How to assign OCSP signing certificate

  • Question

  • Hi all

    I am trying to set up an external win server 2008 OCSP responder for a win server 2008 enterprise CA.

    I created a new revocation configuration in the Online Responder Management tool on the OCSP server, imported the CA certificate from file, chose to manually select a signing certificate and provided the Revocation providers.

    Then I issued an OCSP signing certificate through web enrollment from the OCSP server and installed the issued certificate, so I have both the private and public keys on the OCSP responder.

    The problem is that when I select the OCSP responder I have just created in array configuration and click on "Assign Signing Certificate" I don't see any certificates.

    What seems to be the problem?

    Wednesday, October 5, 2011 7:22 AM

Answers

  • You must re-install the OCSP certificate to the local machine store. If you can, export the existing certificate from the current user store to PFX and re-import it to the local machine store. If the private key is not exportable, you need to re-enroll for the OCSP signing certificate and install it to the local system store.

    > I could not perform the second task. Do you mean to right click on the certificate file?

    You can't, because this operation is not supported for user stores.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    • Marked as answer by Bruce-Liu Tuesday, October 11, 2011 6:19 AM
    Wednesday, October 5, 2011 9:54 AM

All replies

  • Make sure that:

    1) OCSP signing certificate is installed in LocalMachine\Personal store

    2) Network Service has Read permissions on private key. To assign permissions select OCSP signing certificate, right-click -> All Tasks -> Manage Private Keys. In the ACL editor add Network Service account and assign Read permissions.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, October 5, 2011 8:24 AM
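    An added check script for the two points above (not from the thread or the PSPKI module): it looks for an OCSP Signing certificate with a private key in LocalMachine\My, flags the asker's situation where it only exists in CurrentUser\My, and tests whether NETWORK SERVICE has Read on the key container file. It assumes an elevated PowerShell session on the responder host and a CSP (CAPI) key stored under MachineKeys; CNG keys live elsewhere and are only reported.

```powershell
# Added example, not code from the thread. Run elevated on the Online Responder host.
$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning

function Get-OcspSigningCert([string]$Store) {
    # Certificates whose EKU list contains OCSP Signing.
    Get-ChildItem $Store | Where-Object {
        @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $OcspSigningEku
    }
}

function Test-OcspSigningKeyAccess {
    # 1) The certificate and its key must be in LocalMachine\Personal.
    $machineCerts = @(Get-OcspSigningCert 'Cert:\LocalMachine\My')
    if (-not $machineCerts) {
        Write-Warning 'No OCSP signing certificate in LocalMachine\My.'
        $userCerts = @(Get-OcspSigningCert 'Cert:\CurrentUser\My')
        if ($userCerts) {
            # The mistake in this thread: enrolled in the user context.
            Write-Warning ("Found {0} in CurrentUser\My instead; export to PFX and import " +
                "into LocalMachine\My, or re-enroll as the machine." -f $userCerts[0].Thumbprint)
        }
        return $false
    }
    $ok = $true
    foreach ($cert in $machineCerts) {
        if (-not $cert.HasPrivateKey -or $null -eq $cert.PrivateKey) {
            Write-Warning "$($cert.Thumbprint): no private key here, or a CNG key (check Crypto\Keys ACL manually)."
            $ok = $false; continue
        }
        # 2) NETWORK SERVICE needs Read on the CSP key container file (assumed path).
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
        $rule = (Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
        }
        if ($rule) {
            Write-Host "$($cert.Thumbprint): OK, NETWORK SERVICE can read the key."
        } else {
            Write-Warning "$($cert.Thumbprint): NETWORK SERVICE lacks Read on $keyFile (All Tasks -> Manage Private Keys)."
            $ok = $false
        }
    }
    return $ok
}

Test-OcspSigningKeyAccess
```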
  • After checking the Certificates snap-in in the MMC I found out that the OCSP signing certificate and the private keys are installed in the current user\Personal store.

    How can I install or move the certificate and private key to the LocalMachine\Personal store?

    I could not perform the second task. Do you mean to right click on the certificate file?

    I didn't see an "All Tasks" option in the right click menu of the certificate file, nor in the right click menu in the Certificates snap-in.

    Wednesday, October 5, 2011 9:17 AM
  • Thanks for the help.

    My problem with the OCSP responder is solved and the status for the Revocation configuration is "Working".

    But when I send an OCSP request to the Responder I have created, using openssl on another PC, I get the Unauthorized error message.

    Are the permissions wrong? What can I do to make the OCSP service public?

    I checked /ocsp in IIS and anonymous authentication was enabled for it.

    Wednesday, October 5, 2011 1:04 PM
  • Do I understand correctly that you send the OCSP request by using the openssl tool?


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, October 5, 2011 2:41 PM
  • Yes, that's right.
    Thursday, October 6, 2011 6:39 AM
  • OpenSSL expects that an OCSP signing certificate is issued by the same CA as the certificate being verified.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, October 6, 2011 11:25 AM
  • Thanks for the help, the problem is solved.

    Apparently I had to add -no_nonce to the OCSP requests or enable NONCE extension support in the OCSP server.

    Saturday, October 8, 2011 7:47 AM
  • Yes, by default Windows Online Responder does not support Nonce requests. However, you can enable it in the OCSP properties (in the ocsp.msc MMC snap-in).
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Saturday, October 8, 2011 4:13 PM