Online Certificate Status Protocol (OCSP) in Windows Server 2008 and Vista

The Online Certificate Status Protocol (OCSP) allows organizations that manage their own Public Key Infrastructure (PKI) to improve efficiency by offloading certificate revocation list (CRL) checking to the server. Windows7 and Windows Vista benefit from an OCSP client, allowing certificate revocation checking to be enabled in Internet Explorer 8 and 7 by default.

Managing X.509 Certificate Revocation

Certification authorities (CAs) issue X.509 certificates for a given period, but you might need to revoke a certificate before the end of its lifespan. For example, if a CA's private key is compromised and bogus certificates are issued, or if a user who was issued a certificate leaves an organization.

Traditionally, the status of a certificate is determined by checking a CRL. This method works well for PKIs that issue a limited number of certificates, but for public CAs or large enterprises, CRLs don't scale well if certificates are revoked on a regular basis. CRLs detail all revoked certificates, and as this list grows, it becomes more bandwidth-intensive to distribute, potentially making users wait longer for a response. The bandwidth requirements for determining certificate revocation status using CRLs can be so large that if you enable it in applications like Internet Explorer or Outlook prior to Windows Vista, the programs often grind to a halt. Delta CRLs provide a partial solution to the problem by transferring only changes to the CRL.

Online Responders answer queries from OCSP clients, including Vista and Server 2008, when the status of a certificate needs to be verified. OCSP is an HTTP protocol used to address the scale and performance limitations of CRLs, reducing the amount of bandwidth required to perform certificate status checks by enabling Online Responders to receive all the CRL data from the CAs, as opposed to the clients downloading a CRL. When OCSP is used to determine certificate status, a request for information about a single certificate is sent from the OCSP client, and the amount of data returned to the OCSP client doesn't vary, no matter how many revoked certificates are on a CA's CRL. The data returned to the OCSP client is digitally signed. Online Responders, in the case of Microsoft's implementation, receive certificate revocation status from CRLs, so are still limited by the frequency with which CRLs are published. Some Online Responders, however, are able to communicate directly with a CA's certificate database to get up-to-date status information.

OCSP requires that CAs provide a response to OCSP clients, which can limit the scalability of Online Responders and creates an extra burden on CAs—CAs have to provide responses for (potentially) millions of requests. OCSP stapling further streamlines the processes of validating certificates by allowing the owner of a certificate, such as an SSL-enabled website, to query an Online Responder recurrently. It can then include the response, which is time-stamped and signed by the CA, to clients as part of an SSL/TLS handshake, avoiding the need for applications to directly query an Online Responder.

OCSP in the Enterprise

For organizations with more than one CA, Online Responders can be added to improve PKI response times and scalability. OCSP is especially useful in situations where clients are connecting to the network over a slow link and don't have the necessary bandwidth to download large CRLs. Research by Microsoft shows that OCSP can help reduce bandwidth when there are many simultaneous requests for certificate revocation status, such as first thing on Monday morning, when lots of users log on and send email. Online Responder requests are integrated with Kerberos password authentication so that server certificates can be validated when users log on.

Certificate revocation checking using OCSP is enabled by default in Server 2008, Vista and later OSs for Internet Explorer because of the presence of an OCSP client in the CryptoAPI. The advantage for end users is that certificate revocation status checking can be enabled in applications that support PKI without the bandwidth-related performance problems encountered in previous versions of Windows.

Install an Online Responder on Windows Server 2008

In this article, I'll look at basic installation of Microsoft's Online Responder service and observe successful OCSP responses in certificate revocation status checks from Internet Explorer 7. The Online Responder should be installed, and the CA configured for OCSP, before any certificates are issued. All the instructions should be carried out on Server 2008, logged on as a domain administrator.

For this example, you'll need a Server 2008 (Enterprise Edition) domain controller. AD Certificate Services should be preinstalled on the domain controller (DC). In a production environment, you should install Certificate Services on a dedicated server—this example is just for simplicity.

Certificate Auto-Enrollment

Before I configure an Online Responder on the CA, I'll enable certificate auto-enrollment for all computers in the domain to make the lab easier to configure.

 

1. Open Group Policy Management from Start, Administrative Tools.
2. Expand your forest and domain in the left pane, right click Default Domain Policy, and select Edit from the menu.
3. In the left pane of Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings and click Public Key Policies.
4. In the right pane, double-click Certificate Services Client&emdash;Auto-Enrollment.
5. Set Configuration Model to Enabled and check Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, as shown in Figure 1. Click OK and close all Group Policy windows.

   Figure 1.

   
   
   
6. Open a command prompt and run the command
   gpupdate /force
   to apply the policy to the DC immediately.

Install the Online Responder Service

The Online Responder service is installed via Server Manager and IIS is added as a required component.

 

1. Open Server Manager from the Start menu.
2. Expand Roles in the left pane and click Active Directory Certificate Services.
3. In the right pane, scroll down to Role Services and click Add Role Services, shown in Figure 2.
   
   

   Figure 2. Click to expand.

   
   
   
4. On the Select Role Services screen, check Online Responder. Click Add Required Role Services in the Add Role Services dialog. Click Next on the Select Role Services screen.
5. Accept the default options on the two Web Server (IIS) screens by clicking Next twice. Click Install on the Confirmation screen.
6. Click Close on the Installation Results screen.

Enable an OCSP Response Signing Template

An OCSP Response Signing template should be enabled so that a Response Signing certificate can be enrolled on the CA.

 

1. Type MMC in the search box on the Start menu and press Enter. Press CTRL+M in the MMC window. Select Certificate Templates in the left pane on the Add or Remove Snap-ins dialog and click Add then OK.
2. Click Certificate Templates in the left pane of the MMC, right click OCSP Response Signing in the central pane and select Duplicate Template from the menu.
3. Select Windows Server 2008, Enterprise Edition on the Duplicate Template dialog and click OK.
4. On the General tab of the properties dialog, change Template display name to differentiate it from the original certificate. In this example, I renamed the certificate OCSP Response Signing_ad.contoso.com.
5. On the Security tab, click Add and then Object Types in the Select Users, Computers, or Groups dialog box. Check Computers under Object types and click OK.
6. Type the name of the CA computer in the Enter the object names to select field and then click Check Names. If you typed the name correctly, it should underline. Click OK.
7. On the Properties dialog, select the computer name entry under Group or user names and then check Read, Enroll and Autoenroll under Permissions, as shown in Figure 3. Click OK.

   Figure 3.

   
   
   
8. Close the Certificate Templates MMC.

Configure your CA to work with an Online Responder

The URL of the Online Responder must be included in the Authority Information Access (AIA) extension of all certificates issued so that OCSP clients know where to look for a certificate’s revocation information.

 

1. Open the Certificate Authority MMC from Start, Administrative Tools.
2. Right-click the CA in the left pane and select Properties from the menu.
3. Click the Extensions tab and then choose Authority Information Access (AIA) from the Select extension menu.
4. Click Add and type the URL for the Online Responder, in this case http:///ocsp, replacing with the name of your CA and click OK.
5. Back in the Properties dialog, select the Online Responder's URL from the list and check Include in the online certificate status protocol (OCSP) extension, as shown in Figure 4. Click OK.

   Figure 4.

   
   
   
6. At this point, you'll be prompted to restart Active Directory Certificate Services. Click Yes to continue.
7. Expand the CA in the left pane and right-click Certificate Templates. Select New, Certificate Template to Issue from the menu.
8. In the Enable Certificate Templates dialog box, select OCSP Response Signing_ad.contoso.com from the list and click OK.
9. Click Certificate Templates in the left pane and you should see your OCSP Response Signing certificate template in the list on the right, as shown in Figure 5.

   Figure 5. Click to expand.

   
   
   
10. Close the Certificate Authority MMC.
11. Open a command prompt and type
    certutil –pulse
    to force automatic enrollment of the OCSP Response Signing certificate.
12. Type MMC in the Start Search box on the Start menu and press Enter. Press CTRL+M in the MMC window. Select Certificates in the left pane of the Add or Remove Snap-ins dialog and click Add. Select Computer account in the Certificates snap-in dialog and click Next. Leave the default selection of Local computer and click Finish. Click OK in the Add or Remove Snap-ins dialog.
13. Expand Certificates (Local Computer), Personal, Certificates.
14. Check that a certificate for OCSP Signing appears in the list, as shown in Figure 6. Leave the Certificates MMC open because you'll need it later.

    Figure 6. Click to expand.

    
    
    

Configuring the Online Responder

Now I need to configure the Online Responder to work with my CA.

 

1. Type MMC in the search box on the Start menu and press Enter. Press CTRL+M in the MMC window. Select Online Responder Management in the left pane of the Add or Remove Snap-ins dialog, click Add and then OK.
2. Expand Online Responder in the left pane. Right click Revocation Configuration and select Add Revocation Configuration from the menu.
3. Click Next on the first screen of the wizard. Give the configuration Enterprise CA a name and click Next.
4. Leave the default option of Select a certificate for an Existing enterprise CA and click Next.
5. On the Choose CA Certificate screen, check Browse for a CA by Computer name and click Browse. Check Local computer in the Select Computer dialog and click OK. The CA name should now appear in blue on the Choose CA Certificate screen, as shown in Figure 7.

   Figure 7. Click to expand.

   
   
   
6. On the Select Signing Certificate screen, leave the auto enrollment options set to their defaults and click Next.
7. Click Finish on the Revocation Provider screen.

Testing the Online Responder Service

Now I'll create a new website in IIS to test the Online Responder using Internet Explorer.

 

1. Open Internet Information Services Manager from Start, Administrative Tools.
2. Click your server in the Connections pane, make sure Features View is selected in the central pane, and double-click Server Certificates.
3. Select Create Domain Certificate under Actions in the right pane.
4. In the Common Name box, enter the Fully Qualified Domain Name (FQDN) of the web server (in this case, the same machine as the CA, windc1.ad.contoso.com) and enter information for the rest of the fields as appropriate. Click Next to continue.
5. Click Select to the right of Select Online Certificate Authority, choose your CA from the list and click OK.
6. Under Friendly name, enter the FQDN of the server again and click Finish.
7. Right click your server under Connections and select Add Web Site from the menu.
8. Name the site TEST and set the physical path to c:\inetpub\wwwroot. Change the binding type to HTTPS and select the SSL certificate you just created from the drop-down menu, as shown in Figure 8. Click OK to continue.

   Figure 8.

   
   
   

Before I try to access my new site using a secure channel, I'll check that the certificate issued by the CA contains the URL for the Online Responder.

 

1. In the Certificates MMC, find the new certificate generated for IIS under Certificates (Local computer), Personal, Certificates.
2. Right-click the certificate and select All Tasks, Export.
3. Follow through the export wizard, leaving all the default options, and save the certificate as certificate.cer to a convenient location.
4. Open a command prompt in the directory where you saved the exported certificate and launch the URL Retrieval Tool by typing
   certutil –url certificate.cer
5. In the Retrieve section of the tool in the bottom right corner, select OCSP (from AIA) and click Retrieve. If the certificate contains a URL for the OCSP Responder, it should display as Verified, as shown in Figure 9.

   Figure 9.

   
   
   

Now I'll use Internet Explorer to access the TEST website and check the CryptoAPI logs to see if OCSP is used to successfully provide revocation data about the certificate.

 

1. Type eventvwr into Start Search on the Start menu and press Enter.
2. In the left pane, expand Applications and Services Logs, Microsoft, Windows, CAPI2. Right-click Operational under CAPI2 and select Enable Log from the menu.
3. Open Internet Explorer and type https://windc1.ad.contoso.com/ in the address bar.
4. Right click Operational in Event Viewer and select Refresh from the menu. In the central pane, look for Event ID 90&emdash;X509 Objects. Double-click the event and, on the Details tab under UserData, you should be able to find information about the OCSP response, as shown in Figure 10.

   Figure 10. Click to expand.

   
   
   

Figure 10 shows that OCSP has determined our certificate is OK (OCSP_BASIC_GOOD_CERT_STATUS), and information about when this data was generated and the next time it will be updated.

OCSP Limitations

OCSP support from all the major public CAs allowed certificate revocation checking to be enabled in Internet Explorer for the first time in Windows Vista, providing a greater level of trust when surfing the web. While OCSP doesn't offer a solution for those working offline to check certificate revocation status, it enables checking in situations where slow connections may have ruled out certificate revocation checking altogether in the past. Online Responders, while only benefiting smaller organizations in specific scenarios, can help large PKIs scale out and make them more responsive.

Related Reading:

• Use IPsec to Encrypt Data
• Protect Your PowerShell Scripts
• MD5 Collisions Put PKI At Risk
• Understanding IIS 7.0 Authentication