Configuring an Online Responder

If you decided to use online responders, you will need to finalize their configuration.
Online responders can create an array of systems to provide high availability for the service. An array can be as simple as two CAs acting as ORs (Online Responders), or it can include many more servers.

Use the buttons below to navigate through the lesson

To finalize the configuration of an online responder, you must configure and install an OCSP Response Signing certificate and configure an Authority Information Access extension to support it. After this is done, you must assign the template to a CA and then enroll the system to obtain the certificate.

Expand Active Directory Certificate Services and select Certificate Templates. Right click OCSP Response Signing. Right click and select Duplicate Template. Select Windows Server 2008 version and click OK. Assign Template name, ensure Publish certificate in Active Directory is selected. Select Security tab. Click Add. Select Object Types. Select Computers and click OK. Type in the Issuing CA’s name and click Check Names. Click OK. Select Read, Enrol and Autoenroll. Then click OK. The new template has been created.

Select the CA name. From the Action menu select Properties. Select the Extensions tab. Select Authority Information Access (AIA). Select the location beginning with HTTP://

Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes. Click OK. Click Yes to restart Certificate Services. Service will stop and restart. Right click Certificate Templates select New>Certificate template to Issue. Scroll down to find the certificate template. Select OCSP Response Signing 2008 and click OK. The server must be restarted to assign the new template.

After the restart, open an MMC. Select the File menu. Select Add/Remove Snap-in. Select Certificates and click Add. Select Computer Account and click Next. Select Local Computer and click Finish. Click OK. Expand Certificates. Expand Personal and click Certificates. Ensure that the OCSP Signing certificate has been assigned. If the certificate is not there, you will need to install it manually by right-clicking Certificates under Personal, choose All Tasks, and then select Request New Certificate. On the Certificate Enrollment page, click Next. Select the new OCSP certificate and click Enroll. Right click the OCSP certificate select All Tasks>Manage Private Keys. Select Add. Select the local server and click OK. Enter Network Services, Check names then click OK.  For Network Service allow Full Control permission. Click OK to complete. Your Online Responder is ready to provide certificate validation information.

You’ll note that the Online Responder node in Server Manager also includes an Array Configuration node. When you add other ORs, you can add them to this array configuration to provide high availability of the OR service. Complex environments using multitiered hierarchies will have large OR arrays to ensure that all their users and devices can easily validate their certificates.

Add a Revocation Configuration for an Online Responder

When the OR is ready, add a revocation configuration. Because each CA that is an OR in an array includes its own certificate, each also requires a revocation configuration.
The revocation configuration will serve requests for specific CA key pairs and certificates.
In addition, you need to update the revocation configuration for a CA each time you renew its key pair.

Right click Revocation Configuration and select Add Revocation Configuration. Click Next. Assign a name to the configuration and click Next. Select A Certificate For An Existing Enterprise CA and click Next. Choose Active Directory and click Browse. Choose Root Certificate and click OK. Choose Root Certificate and click OK. Click Next. Select Automatically Select A Signing Certificate and select Auto-Enroll for an OCSP signing certificate. Select Browse. Select the issuing CA and click OK. This should automatically select the template you prepared earlier. Click Next. Click Provider. Type in http://localhost/ca.crl and click OK. Repeat for delta crls Type in http://localhost/ca.crl and click OK. Click OK. Click Finish. The new service will be started.

You should now have a new revocation configuration listed in the details pane. Repeat this procedure for each CA that is an OR. Note the server is automatically added to the Array Configuration.