can be used to log on as that user. Enrollment agents must be issued an Enrollment Agent certificate to perform this task, but considering the power an enrollment agent has, these people must be highly trusted in the organization.
To mitigate the security concerns, Windows Server 2008 offers restricted enrollment agents. With this feature, administrators can configure smart card certificate templates to specify which users or groups an enrollment agent can enroll for a certificate. To do this, use the Restrict enrollment agents option in the Enrollment Agents tab of the CA server's Properties dialog box. By default, enrollment agents are not restricted.
An online responder (OR) enables clients to check a certificate's revocation status without having to download the CRL. To use an OR, you install the Online Responder role service when you install the CA role or later. You can install this role service on the same server as the CA role or on a different server, and it requires the Web Server role service.
After the OR role service is installed, it must be configured with these steps:
1. Configure an OCSP Response Signing certificate template. This certificate is used to sign the response the OR provides to certificate revocation queries. (OCSP stands for Online Certificate Status Protocol.)
2. Configure the CA to support the online responder. An Authority Information Access (AIA) extension is configured on a CA to indicate the OR's location.
3. Add the OCSP Response Signing Certificate template to the CA, and enroll the OR with this certificate.
4. Configure revocation for the OR, including the settings required for the OR to reply to certificate status requests.
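The exchange those four steps set up, shown as an added Python example that is not from the book: a client builds an OCSP request, the online responder answers it with a response signed by its delegated OCSP signing certificate, and the client accepts the answer only if that signer was issued by the CA and carries the OCSP Signing EKU (what the OCSP Response Signing template grants). It relies on the third-party `cryptography` library; the CA, responder and client certificates and all names (Demo-CA, Demo-OR, client1) are constructed in memory for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
def make_cert(cn, issuer_name, pub, signing_key, ocsp_signer=False):
    # ocsp_signer=True adds id-kp-OCSPSigning, the EKU the OCSP Response Signing template grants.
    now = datetime.datetime.utcnow()
    b = (x509.CertificateBuilder().public_key(pub).issuer_name(issuer_name)
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    if ocsp_signer:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

# Constructed demo PKI: an issuing CA, its delegated online responder (OR) and one client certificate.
ca_key, or_key, ee_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo-CA")])
ca_cert = make_cert("Demo-CA", ca_name, ca_key.public_key(), ca_key)
or_cert = make_cert("Demo-OR", ca_name, or_key.public_key(), ca_key, ocsp_signer=True)
ee_cert = make_cert("client1", ca_name, ee_key.public_key(), ca_key)
def client_request(cert, issuer):
    # Client side: the certificate is identified by issuer name hash, issuer key hash and serial number.
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(serialization.Encoding.DER)
def responder_answer(req_der, signer_cert, signer_key):
    # OR side: look the serial up and return a 'good' answer signed with the responder's own certificate.
    req = ocsp.load_der_ocsp_request(req_der)
    cert = {ee_cert.serial_number: ee_cert}[req.serial_number]  # KeyError: not issued by this CA
    now = datetime.datetime.utcnow()
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                          next_update=now + datetime.timedelta(hours=1), revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert).certificates([signer_cert])
            .sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))
def client_verify(resp_der, issuer):
    # Client side: trust the answer only if a CA-issued OCSP signing certificate signed it.
    resp = ocsp.load_der_ocsp_response(resp_der)
    signer = resp.certificates[0]
    issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,  # 1. the CA issued the signer
                               padding.PKCS1v15(), signer.signature_hash_algorithm)
    ekus = [e.value for e in signer.extensions if isinstance(e.value, x509.ExtendedKeyUsage)]
    if not any(ExtendedKeyUsageOID.OCSP_SIGNING in e for e in ekus):  # 2. else any CA-issued cert could answer
        raise ValueError("signer lacks the OCSP Signing EKU")
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,  # 3. the answer itself is signed
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status
```

A production client would additionally check this_update/next_update freshness and that the responder is reachable at the URL the CA's AIA extension advertises.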
Activity 11-7: Configuring an OCSP Response Signing Certificate Template
Time Required: 20 minutes
Objective: Configure an OCSP Response Signing Certificate template.
Description: Now that you have configured your CA to issue certificates via autoenrollment and Web enrollment, you want to configure an online responder to field certificate status requests instead of requiring clients to download the CRL.
1. Log on to Server1XX as Administrator and open Server Manager, if necessary.
2. If necessary, in the left pane, click to expand the Roles node and the Active Directory Certificate Services node.
3. Click Certificate Templates. In the right pane, right-click the OCSP Response Signing template and click Duplicate Template. Leave the Windows Server 2008, Enterprise Edition option button selected, and then click OK.
4. In the Properties of New Template dialog box, type OCSP-2008 in the Template display name text box, and then click the Publish certificate in Active Directory check box.
5. Click the Security tab, and then click the Add button. In the Select Users, Computers, or Groups dialog box, click Object Types. Click the Computers check box, and then click OK. Type server1XX and click Check Names. Click OK.
6. Click the Enroll and Autoenroll permissions in the Allow column, and then click OK.
7. The next step is to add the template to the CA. In the left pane of Server Manager, click the CA server node (w2k8adXX-Server1XX-CA). Right-click Certificate Templates, point to New, and click Certificate Template to Issue.
8. In the Enable Certificate Templates list box, click OCSP-2008, and then click OK.