. Right-click the OCSP Response Signing template and click Properties.
h. On the pop-up dialog that appears, click on the Cryptography tab.
i. By default, a radio button should be selected with Requests can use any provider on the clients
machine next to it. Below this should be another radio button with Requests must use one of the
following providers beside it. Select this radio button so that it becomes active.
j. A box below the two radio buttons becomes active. In this box select SafeNet Key Storage
Provider.
k. Click Apply and then OK.
3.3 Configuring the CA to support the Online Responder service
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Certification Authority.
c. In the console tree (left-hand section), click on the CA. (It has a computer and a green tick next
to it.)
d. Navigate to the Action menu and click Properties.
e. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
f. Click Add and, in the Add Location dialog, type the following under Location:
g. http://<nameofcomputerhostingOCSPhere>/ocsp. For example, the address when using
OCSPCA would be http://OCSPCA/ocsp.
h. Click OK.
i. On the Extensions tab:
- Ensure that the URL that was just added to the locations area is highlighted.
- Ensure that the check-boxes next to “Include in the AIA extension of issued certificates” and
“Include in the online certificate status protocol (OCSP) extension” are ticked.
j. Click Apply and let the service restart.
k. Click OK.
l. In console tree of the Certification Authority snap-in, right-click Certificate Templates, and then
click New Certificate Templates to Issue.
m. In Enable Certificates Templates, select the OCSP Response Signing template and any other
certificate templates you configured previously, then click OK.
n. Open Certificate Templates in the Certification Authority and verify that the modified certificate
templates appear in the list.
4. Creating a revocation configuration
A revocation configuration includes all of the settings that are needed to respond to status requests
regarding certificates that have been issued by using a specific CA key.
4.1 Verifying that the signing certificate is properly configured
a. Restart OCSPCA to enroll for certificates and make sure that the templates are correctly
registered.
b. Log on to OCSPCA as a domain administrator.
c. From the Start menu, select Run
d. In the run dialog type mmc and click OK.
e. In the mmc console that appears, select File > Add/Remove Snap-in…
f. In the Add or Remove Snap-Ins pop-up dialog that appears, find the Certificates snap-in
(under the Available snap-ins section).
g. Click on the snap-in and click Add.
h. In the dialog that appears, select the Computer Account radio button, then click Next.
i. In the Select Computer dialog, ensure that Local Computer is selected and click Finish.
j. Click OK.
k. Under the Console Root, expand the Certificates heading.
l. Select the Personal folder and expand it.
m. Select the Certificates folders. In the right hand pane, a certificate should appear.
n. If there are numerous certificates, pick the one which matches your machine name. In the
case of OCSPCA the certificate name will be something like OCSPCA-CA.
o. Right-click on the certificate and click Properties.
p. Under the General tab in the dialog box that appears, there is a section named Certificate
Purposes.
q. The radio button next to Enable all purposes for this certificate will be selected by default; this
needs to be changed. Hover over the radio button next to Enable only the following purposes
and select it.
r. Click Apply and then OK.
4.2 Modifying the Online Responder service to use Luna Hardware Security Modules.
To use OCSP in conjunction with Luna HSMs, the Online Responder service must be changed so
an HSM can be used to protect the OCSP signing keys.
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Services.
c. Locate the Online Responder Service in the list of services.
d. Right-click on the Online Responder Service and select Properties.
e. In the dialog box that appears select the Log on tab.
f. Under the Log on as heading, select the radio button next to Local System account. The option
Allow service to interact with desktop becomes active, with a check box next to it.
g. Select the check box.
h. Click Apply and then OK.
i. Back in the services window, right-click on the Online Responder Service and click Restart.
4.3 Setting up a revocation configuration
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Online Responder
Management.
c. In the left-hand pane click Revocation Configuration.
d. In the right-hand pane, under Actions, click Add Revocation Configuration.
e. In the dialog box that appears, click Next on the “Getting started with adding a revocation
configuration” section.
f. In the “Name the Revocation Configuration” section, type a name for the configuration in the text
box. (For this walkthrough we will use Test.) Then click Next.
g. In the “Select CA Certificate Location” section, ensure that the radio button next to “Select a
certificate for an Existing enterprise CA” is selected and click Next.
h. In the “Choose CA Certificate” section, ensure that the radio button next to “Browse CA
certificates published in Active Directory” is selected and then click Browse.
i. In the Select Certification Authority dialog box that appears, select the CA authority (in this case
OCSPCA) and click OK. Then click Next.
j. In the Select Signing Certificate section, ignore the default settings; instead make sure the radio
button next to “Manually select a signing certificate” is selected, and click Next.
k. In the Revocation Provider section, click Finish. Once the wizard has completed, the status of
the Online Responder will be shown in the Revocation Configuration Status box. It should say
“Bad Signing on Array Controller”.
l. To fix this, click on Array Configuration in the left hand pane and expand it.
m. In the directory tree should be listed the CA that is being used, in this case OCSPCA.
n. Click on this.
o. Listed in the middle section should be the revocation configuration that was just created, in this
case Test.
p. In the right pane, locate “Assign a signing certificate” and click on it. Listed in the dialog box that
appears should be the certificate that was setup earlier.
q. Click on this and click OK.
r. Back in the Online Responder Management tool, under Actions in the right-hand section, click
Refresh.
s. In the left-hand pane click on Online Responder: Computer Name and check that the
Revocation Configuration Status is shown as Working.
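Sections 3.1, 4.2 and 4.3 assemble the pieces the Online Responder needs. As an added illustration, not code from the SafeNet guide or from Microsoft, the Python script below models the same arrangement end to end with the third-party cryptography package: a revocation configuration (CA certificate plus a delegated signing certificate carrying the OCSP signing EKU and the id-pkix-ocsp-nocheck extension, OID 1.3.6.1.5.5.7.48.1.5), a responder that signs status answers, and a client that verifies the signer's authorisation before trusting an answer. All names, keys and serial numbers are constructed, and the software signing key stands in for the key the Luna HSM protects.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

DER = serialization.Encoding.DER


def _utcnow():  # naive UTC, the form the cryptography builders accept everywhere
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_cert(cn, issuer_cert, issuer_key, pub_key, is_ca=False, ocsp_signer=False):
    """Issue a certificate for CN=cn; issuer_cert=None means a self-signed root CA."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = _utcnow()
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ocsp_signer:
        # What the OCSP Response Signing template puts on the responder certificate: the OCSP signing
        # EKU plus id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5), so clients do not check the signer itself.
        b = (b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
              .add_extension(x509.OCSPNoCheck(), critical=False))
    return b.sign(issuer_key, hashes.SHA256())


class Responder:
    """One revocation configuration: CA cert, signing cert/key, and {serial: (cert, status, revoked_at)}."""

    def __init__(self, ca_cert, signing_cert, signing_key, issued):
        self.ca_cert, self.signing_cert, self.signing_key, self.issued = ca_cert, signing_cert, signing_key, issued

    def respond(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        if req.serial_number not in self.issued:  # never issued by this CA: refuse, do not guess
            status = ocsp.OCSPResponseStatus.UNAUTHORIZED
            return ocsp.OCSPResponseBuilder.build_unsuccessful(status).public_bytes(DER)
        cert, status, revoked_at = self.issued[req.serial_number]
        now = _utcnow()
        builder = (ocsp.OCSPResponseBuilder()
                   .add_response(cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA1(),
                                 cert_status=status, this_update=now,
                                 next_update=now + datetime.timedelta(hours=1),
                                 revocation_time=revoked_at, revocation_reason=None)
                   .responder_id(ocsp.OCSPResponderEncoding.HASH, self.signing_cert)
                   .certificates([self.signing_cert]))
        # In the guide this private-key operation is performed inside the Luna HSM through the KSP.
        return builder.sign(self.signing_key, hashes.SHA256()).public_bytes(DER)


def verify_response(response_der, ca_cert, leaf):
    """Checks a relying party must make before acting on a delegated-responder answer."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"ok": False, "reason": resp.response_status.name}
    signer = resp.certificates[0]
    # 1. The signer was issued by the CA whose certificates it is vouching for (raises if forged).
    ca_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                padding.PKCS1v15(), signer.signature_hash_algorithm)
    # 2. That CA explicitly authorised it for OCSP signing: the EKU the template grants.
    ekus = [e.value for e in signer.extensions if isinstance(e.value, x509.ExtendedKeyUsage)]
    if not any(ExtendedKeyUsageOID.OCSP_SIGNING in eku for eku in ekus):
        return {"ok": False, "reason": "signer lacks id-kp-OCSPSigning"}
    # 3. The response body really was signed with the signer's key (raises if tampered).
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    # 4. The answer concerns the certificate we asked about.
    if resp.serial_number != leaf.serial_number:
        return {"ok": False, "reason": "response is for a different serial number"}
    return {"ok": True, "status": resp.certificate_status.name, "signer": signer.subject.rfc4514_string()}


def run_demo():
    """Constructed end-to-end exchange; the names mirror the guide's OCSPCA and OCSPClient."""
    ca_key, ocsp_key, leaf_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    ca_cert = make_cert("OCSPCA-CA", None, ca_key, ca_key.public_key(), is_ca=True)
    ocsp_cert = make_cert("OCSPCA", ca_cert, ca_key, ocsp_key.public_key(), ocsp_signer=True)
    good = make_cert("OCSPClient", ca_cert, ca_key, leaf_key.public_key())
    revoked = make_cert("OCSPClient-old", ca_cert, ca_key, leaf_key.public_key())
    unknown = make_cert("Stranger", ca_cert, ca_key, leaf_key.public_key())
    issued = {good.serial_number: (good, ocsp.OCSPCertStatus.GOOD, None),
              revoked.serial_number: (revoked, ocsp.OCSPCertStatus.REVOKED,
                                      _utcnow() - datetime.timedelta(days=1))}
    responder = Responder(ca_cert, ocsp_cert, ocsp_key, issued)

    def ask(resp, cert):  # client side: build the request and hand it to the responder
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
        return resp.respond(req.public_bytes(DER))

    results = {name: verify_response(ask(responder, c), ca_cert, c)
               for name, c in (("good", good), ("revoked", revoked), ("unknown", unknown))}
    # A CA-issued certificate without the OCSP signing EKU must be refused as a signer, which is
    # why section 3.1 restricts who may enrol for the OCSP Response Signing template.
    rogue_cert = make_cert("NotAuthorised", ca_cert, ca_key, rogue_key.public_key())
    results["rogue"] = verify_response(ask(Responder(ca_cert, rogue_cert, rogue_key, issued), good), ca_cert, good)
    return results
```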
5. Verifying that OCSP works correctly
5.1 Generate a Certificate Request
a. Log on to the OCSPClient machine and generate some certificate requests using the template
structure below. (Try to use different vendors’ cryptographic service providers.)
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=OCSPClient"
HashAlgorithm = SHA1
KeyAlgorithm = RSA
KeyLength = 1024
ProviderName = "Provider that will be used here"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
b. Copy and paste the above template into a Notepad file making sure that the ProviderName
variable is filled in correctly (with the speech marks around it).
c. Once the template has been successfully setup save it as test.inf on C: drive.
d. Open a command prompt and go to the local drive, in this case C:. At the command prompt type
certreq -new test.inf test.req; a certificate request called test.req will be generated and
placed on the C: drive.
e. Next, type certreq -submit -attrib "CertificateTemplate:WebServer" test.req at the command
prompt; a box will appear asking which CA to use. Click the OCSPCA entry and click OK. A file
dialog will appear asking you to save the certificate to a file.
f. Type in the File Name textbox test and click OK. After a short pause a message saying
Certificate Successfully Generated will appear on the command prompt and a certificate file
called test.cer will appear on C: drive.
5.2 Test the certificate’s origin
a. Now log on to OCSPCA and go to the Certification Authority tool by browsing to Start > Control
Panel > Administrative Tools > Certification Authority.
b. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority
(Computer)/CA name/Revoked Certificates in the console tree. Then, right-click on the
Revoked Certificates folder, point to All Tasks, and click Publish.
c. Open the Certification Authority snap-in and right-click on the CA, to remove all CRL distribution
point extensions from the issuing CA.
d. In the pop-up menu that appears, click Properties.
e. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
f. Click any CRL distribution points that are listed, click Remove, and click OK.
g. Now click Apply. A pop-up box will appear saying you need to restart the service.
h. Click OK and watch the service restart.
i. Using the certificate called test.cer that was generated earlier on the OCSPClient machine,
verify that clients can still obtain revocation data. To do this, at a command prompt on
OCSPClient, type: certutil -url test.cer
j. In the URL Retrieval Tool dialog box that appears, click the radio button next to CRLs (From
CDP) and click Retrieve. The list should be empty.
k. Click the radio button next to OCSP (From AIA) and click Retrieve. The list should contain an
OCSP entry showing the web address of your OCSP server. If it is working correctly, the word
Verified should appear in the first column in the list.
l. Click the radio button next to Certs (from AIA) and click Retrieve. One or two entries should be
listed, with Verified next to them. If Certificate Authority Web Enrollment is not installed on the
CA, an entry with AIA may display as Failed. However, as long as one of the entries in the Certs
(from AIA) section reads Verified there should be no problems with the set-up.
5.3 Verify the OCSP Server is Active
a. Open a command prompt and select the local drive, in this case C:. At the command prompt type
certutil -verify test.cer > test.txt.
b. When the Verify command has been completed, open the test.txt file on C: drive. It should
contain information of this kind:
Issuer:
CN=LunaOCSP-OCSPCA-CA
DC=LunaOCSP
DC=com
Subject:
CN=OCSPClient
C=IN
Cert Serial Number: 6165202e000000000002
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
(0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
NotBefore: 2/23/2010 3:04 AM
NotAfter: 2/23/2012 3:04 AM
Subject: CN=OCSPClient, C=IN
Serial: 6165202e000000000002
Template: WebServer
57 74 00 3f e4 37 97 87 de c3 19 67 53 68 ab ed ee 19 1c 00
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 02:
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
79 ab 66 69 d0 f1 7c a0 fa 6a fc a9 12 5a 37 5c 97 ad 28 9d
Delta CRL 02:
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
6b a4 ad ba 47 ce 6a fb 8e 4c 2c ac 97 5d f3 dc 24 4a ee d0
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
NotBefore: 2/22/2010 9:29 PM
NotAfter: 2/22/2015 9:39 PM
Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
6a a9 1a 14 21 12 19 49 f7 de 87 cc 5a 56 4d ae 83 31 cb 1a
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
f3 3f 43 dd dd 8e 07 8d 49 20 87 a8 a9 a0 b5 12 cb d8 87 41
Full chain:
43 13 27 df 64 d7 43 b0 88 f7 4d 97 1b 50 0a 46 8e ca 36 fb
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
c. Ensure that the last part of the verify command's output reads something like this:
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
This shows that the OCSP Server is working correctly and that there were no errors. The most important
part of the above example is the Leaf certificate revocation check passed line, as this shows that the
OCSP server is returning the certificate status as ‘Good’. If the log generated by the verify command
does not include the above section (or something like it) and instead contains errors in the main body of
the output, like the example below,
restart the OCSP server and the client machine and re-run the verify command on the certificate file.
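As an added example that is not part of SafeNet's guide: a small Python checker for a certutil -verify dump such as the one above. It confirms that every chain element reports dwErrorStatus=0, that the revocation data certutil used is fresh, and that the Leaf certificate revocation check passed line is present; this is the same reading of the output that step c asks you to do by eye. The two sample dumps are constructed (the passing one abbreviates the output shown above) and the flag table is a subset of the wincrypt.h CERT_TRUST_* error bits.

```python
import re

# Subset of the CERT_TRUST_* error flags from wincrypt.h that matter for an
# OCSP check. Any bit not listed here is reported raw rather than guessed.
ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

# certutil prints "CertContext[chain][element]: dwInfoStatus=hex dwErrorStatus=hex"
ELEMENT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]:\s*dwInfoStatus=([0-9a-fA-F]+)\s*dwErrorStatus=([0-9a-fA-F]+)"
)
FRESHNESS_RE = re.compile(r"ChainContext\.dwRevocationFreshnessTime:\s*(.*)")
PASS_LINE = "Leaf certificate revocation check passed"
DONE_LINE = "CertUtil: -verify command completed successfully."


def parse_freshness(text):
    """Convert certutil's '14 Minutes, 35 Seconds' style duration into seconds."""
    units = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
    total = 0
    for value, unit in re.findall(r"(\d+)\s*(Day|Hour|Minute|Second)s?", text):
        total += int(value) * units[unit.lower()]
    return total


def decode_error_status(status):
    """Name the known CERT_TRUST_* error bits set in a dwErrorStatus value."""
    names = [name for bit, name in ERROR_FLAGS.items() if status & bit]
    unknown = status & ~sum(ERROR_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def analyse_verify_output(text, max_freshness_seconds=24 * 3600):
    """Return (ok, findings) for the text written by 'certutil -verify cert > file'.

    ok is True only when no chain element carries an error bit, the revocation
    data is younger than max_freshness_seconds, and certutil printed both the
    leaf revocation pass line and its successful-completion line.
    """
    findings = []
    elements = ELEMENT_RE.findall(text)
    if not elements:
        findings.append("no CERT_CHAIN_CONTEXT elements found; not certutil -verify output?")
    for chain, idx, _info, err in elements:
        status = int(err, 16)
        if status:
            findings.append("chain %s element %s: dwErrorStatus=0x%x (%s)"
                            % (chain, idx, status, ", ".join(decode_error_status(status))))
    match = FRESHNESS_RE.search(text)
    if match:
        age = parse_freshness(match.group(1))
        if age > max_freshness_seconds:
            findings.append("revocation data is %d s old (limit %d s)" % (age, max_freshness_seconds))
    else:
        findings.append("no dwRevocationFreshnessTime line; revocation may not have been checked")
    if PASS_LINE not in text:
        findings.append("missing '%s'" % PASS_LINE)
    if DONE_LINE not in text:
        findings.append("certutil did not report successful completion")
    return (not findings), findings


# Constructed sample: an abbreviated copy of the passing dump shown in step b.
GOOD_OUTPUT = """\
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=OCSPClient, C=IN
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
Verified Issuance Policies: None
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

# Constructed sample of a failing run: the leaf element reports that its
# revocation status could not be determined and the pass line never appears.
BAD_OUTPUT = """\
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Subject: CN=OCSPClient, C=IN
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
ERROR: <constructed placeholder for certutil's revocation error text>
"""

if __name__ == "__main__":
    for label, dump in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        ok, findings = analyse_verify_output(dump)
        print(label, "OK" if ok else "FAILED")
        for finding in findings:
            print("  -", finding)
```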

More Related Content

What's hot

OracleÂŽ database 2 days security guide e10575
OracleÂŽ database 2 days security guide e10575OracleÂŽ database 2 days security guide e10575
OracleÂŽ database 2 days security guide e10575imranshahid7861
 
havcs-410-101 a-2-10-srt-_pg_1
havcs-410-101 a-2-10-srt-_pg_1havcs-410-101 a-2-10-srt-_pg_1
havcs-410-101 a-2-10-srt-_pg_1raryal
 
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...Symantec
 
Oracle database 12c application express installation guide
Oracle database 12c application express installation guideOracle database 12c application express installation guide
Oracle database 12c application express installation guidebupbechanhgmail
 
havcs-410-101 a-2-10-srt-pg_4
havcs-410-101 a-2-10-srt-pg_4havcs-410-101 a-2-10-srt-pg_4
havcs-410-101 a-2-10-srt-pg_4raryal
 
OracleÂŽ Trading Community Architecture
OracleÂŽ Trading Community ArchitectureOracleÂŽ Trading Community Architecture
OracleÂŽ Trading Community ArchitectureOracle Groups
 
HPE Matrix Operating Environment 7.5 Recovery Management User Guide
HPE Matrix Operating Environment 7.5 Recovery Management User GuideHPE Matrix Operating Environment 7.5 Recovery Management User Guide
HPE Matrix Operating Environment 7.5 Recovery Management User GuideVictor Rocha
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guidewebhostingguy
 
APM81SP1_RevA_Installation_Book
APM81SP1_RevA_Installation_BookAPM81SP1_RevA_Installation_Book
APM81SP1_RevA_Installation_BookDavid_Tickner
 
NovellÂŽ iChainÂŽ 2.3
NovellÂŽ iChainÂŽ 2.3NovellÂŽ iChainÂŽ 2.3
NovellÂŽ iChainÂŽ 2.3webhostingguy
 
Sanjeev Kumar
Sanjeev KumarSanjeev Kumar
Sanjeev KumarSanjeev Rana
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidationwebhostingguy
 
Zeeshan Alam_ Resume
Zeeshan Alam_ Resume Zeeshan Alam_ Resume
Zeeshan Alam_ Resume Zeeshan Alam
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
Docu91844
Docu91844Docu91844
Docu91844Sys Ov
 

What's hot (20)

OracleÂŽ database 2 days security guide e10575
OracleÂŽ database 2 days security guide e10575OracleÂŽ database 2 days security guide e10575
OracleÂŽ database 2 days security guide e10575
 
havcs-410-101 a-2-10-srt-_pg_1
havcs-410-101 a-2-10-srt-_pg_1havcs-410-101 a-2-10-srt-_pg_1
havcs-410-101 a-2-10-srt-_pg_1
 
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...
TECHNICAL WHITE PAPER: Bare Metal & Dissimilar Hardware Recovery with Backup ...
 
Oracle database 12c application express installation guide
Oracle database 12c application express installation guideOracle database 12c application express installation guide
Oracle database 12c application express installation guide
 
havcs-410-101 a-2-10-srt-pg_4
havcs-410-101 a-2-10-srt-pg_4havcs-410-101 a-2-10-srt-pg_4
havcs-410-101 a-2-10-srt-pg_4
 
Oracle9
Oracle9Oracle9
Oracle9
 
E49462 01
E49462 01E49462 01
E49462 01
 
OracleÂŽ Trading Community Architecture
OracleÂŽ Trading Community ArchitectureOracleÂŽ Trading Community Architecture
OracleÂŽ Trading Community Architecture
 
HPE Matrix Operating Environment 7.5 Recovery Management User Guide
HPE Matrix Operating Environment 7.5 Recovery Management User GuideHPE Matrix Operating Environment 7.5 Recovery Management User Guide
HPE Matrix Operating Environment 7.5 Recovery Management User Guide
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guide
 
Oracle 10g release 1
Oracle 10g release  1Oracle 10g release  1
Oracle 10g release 1
 
APM81SP1_RevA_Installation_Book
APM81SP1_RevA_Installation_BookAPM81SP1_RevA_Installation_Book
APM81SP1_RevA_Installation_Book
 
NovellÂŽ iChainÂŽ 2.3
NovellÂŽ iChainÂŽ 2.3NovellÂŽ iChainÂŽ 2.3
NovellÂŽ iChainÂŽ 2.3
 
Workbench en
Workbench enWorkbench en
Workbench en
 
Sanjeev Kumar
Sanjeev KumarSanjeev Kumar
Sanjeev Kumar
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
 
Resume
Resume Resume
Resume
 
Zeeshan Alam_ Resume
Zeeshan Alam_ Resume Zeeshan Alam_ Resume
Zeeshan Alam_ Resume
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
Docu91844
Docu91844Docu91844
Docu91844
 

Similar to Microsoft OCSP LUNA SA PCI Integration Guide

Microsoft India - System Center Controlling Costs and Driving Agility Whitepaper
Microsoft India - System Center Controlling Costs and Driving Agility WhitepaperMicrosoft India - System Center Controlling Costs and Driving Agility Whitepaper
Microsoft India - System Center Controlling Costs and Driving Agility WhitepaperMicrosoft Private Cloud
 
Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Curtis Brenneman
 
Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Curtis Brenneman
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxdanas19
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
DR Planning - Improving Recovery Time
DR Planning - Improving Recovery TimeDR Planning - Improving Recovery Time
DR Planning - Improving Recovery TimeJason Dea
 
Microsoft Dynamics CRM - Plug in User Guide
Microsoft Dynamics CRM - Plug in User GuideMicrosoft Dynamics CRM - Plug in User Guide
Microsoft Dynamics CRM - Plug in User GuideMicrosoft Private Cloud
 
Azure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceAzure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceErlinkencana
 
Getting started with cisco configuration
Getting started with cisco configurationGetting started with cisco configuration
Getting started with cisco configurationMario Pellegrino
 
New Essentials of Disaster Recovery Planning
New Essentials of Disaster Recovery PlanningNew Essentials of Disaster Recovery Planning
New Essentials of Disaster Recovery PlanningJason Dea
 
P6 analytics install_and_config_guide
P6 analytics install_and_config_guideP6 analytics install_and_config_guide
P6 analytics install_and_config_guidevishaalkumar11
 
Wss Security
Wss SecurityWss Security
Wss SecurityLiquidHub
 
Security PFE
Security PFESecurity PFE
Security PFEAmy Busick
 
CONSULTANTS ANALYSIS REPORT 1 Colorado Techn.docx
CONSULTANTS ANALYSIS REPORT  1 Colorado Techn.docxCONSULTANTS ANALYSIS REPORT  1 Colorado Techn.docx
CONSULTANTS ANALYSIS REPORT 1 Colorado Techn.docxdonnajames55
 
Osb developer's guide
Osb developer's guideOsb developer's guide
Osb developer's guideHarish B
 
Pardeep Rana IT CV_Breif
Pardeep Rana IT CV_BreifPardeep Rana IT CV_Breif
Pardeep Rana IT CV_BreifPardeep Rana
 

Similar to Microsoft OCSP LUNA SA PCI Integration Guide (20)

Ad cs-step-by-step-guide
Ad cs-step-by-step-guideAd cs-step-by-step-guide
Ad cs-step-by-step-guide
 
Microsoft India - System Center Controlling Costs and Driving Agility Whitepaper
Microsoft India - System Center Controlling Costs and Driving Agility WhitepaperMicrosoft India - System Center Controlling Costs and Driving Agility Whitepaper
Microsoft India - System Center Controlling Costs and Driving Agility Whitepaper
 
Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5
 
Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5Whats New In Change Auditor - 5.5
Whats New In Change Auditor - 5.5
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
DR Planning - Improving Recovery Time
DR Planning - Improving Recovery TimeDR Planning - Improving Recovery Time
DR Planning - Improving Recovery Time
 
Microsoft Dynamics CRM - Plug in User Guide
Microsoft Dynamics CRM - Plug in User GuideMicrosoft Dynamics CRM - Plug in User Guide
Microsoft Dynamics CRM - Plug in User Guide
 
Azure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceAzure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 compliance
 
Getting started with cisco configuration
Getting started with cisco configurationGetting started with cisco configuration
Getting started with cisco configuration
 
Manual Sophos
Manual SophosManual Sophos
Manual Sophos
 
New Essentials of Disaster Recovery Planning
New Essentials of Disaster Recovery PlanningNew Essentials of Disaster Recovery Planning
New Essentials of Disaster Recovery Planning
 
P6 analytics install_and_config_guide
P6 analytics install_and_config_guideP6 analytics install_and_config_guide
P6 analytics install_and_config_guide
 
Wss Security
Wss SecurityWss Security
Wss Security
 
Security PFE
Security PFESecurity PFE
Security PFE
 
SLIC-admin-guide
SLIC-admin-guideSLIC-admin-guide
SLIC-admin-guide
 
CONSULTANTS ANALYSIS REPORT 1 Colorado Techn.docx
CONSULTANTS ANALYSIS REPORT  1 Colorado Techn.docxCONSULTANTS ANALYSIS REPORT  1 Colorado Techn.docx
CONSULTANTS ANALYSIS REPORT 1 Colorado Techn.docx
 
Osb developer's guide
Osb developer's guideOsb developer's guide
Osb developer's guide
 
Pardeep Rana IT CV_Breif
Pardeep Rana IT CV_BreifPardeep Rana IT CV_Breif
Pardeep Rana IT CV_Breif
 
Resume (2)
Resume (2)Resume (2)
Resume (2)
 

More from Chris x-MS

Escolhendo Pneus de carros
Escolhendo Pneus de carrosEscolhendo Pneus de carros
Escolhendo Pneus de carrosChris x-MS
 
Cerveja vs Perereca
Cerveja vs PererecaCerveja vs Perereca
Cerveja vs PererecaChris x-MS
 
Virtual PC 2007
Virtual PC 2007Virtual PC 2007
Virtual PC 2007Chris x-MS
 
Reportagem Filha - 2008 - Sobre TelescĂłpio James Webb
Reportagem Filha - 2008 - Sobre TelescĂłpio James WebbReportagem Filha - 2008 - Sobre TelescĂłpio James Webb
Reportagem Filha - 2008 - Sobre TelescĂłpio James WebbChris x-MS
 
Chiclete pode engolir
Chiclete pode engolirChiclete pode engolir
Chiclete pode engolirChris x-MS
 
GN 8050 TCA
GN 8050 TCAGN 8050 TCA
GN 8050 TCAChris x-MS
 
Samsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitSamsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitChris x-MS
 
802.11 Protocol Map
802.11 Protocol Map802.11 Protocol Map
802.11 Protocol MapChris x-MS
 
RTS Thresould - Netgear explain
RTS Thresould - Netgear explainRTS Thresould - Netgear explain
RTS Thresould - Netgear explainChris x-MS
 
ECS P35T-A (1.0b)
ECS P35T-A (1.0b)ECS P35T-A (1.0b)
ECS P35T-A (1.0b)Chris x-MS
 
ASUS K8V-X SE
ASUS K8V-X SEASUS K8V-X SE
ASUS K8V-X SEChris x-MS
 
ASUS P4V8X-X
ASUS P4V8X-XASUS P4V8X-X
ASUS P4V8X-XChris x-MS
 
DS Technicolor DWG850-4B
DS Technicolor DWG850-4BDS Technicolor DWG850-4B
DS Technicolor DWG850-4BChris x-MS
 
D-LINK DSL-502 G
D-LINK DSL-502 GD-LINK DSL-502 G
D-LINK DSL-502 GChris x-MS
 
Contrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveContrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveChris x-MS
 
Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Chris x-MS
 
Tutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPTutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPChris x-MS
 
Discos de Estado SĂłlido III
Discos de Estado SĂłlido IIIDiscos de Estado SĂłlido III
Discos de Estado SĂłlido IIIChris x-MS
 
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!Chris x-MS
 
Aula de C para Linux
Aula de C para LinuxAula de C para Linux
Aula de C para LinuxChris x-MS
 

More from Chris x-MS (20)

Escolhendo Pneus de carros
Escolhendo Pneus de carrosEscolhendo Pneus de carros
Escolhendo Pneus de carros
 
Cerveja vs Perereca
Cerveja vs PererecaCerveja vs Perereca
Cerveja vs Perereca
 
Virtual PC 2007
Virtual PC 2007Virtual PC 2007
Virtual PC 2007
 
Reportagem Filha - 2008 - Sobre TelescĂłpio James Webb
Reportagem Filha - 2008 - Sobre TelescĂłpio James WebbReportagem Filha - 2008 - Sobre TelescĂłpio James Webb
Reportagem Filha - 2008 - Sobre TelescĂłpio James Webb
 
Chiclete pode engolir
Chiclete pode engolirChiclete pode engolir
Chiclete pode engolir
 
GN 8050 TCA
GN 8050 TCAGN 8050 TCA
GN 8050 TCA
 
Samsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper LimitSamsung HD P-ATA Jumper Limit
Samsung HD P-ATA Jumper Limit
 
802.11 Protocol Map
802.11 Protocol Map802.11 Protocol Map
802.11 Protocol Map
 
RTS Thresould - Netgear explain
RTS Thresould - Netgear explainRTS Thresould - Netgear explain
RTS Thresould - Netgear explain
 
ECS P35T-A (1.0b)
ECS P35T-A (1.0b)ECS P35T-A (1.0b)
ECS P35T-A (1.0b)
 
ASUS K8V-X SE
ASUS K8V-X SEASUS K8V-X SE
ASUS K8V-X SE
 
ASUS P4V8X-X
ASUS P4V8X-XASUS P4V8X-X
ASUS P4V8X-X
 
DS Technicolor DWG850-4B
DS Technicolor DWG850-4BDS Technicolor DWG850-4B
DS Technicolor DWG850-4B
 
D-LINK DSL-502 G
D-LINK DSL-502 GD-LINK DSL-502 G
D-LINK DSL-502 G
 
Contrato Microsoft Serviços Live
Contrato Microsoft Serviços LiveContrato Microsoft Serviços Live
Contrato Microsoft Serviços Live
 
Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11Solucionando problemas de acesso sem fio do windows xp - 802.11
Solucionando problemas de acesso sem fio do windows xp - 802.11
 
Tutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IPTutorial sobre protocolo TCP/IP
Tutorial sobre protocolo TCP/IP
 
Discos de Estado SĂłlido III
Discos de Estado SĂłlido IIIDiscos de Estado SĂłlido III
Discos de Estado SĂłlido III
 
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
HD (Hard Disk) ou Discos Rigidos - Como funcionam?!
 
Aula de C para Linux
Aula de C para LinuxAula de C para Linux
Aula de C para Linux
 

Recently uploaded

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedKaiNexus
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Serviceankitnayak356677
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 

Recently uploaded (20)

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 

Microsoft OCSP LUNA SA PCI Integration Guide

  • 1.
  • 2. Microsoft OCSP Integration Guide Preface Preface Š 2010 SafeNet, Inc. All rights reserved. Part Number: 007-011100-001 (Rev A, 03/2010) All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of SafeNet. SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes. SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address below. SafeNet, Inc. 4690 Millennium Drive Belcamp, Maryland 21017 USA Limitations This document does not include the steps to set up the third-party software. The steps given in this document must be modified accordingly. Refer to Luna SA documentation for general Luna setup procedures. Disclaimers The foregoing integration was performed and tested only with the specific versions of equipment and software and only in the configuration indicated. If your setup matches exactly, you should expect no trouble, and Customer Support can assist with any missteps. If your setup differs, then the foregoing is merely a template and you will need to adjust the instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee success in setups that we have not tested. 
Technical Support If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you. Technical Support Contact Information: Phone: 800-545-6608, 410-931-7520 Email: support@safenet-inc.com Š SafeNet Inc. i
  • 3. Microsoft OCSP Integration Guide Preface ii Š SafeNet Inc.
Table of Contents

Preface ... i
Chapter 1 Introduction ... 1
  Scope ... 3
  Supported Platforms ... 3
  Prerequisites ... 3
    Luna SA Setup ... 3
    Luna PCI Setup ... 3
    Microsoft OCSP Setup ... 3
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI ... 5
  Setting up Luna SA / Luna PCI for Online Certificate Status Protocol ... 5
  Before you install ... 5
  1. Setting up an Enterprise Root certificate authority ... 9
  2. Installing the Online Responder service ... 10
  3. Configuring the CA to issue OCSP Response Signing Certificates ... 10
    3.1 Configuring certificate templates for your test environment ... 10
    3.2 Making OCSP only accept a SafeNet Provider ... 11
    3.3 Configuring the CA to support the Online Responder service ... 12
  4. Creating a revocation configuration ... 12
    4.1 Verifying that the signing certificate is properly configured ... 13
    4.2 Modifying the Online Responder service to use Luna Hardware Security Modules ... 13
    4.3 Setting up a revocation configuration ... 14
  5. Verifying that OCSP works correctly ... 15
    5.1 Generate a Certificate Request ... 15
    5.2 Test the certificate's origin ... 15
    5.3 Verify the OCSP Server is Active ... 16
Chapter 1 Introduction

This document is intended to guide security administrators through the steps for integrating Microsoft OCSP (Online Certificate Status Protocol) with Luna HSMs, and covers the information needed to install, configure and integrate Microsoft OCSP with SafeNet Luna Hardware Security Modules (HSMs).

OCSP is a protocol used to provide real-time validation of a certificate's status. An OCSP responder responds to certificate status requests and can issue one of three responses:
• Valid
• Invalid
• Unknown

The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates. The service evaluates the status requests for these certificates and sends back a signed response containing the requested certificate status information.

Understanding the Online Responder's Components

The Microsoft OCSP implementation is divided into client and server components (Figure 1). The client component is built into the CryptoAPI 2.0 library, while the server component is introduced as a new service provided by the Active Directory® Certificate Services (AD CS) server role.

Figure 1: Microsoft Online Responder Components
Figure 2: After integrating Luna SA / Luna PCI

OCSP Client

The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements the recommendation specified in the draft Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume scenarios.

Online Responder Service

The Online Responder is a Microsoft Windows NT® service (ocspsvc.exe) that runs with Network Service privileges. It performs the following operations:
• Manages the Online Responder configuration. The Online Responder provides a responder-wide set of attributes that can be configured. These attributes include public interfaces, access control settings, audit settings, and Web proxy cache settings. All the configuration information is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
• Retrieves and caches revocation information based on configuration. Based on the revocation configuration, the Online Responder service can retrieve and cache revocation information such as CRLs and delta CRLs for future use. For more information, see Revocation Configuration.
• Signs responses. For each successful request, the Online Responder signs the response with a pre-acquired signing key. Luna SA and Luna PCI are used here for secure and fast signing of the response.
• Audits configuration changes. To conform to the Common Criteria requirements, all configuration changes of the Online Responder can be audited. For more information about audit settings, see Configuring the Online Responder.
Revocation Configuration

A revocation configuration is a set of definitions that configure the Online Responder service to respond to certificate status requests for a specific CA. Every Online Responder can have one or more revocation configurations. Revocation configurations include:
• CA certificate
• Signing certificate for OCSP responses
• Revocation provider specific configuration

Scope

This document outlines the steps to integrate Microsoft OCSP with Luna SA / Luna PCI.

Supported Platforms

The following platforms are supported for Luna SA v4.4.1 and Luna PCI v3.0:
• Windows Server 2008 R2

Prerequisites:

Luna SA Setup:

Please refer to the Luna SA documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started, ensure the following:
• Luna SA appliance and a secure admin password.
• Luna SA has a hostname suitable for your network.
• Luna SA network parameters are set to work with your network.
• The HSM on the Luna SA appliance has been initialized.
• Certificates have been created and exchanged between the Luna SA and your Client system.
• A partition has been created on the HSM; remember the partition password, which will later be used by Microsoft OCSP.
• The Client has been registered with the partition, and the "vtl verify" command has been run on the client system to display the partition from the Luna SA. On Windows the general form of the command is:
    C:\Program Files\Luna SA> vtl verify
• Partition "Activation" and "Auto Activation" are enabled (Partition policy settings 22 and 23; applies to Luna SA with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Luna PCI Setup:

Please refer to the Luna PCI documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started, ensure the following:
• Initialize the HSM on the Luna PCI appliance.
• Create a partition on the HSM that will later be used by Microsoft OCSP.
• Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23; applies to Luna PCI with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Microsoft OCSP Setup:

Microsoft OCSP must be installed on the target machine to carry on with the integration process. For a detailed installation procedure of Oracle database 11g, please refer to the Oracle documentation. You need to select advanced installation during the installation procedure. The following setup is required:
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Domain Controller.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Certificate Authority and OCSP Server.
• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a client to submit enrollment requests to the CA.
• Domain Administrator privileges.

The three machines utilized are denoted in the setup as follows:
• OCSPDC: Windows Server 2008 R2 Enterprise Edition Domain Controller machine.
• OCSPCA: Windows Server 2008 R2 Enterprise Edition Certificate Authority and OCSP Server machine.
• OCSPClient: Windows Server 2008 R2 Enterprise Edition client machine.
Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI

Setting up Luna SA / Luna PCI for Online Certificate Status Protocol

To set up Luna HSMs for Online Certificate Status Protocol, perform the following:

Before you install

• KSP must be installed on the Certificate Authority and OCSP Server in a separate step following completion of the main Luna SA / Luna PCI Client software installation.
• Traverse to C:\Program Files\SafeNet.
• Run KspConfig.exe (the KSP configuration wizard).
• Double-click Register Or View Security Library on the left side of the pane.
• Browse to the library C:\Program Files\LunaSA\cryptoki.dll and click Register.
• On successful registration you will receive the message "Success registering the security library".
• Double-click Register HSM Slots on the left side of the pane.
• Enter the Slot (Partition) password.
• Click Register Slot to register the slot for Domain\User. On successful registration you will receive the message "The slot was successfully and securely registered".
• Also register the slot for NT_AUTHORITY\SYSTEM under Domain\User.
1. Setting up an Enterprise Root certificate authority

An enterprise root CA is used to issue certificates to the Online Responder service and to client computers, and to publish certificate information to Active Directory Domain Services (AD DS).

a. Log on to OCSPCA as a Domain Administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. In the Roles Summary section (in the right-hand part of the window), click Add Roles.
d. On the welcome screen that appears, click Next.
e. When the Select Server Roles section appears, select Active Directory Certificate Services and click Next twice.
f. On the next screen, select Certification Authority and click Next.
g. In the Specify Setup Type section, click Enterprise and then click Next.
h. In the Specify CA Type section, click Root CA and then click Next.
i. When the Set Up Private Key section appears, select Create a new private key and click Next.
j. In the Configure Cryptography for CA section, select and set up the provider you wish to use for the CA.
The following SafeNet providers are available for use (if they are installed and correctly set up, they will be displayed in the drop-down list under the Select a Cryptographic Service Provider heading):
- RSA#SafeNet Key Storage Provider
- DSA#SafeNet Key Storage Provider
- ECDSA_P256#SafeNet Key Storage Provider
- ECDSA_P384#SafeNet Key Storage Provider
- ECDSA_P521#SafeNet Key Storage Provider

Note: When using SafeNet providers, ensure that you use a SHA hashing algorithm.

k. Once the provider has been selected and set up, click Next.
l. In the Configure CA Name, Set Validity Period and Certificate Database sections, accept the default values and click Next.
m. Finally, the Confirm Installation Selections section will appear. Check that everything is correct and click Install.
n. Once the setup is complete, check that there were no errors and click Close.

2. Installing the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. Expand the Roles section (in the left-hand section) and click Active Directory Certificate Services. In the bottom right-hand section, click Add Role Services.
d. In the Select Role Services section that appears, select Online Responder. A prompt appears asking you to install IIS 7.
e. Click Add Required Role Services and, when the prompt disappears, click Next twice.
f. In the Select Role Services section for Web Server (IIS), accept the default values and click Next.
g. In the Confirm Installation Selections section, check that everything is correct and click Install.
h. Once the setup is complete, check that there were no errors and click Close.

3. Configuring the CA to issue OCSP Response Signing Certificates

Configuring a CA to support Online Responder services involves configuring certificate templates and issuing properties for OCSP Response Signing certificates. There are also other steps to be completed on the CA so that it can support the Online Responder and certificate issuing.

3.1 Configuring certificate templates for your test environment
a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. In the Run dialog, type mmc and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section) and select it.
f. Click Add, and then click OK.
g. Under Console Root, expand the Certificate Templates snap-in. Listed in the middle section will be all the available certificate templates that you can make your CA issue.
h. Scroll down the list until you locate the OCSP Response Signing template, right-click it and click Properties.
i. In the pop-up dialog that appears, click the Security tab and click Add.
j. In the Select Users, Computers, or Groups dialog that appears, type the name of the machine which is hosting the Online Responder service (in this case OCSPCA).
k. Click OK. The dialog will not be able to locate the machine; instead another dialog will appear.
l. In this dialog, click Object Types, make sure the check box next to Computers is selected and click OK.
m. Now re-enter OCSPCA in the Select Users, Computers, or Groups dialog, if it is not already there, and click OK. The machine hosting the Online Responder will be added to the Group or user names area under the Security tab.
n. Click OCSPCA in the Group or user names area.
o. In the Permissions area, make sure that the Read and Autoenroll check boxes are ticked.
p. Click Apply and then OK.

3.2 Making OCSP only accept a SafeNet Provider

This can only be carried out using the SafeNet CNG CSP, which is referred to as the SafeNet Key Storage Provider.

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. Type mmc in the Run dialog and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section). Click it, click Add >, then click OK.
f. Click the Certificate Templates snap-in under Console Root and expand it. Listed in the middle section will be all the available certificate templates that you can make your CA issue. Scroll down the list until you locate the OCSP Response Signing template.
g. Right-click the OCSP Response Signing template and click Properties.
h. In the pop-up dialog that appears, click the Cryptography tab.
i. By default, the radio button next to Requests can use any provider on the client's machine is selected. Below it is another radio button, Requests must use one of the following providers. Select this radio button so that it becomes active.
j. A box below the two radio buttons becomes active. In this box select SafeNet Key Storage Provider.
k. Click Apply and then OK.

3.3 Configuring the CA to support the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Certification Authority.
c. In the console tree (left-hand section), click the CA. (It has a computer and a green tick next to it.)
d. Navigate to the Action menu and click Properties.
e. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
f. Click Add. In the Add Location dialog, type the following under Location:
g. http://<nameofcomputerhostingOCSPhere>/ocsp. For example, the address when using OCSPCA would be http://OCSPCA/ocsp.
h. Click OK.
i. On the Extensions tab:
   - Ensure that the URL that was just added to the locations area is highlighted.
   - Ensure that the check boxes next to "Include in the AIA extension of issued certificates" and "Include in the online certificate status protocol (OCSP) extension" are ticked.
j. Click Apply and let the service restart.
k. Click OK.
l. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New > Certificate Template to Issue.
m. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates you configured previously, then click OK.
n. Open Certificate Templates in the Certification Authority snap-in and verify that the modified certificate templates appear in the list.

4. Creating a revocation configuration

A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
4.1 Verifying that the signing certificate is properly configured

a. Restart OCSPCA to enroll for certificates and make sure that the templates are correctly registered.
b. Log on to OCSPCA as a domain administrator.
c. From the Start menu, select Run.
d. In the Run dialog, type mmc and click OK.
e. In the mmc console that appears, select File > Add/Remove Snap-in…
f. In the Add or Remove Snap-Ins dialog that appears, find the Certificates snap-in (under the Available snap-ins section).
g. Click the snap-in and click Add.
h. In the dialog that appears, select the Computer Account radio button, then click Next.
i. In the Select Computer dialog, ensure that Local Computer is selected and click Finish.
j. Click OK.
k. Under Console Root, expand the Certificates heading.
l. Select the Personal folder and expand it.
m. Select the Certificates folder. In the right-hand pane, a certificate should appear.
n. If there are numerous certificates, pick the one which matches your machine name. In the case of OCSPCA the certificate name will be something like OCSPCA-CA.
o. Right-click the certificate and click Properties.
p. Under the General tab in the dialog box that appears, there is a section named Certificate Purposes.
q. The radio button next to Enable all purposes for this certificate is selected by default; this needs to be changed. Select the radio button next to Enable only the following purposes.
r. Click Apply and then OK.

4.2 Modifying the Online Responder service to use Luna Hardware Security Modules

To use OCSP in conjunction with Luna HSMs, the Online Responder service must be changed so that an HSM can be used to protect the OCSP signing keys.

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Services.
c. Locate the Online Responder Service in the list of services.
d. Right-click the Online Responder Service and select Properties.
e. In the dialog box that appears, select the Log On tab.
f. Under the Log on as heading, select the radio button next to Local System account; the option Allow service to interact with desktop becomes active, with a check box next to it.
g. Select the check box.
h. Click Apply and then OK.
i. Back in the Services window, right-click the Online Responder Service and click Restart.

4.3 Setting up a revocation configuration

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Online Responder Management.
c. In the left-hand pane, click Revocation Configuration.
d. In the right-hand pane, under Actions, click Add Revocation Configuration.
e. In the dialog box that appears, click Next on the "Getting started with adding a revocation configuration" section.
f. In the "Name the Revocation Configuration" section, type a name for the configuration in the text box. (For this walkthrough we will use Test.) Then click Next.
g. In the "Select CA Certificate Location" section, ensure that the radio button next to "Select a certificate for an Existing enterprise CA" is selected and click Next.
h. In the "Choose CA Certificate" section, ensure that the radio button next to "Browse CA certificates published in Active Directory" is selected and then click Browse.
i. In the Select Certification Authority dialog box that appears, select the CA (in this case OCSPCA) and click OK. Then click Next.
j. In the Select Signing Certificate section, ignore the default settings; instead make sure the radio button next to "Manually select a signing certificate" is selected, and click Next.
k. In the Revocation Provider section, click Finish. Once the wizard has completed, the status of the Online Responder will be shown in the Revocation Configuration Status box. It should say "Bad Signing on Array Controller".
l. To fix this, click Array Configuration in the left-hand pane and expand it.
m. The directory tree should list the CA that is being used, in this case OCSPCA.
n. Click it.
o. Listed in the middle section should be the revocation configuration that was just created, in this case Test.
p. In the right-hand pane, locate "Assign a signing certificate" and click it. The dialog box that appears should list the certificate that was set up earlier.
q. Click it and click OK.
r. Back in the Online Responder Management tool, under Actions in the right-hand section, click Refresh.
s. In the left-hand pane, click Online Responder: Computer Name and check that the Revocation Configuration Status is shown as Working.

5. Verifying that OCSP works correctly

5.1 Generate a Certificate Request

a. Log on to the OCSPClient machine and generate some certificate requests using the template structure below. (Try to use different vendors' cryptographic service providers.)

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "C=IN,CN=OCSPClient"
    HashAlgorithm = SHA1
    KeyAlgorithm = RSA
    KeyLength = 1024
    ProviderName = "Provider that will be used here"
    KeyUsage = 0xf0
    MachineKeySet = True
    RequestType = PKCS10

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1

    [Extensions]
    1.3.6.1.5.5.7.48.1.5 = Empty

b. Copy and paste the above template into a Notepad file, making sure that the ProviderName variable is filled in correctly (with the quotation marks around it).
c. Once the template has been successfully set up, save it as test.inf on the C: drive.
d. Open a command prompt and go to the local drive, in this case C:. Type the following at the command prompt:
    certreq -new test.inf test.req
   A certificate request called test.req will be generated and placed on the C: drive.
e. Next, type the following at the command prompt:
    certreq -submit -attrib "CertificateTemplate:WebServer" test.req
   A box will appear asking which CA to use. Click the OCSPCA entry and click OK. A file dialog will appear asking you to save the certificate to a file.
f. Type test in the File Name text box and click OK. After a short pause a message saying Certificate Successfully Generated will appear at the command prompt, and a certificate file called test.cer will appear on the C: drive.

5.2 Test the certificate's origin

a. Now log on to OCSPCA and go to the Certification Authority tool by browsing to Start > Control Panel > Administrative Tools > Certification Authority.
b. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then right-click the Revoked Certificates folder, point to All Tasks, and click Publish.
c. In the Certification Authority snap-in, right-click the CA, in order to remove all CRL distribution point extensions from the issuing CA.
d. In the pop-up menu that appears, click Properties.
e. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
f. Click any CRL distribution points that are listed, click Remove, and click OK.
g. Now click Apply. A pop-up box will appear saying you need to restart the service.
h. Click OK and watch the service restart.
i. Using the certificate called test.cer that was generated earlier on the OCSPClient machine, verify that clients can still obtain revocation data. To do this, at a command prompt on OCSPClient, type:
    certutil -url test.cer
j. In the URL Retrieval Tool dialog box that appears, click the radio button next to CRLs (From CDP) and click Retrieve. The list should be empty.
k. Click the radio button next to OCSP (From AIA) and click Retrieve. The list should contain an OCSP entry showing the web address of your OCSP server. If it is working correctly, the word Verified should appear in the first column of the list.
l. Click the radio button next to Certs (from AIA) and click Retrieve. One or two entries should be listed, with Verified next to them. If Certificate Authority Web Enrollment is not installed on the CA, an entry with AIA may display as Failed. However, as long as one of the entries in the Certs (from AIA) section reads Verified, there should be no problems with the setup.

5.3 Verify the OCSP Server is Active

a. Open a command prompt and select the local drive, in this case C:. Type the following at the command prompt:
    certutil -verify test.cer > test.txt
b. When the verify command has completed, open the test.txt file on the C: drive. It should contain information of this kind:

    Issuer:
        CN=LunaOCSP-OCSPCA-CA
        DC=LunaOCSP
        DC=com
    Subject:
        CN=OCSPClient
        C=IN
    Cert Serial Number: 6165202e000000000002

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      NotBefore: 2/23/2010 3:04 AM
      NotAfter: 2/23/2012 3:04 AM
      Subject: CN=OCSPClient, C=IN
      Serial: 6165202e000000000002
      Template: WebServer
      57 74 00 3f e4 37 97 87 de c3 19 67 53 68 ab ed ee 19 1c 00
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      CRL 02:
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      79 ab 66 69 d0 f1 7c a0 fa 6a fc a9 12 5a 37 5c 97 ad 28 9d
      Delta CRL 02:
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      6b a4 ad ba 47 ce 6a fb 8e 4c 2c ac 97 5d f3 dc 24 4a ee d0
      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      NotBefore: 2/22/2010 9:29 PM
      NotAfter: 2/22/2015 9:39 PM
      Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
      Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
      6a a9 1a 14 21 12 19 49 f7 de 87 cc 5a 56 4d ae 83 31 cb 1a
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      f3 3f 43 dd dd 8e 07 8d 49 20 87 a8 a9 a0 b5 12 cb d8 87 41
    Full chain:
      43 13 27 df 64 d7 43 b0 88 f7 4d 97 1b 50 0a 46 8e ca 36 fb
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

c. Ensure that the last part of the verify command's output reads something like this:

    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

This shows that the OCSP Server is working correctly and there were no errors.
The most important part of the above example is the Leaf certificate revocation check passed line, as this shows the OCSP server is returning the certificate status as 'Good'. If the log generated by the verify command does not include the above section (or something like it) and contains errors in the main body of the output, like the example below, restart the OCSP server and client machine and re-run the verify command on the certificate file.
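A check for the test.txt listing described above, as an added example that is not part of the SafeNet guide: it parses the certutil -verify output, decodes each chain element's dwErrorStatus into CryptoAPI CERT_TRUST_* flag names, and reports whether the leaf revocation check passed. Both inputs are constructed samples; the offline-responder one is hypothetical.

```python
"""Check certutil -verify output for the result that section 5.3 expects.
Added example, not from the SafeNet guide; both inputs are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abbreviated from the guide's own test.txt listing.
SAMPLE_GOOD = """\
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=OCSPClient, C=IN
  Serial: 6165202e000000000002
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
  Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

# Constructed (hypothetical) failure sample: the responder could not be
# reached, so the leaf element carries the offline-revocation error bits.
SAMPLE_OFFLINE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=OCSPClient, C=IN
  Serial: 6165202e000000000002
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
  Serial: 4a5e361fb0efa3844bed61bde4bcf7c2
ERROR: Verifying leaf certificate revocation status returned The revocation
function was unable to check revocation because the revocation server was
offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
"""

# dwErrorStatus bits, from CryptoAPI's CERT_TRUST_STATUS (wincrypt.h).
ERROR_BITS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
ELEMENT_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9a-f]+ dwErrorStatus=([0-9a-f]+)")
FRESHNESS_RE = re.compile(r"ChainContext\.dwRevocationFreshnessTime:\s*(.*)")


@dataclass
class ChainElement:
    index: int          # 0 is the leaf; the last element is the root
    error_status: int   # raw dwErrorStatus value
    subject: str = ""
    serial: str = ""

    def errors(self) -> List[str]:
        # Names of the CERT_TRUST_* error flags set on this element.
        return [name for bit, name in ERROR_BITS.items() if self.error_status & bit]


@dataclass
class VerifyResult:
    leaf_revocation_passed: bool
    completed: bool
    freshness_seconds: Optional[int] = None
    elements: List[ChainElement] = field(default_factory=list)


def _freshness_seconds(text: str) -> int:
    """'14 Minutes, 35 Seconds' -> 875."""
    unit = {"D": 86400, "H": 3600, "M": 60, "S": 1}
    parts = re.findall(r"(\d+)\s+(Days?|Hours?|Minutes?|Seconds?)", text)
    return sum(int(n) * unit[u[0]] for n, u in parts)


def parse_verify_output(text: str) -> VerifyResult:
    """Parse certutil -verify output into a VerifyResult."""
    result = VerifyResult(
        leaf_revocation_passed="Leaf certificate revocation check passed" in text,
        completed="CertUtil: -verify command completed successfully." in text)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ELEMENT_RE.match(line):
            current = ChainElement(int(m.group(1)), int(m.group(2), 16))
            result.elements.append(current)
        elif m := FRESHNESS_RE.match(line):
            result.freshness_seconds = _freshness_seconds(m.group(1))
        elif current is not None and line.startswith("Subject:"):
            current.subject = line[len("Subject:"):].strip()
        elif current is not None and line.startswith("Serial:"):
            current.serial = line[len("Serial:"):].strip()
    return result


def problems(result: VerifyResult) -> List[str]:
    """Everything that would make the 5.3 check a failure; empty means OK."""
    out = []
    if not result.leaf_revocation_passed:
        out.append("leaf certificate revocation check did not pass")
    for e in result.elements:
        out.extend(f"element {e.index} ({e.subject}): {n}" for n in e.errors())
    return out
```

Feed it the real test.txt with `problems(parse_verify_output(open("C:\\test.txt").read()))`; an empty list is the outcome step c expects.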
References

1. Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder)
   http://technet2.microsoft.com/windowsserver2008/en/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f1033.mspx?mfr=true
2. Implementing Online Certificate Status Protocol
   http://hosteddocs.ittoolbox.com/TB100104.pdf
3. Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide
   http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx