Hi again! So far, I've configured AD CS to issue certificates and secure internal systems like IIS and Exchange. But what if a certificate gets compromised or needs to be revoked?
That's where certificate revocation comes in, and to make it efficient, we use the Online Certificate Status Protocol (OCSP) instead of relying solely on CRLs, which can be stale between publications.
Let me show you how I set it up in my enterprise environment.
What Is Certificate Revocation?
Revocation is how we declare a certificate untrusted before it expires.
There are two main methods:
| Method | Description |
|---|---|
| CRL (Certificate Revocation List) | A list of revoked certs, published periodically |
| OCSP (Online Certificate Status Protocol) | Real-time certificate status checking |
Why OCSP?
CRLs are fine, but they:
- Can be slow to update
- Don't scale well
- Increase network load
OCSP gives real-time revocation checking and is recommended for high-security and modern applications (such as Exchange and RDS).
Prerequisites
Before I begin:
- Enterprise CA is installed
- Certificate templates and enrollment are working
- CRL distribution points are configured
- Windows Server with the Web Server role ready for the OCSP Responder
Step 1: Install OCSP Responder Role
On a server (can be the CA itself or a separate machine):
- Open Server Manager
- Click Add Roles and Features
- Select:
  - Role-based installation
  - Online Responder under Active Directory Certificate Services
- Also add:
  - Web Server (IIS) if prompted
- Complete the wizard and restart if needed
Step 2: Configure the Online Responder
- Open Server Manager → AD CS → Configure Active Directory Certificate Services
- Select only the Online Responder role
- Choose an appropriate service account (Network Service, or a domain account with the required permissions)
- Complete the wizard
Step 3: Add the OCSP URL to the CA
- Open the Certification Authority console on your CA
- Right-click Revoked Certificates → Properties
- In the Extensions tab:
  - Select Authority Information Access (AIA) and CRL Distribution Point (CDP)
  - Add your OCSP URL (e.g., http://ocsp.domain.local/ocsp)
Make sure to:
- Check Include in the AIA extension of issued certificates
- Publish the location via web server
Restart the CA service after applying changes.
Step 4: Issue OCSP Signing Certificate
The Online Responder needs its own certificate to sign OCSP responses.
- On the CA, make sure the OCSP Response Signing template is published:
  - Open the Certificate Templates console
  - Publish OCSP Response Signing
- On the OCSP server, open mmc.exe → Certificates (Computer) snap-in
- Request a new certificate using the OCSP Response Signing template
Step 5: Test OCSP Functionality
- Open Online Responder Management from Administrative Tools
- Right-click Revocation Configuration → Add Revocation Configuration
- Follow the wizard:
  - Name it
  - Choose the CA certificate from Active Directory
  - Choose Use CRLs from this CA
  - Link it to your OCSP signing certificate
- Use this command to test OCSP:
  `certutil -url <path-to-cert.cer>`
- Click the OCSP tab → Hit Retrieve
You should see a “Verified” message from the OCSP responder.
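Here is the same procedure, Steps 1 through 5, as a scripted equivalent that you can keep with your build documentation. This is an added example, not code from the original post. It assumes an OCSP host name of ocsp.domain.local that resolves to the responder, that the responder's /ocsp virtual directory lives on the Default Web Site (which is what the configuration cmdlet creates), and a test certificate exported to C:\temp\test.cer. It uses the ADCSDeployment and ADCSAdministration cmdlets that ship with the role; the revocation configuration itself is still created in the Online Responder Management console as described above.

```powershell
# Added example (not from the original post): scripted equivalent of Steps 1-5.
# Assumptions (labelled): ocsp.domain.local resolves to the responder, and a test
# certificate is exported to C:\temp\test.cer. Run each section on the server it
# names, from an elevated PowerShell session.

# --- Steps 1-2: install and configure the Online Responder (on the OCSP server) ---
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools   # pulls in IIS if missing
Install-AdcsOnlineResponder -Force      # same outcome as the AD CS configuration wizard

# --- Step 3: publish the OCSP URL in the AIA/OCSP extension of issued certs (on the CA) ---
$OcspUrl = 'http://ocsp.domain.local/ocsp'   # assumption: matches the responder's IIS path
Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
Restart-Service CertSvc                      # the CA only picks up extension changes on restart
# Verify the entry landed with the OCSP flag set
Get-CAAuthorityInformationAccess | Where-Object Uri -eq $OcspUrl |
    Format-List Uri, AddToCertificateAia, AddToCertificateOcsp

# --- Step 4: publish the template (on the CA), then enroll (on the OCSP server) ---
# Template internal name has no spaces, unlike the display name in the console
certutil -SetCATemplates +OCSPResponseSigning

# On the OCSP server: request the signing certificate into the machine store
$result = Get-Certificate -Template 'OCSPResponseSigning' -CertStoreLocation Cert:\LocalMachine\My
$result.Status                                              # expect: Issued
$result.Certificate | Format-List Subject, NotAfter, EnhancedKeyUsageList
# Note: the responder's service account (Network Service by default) needs Read on this
# certificate's private key (Certificates MMC -> All Tasks -> Manage Private Keys) before
# the revocation configuration can use it.

# --- Step 5: test from any domain-joined client, without the GUI ---
# -verify -urlfetch builds the chain and fetches every AIA, CDP and OCSP URL in the
# certificate; the OCSP entries should be reported as Verified.
certutil -verify -urlfetch C:\temp\test.cer
```

If the `Get-CAAuthorityInformationAccess` output shows the URL with AddToCertificateOcsp set to False, the CA will write it as a plain AIA location and clients will never query the responder; that is the scripted form of the checkbox mentioned in Step 3. Certificates issued before the restart do not contain the new URL, so test with a freshly issued one.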
Pro Tip: Secure and Monitor OCSP
- Enable HTTPS on your OCSP IIS site
- Monitor the OCSP role using Windows Event Logs
- Use a firewall to restrict unnecessary access to the OCSP ports (usually 80/443)
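To put those three tips into practice, here is an added example (not from the original post) that scopes inbound access to the responder, checks the service and IIS bindings, pulls recent Online Responder events, and runs a synthetic revocation check you can schedule. Assumed values: client networks in 10.0.0.0/8, the responder on the Default Web Site, the event provider name Microsoft-Windows-OnlineResponder (confirm it with the Get-WinEvent -ListProvider line in the comments), and a known-good certificate at C:\temp\test.cer.

```powershell
# Added example (not from the original post): restrict, verify and monitor the responder.
# Assumptions (labelled): clients live in 10.0.0.0/8, the /ocsp site is on the Default
# Web Site, the event provider is Microsoft-Windows-OnlineResponder, and C:\temp\test.cer
# is a certificate issued by this CA. Run elevated on the OCSP server.

# 1. Firewall: allow 80/443 only from the networks that actually perform revocation checks.
#    A scoped allow rule does nothing while the broad IIS default rules are still enabled,
#    so disable those first (assumption: the default rule names start with this text).
Get-NetFirewallRule -DisplayName 'World Wide Web Services*' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'OCSP responder (internal networks only)' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -RemoteAddress 10.0.0.0/8 -Action Allow
# OCSP responses are signed with the responder certificate, so integrity does not depend on
# TLS. If you add an HTTPS binding, keep the HTTP binding too: the AIA URL published in
# Step 3 is http://, and that is the one clients will fetch.

# 2. Health: the responder service (OCSPSvc) and IIS must both be running, with bindings
#    that match the published URL.
Get-Service OCSPSvc, W3SVC | Select-Object Name, Status
Import-Module WebAdministration
Get-WebBinding -Name 'Default Web Site' | Select-Object protocol, bindingInformation

# 3. Event logs: pull the last 24 hours of Online Responder events. Confirm the provider
#    name on your build with:  Get-WinEvent -ListProvider '*OnlineResponder*'
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-OnlineResponder'   # assumption, see comment above
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# 4. Synthetic check: fetch the OCSP status of a known-good certificate and fail loudly.
#    Wire this into a scheduled task or your monitoring agent so a broken responder is
#    noticed before clients start failing revocation checks.
$output = certutil -verify -urlfetch C:\temp\test.cer 2>&1 | Out-String
if ($output -match 'Verified\s+"OCSP"') {
    'OCSP check OK'
} else {
    Write-Error "OCSP check failed; certutil output follows:`n$output"
}
```

The synthetic check is the piece most shops skip: the Online Responder answers from the CA's CRL, so an expired CRL or a signing certificate that has quietly expired shows up here as a failed fetch long before anyone opens the console.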
What's Next?
In the final blog of the series, I'll walk through hardening, backing up, and auditing the Enterprise CA so it's secure, compliant, and well-managed.