Microsoft OCSP Integration Guide Preface

Preface

© 2010 SafeNet, Inc. All rights reserved.

Part Number: 007-011100-001 (Rev A, 03/2010)

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of SafeNet.

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address below.

SafeNet, Inc.

4690 Millennium Drive

Belcamp, Maryland 21017

USA

Limitations

This document does not include the steps to set up the third-party software. The steps given in this document must be modified accordingly. Refer to the Luna SA documentation for general Luna setup procedures.

Disclaimers

The foregoing integration was performed and tested only with the specific versions of equipment and software and only in the configuration indicated. If your setup matches exactly, you should expect no trouble, and Customer Support can assist with any missteps. If your setup differs, then the foregoing is merely a template and you will need to adjust the instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee success in setups that we have not tested.

Technical Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support.

SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization.

Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Technical Support Contact Information:

Phone: 800-545-6608, 410-931-7520

Email: support@safenet-inc.com

© SafeNet Inc. i


Table of Contents

Preface ... i

Chapter 1 Introduction ... 1
    Scope ... 3
    Supported Platforms ... 3
    Prerequisites ... 3
        Luna SA Setup ... 3
        Luna PCI Setup ... 3
        Microsoft OCSP Setup ... 3

Chapter 2 Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI ... 5
    Setting up Luna SA / Luna PCI for Online Certificate Status Protocol ... 5
    Before you install ... 5
    1. Setting up an Enterprise Root certificate authority ... 9
    2. Installing the Online Responder service ... 10
    3. Configuring the CA to issue OCSP Response Signing Certificates ... 10
        3.1 Configuring certificate templates for your test environment ... 10
        3.2 Making OCSP only accept a SafeNet Provider ... 11
        3.3 Configuring the CA to support the Online Responder service ... 12
    4. Creating a revocation configuration ... 12
        4.1 Verifying that the signing certificate is properly configured ... 13
        4.2 Modifying the Online Responder service to use Luna Hardware Security Modules ... 13
        4.3 Setting up a revocation configuration ... 14
    5. Verifying that OCSP works correctly ... 15
        5.1 Generate a Certificate Request ... 15
        5.2 Test the certificate's origin ... 15
        5.3 Verify the OCSP Server is Active ... 16


Chapter 1

Introduction

This document is intended to guide security administrators through the steps for Microsoft OCSP (Online Certificate Status Protocol) and Luna HSM integration. It also covers the information necessary to install, configure and integrate Microsoft OCSP with SafeNet Luna Hardware Security Modules (HSMs).

OCSP is a protocol which is used to provide real-time validation of a certificate's status. An OCSP responder is used to respond to certificate status requests and can issue one of three responses:

• Valid

• Invalid

• Unknown

The online responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates. The service evaluates the status requests for these certificates and sends back a signed response containing the requested certificate status information.

Understanding the Online Responder's Components

The Microsoft OCSP implementation is divided into client and server components (Figure 1). The client component is built into the CryptoAPI 2.0 library while the server component is introduced as a new service provided by the Active Directory® Certificate Services (AD CS) server role.

Figure 1: Microsoft Online Responder Components


Figure 2: After integrating LunaSA/ LunaPCI


OCSP Client

The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements the recommendation specified in the draft Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume scenarios.

Online Responder Service

The Online Responder is a Microsoft Windows NT® service (ocspsvc.exe) that runs with Network Service privileges. It performs the following operations:

• Manages the Online Responder configuration. The Online Responder provides a responder-wide set of attributes that can be configured. These attributes include public interfaces, access control settings, audit settings, and Web proxy cache settings. All the configuration information is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.

• Retrieves and caches revocation information based on configuration. Based on the revocation configuration, the Online Responder service can retrieve and cache revocation information such as CRLs and delta CRLs for future use. For more information, see Revocation Configuration.

• Signs responses. For each successful request, the Online Responder signs the response with a pre-acquired signing key. Luna SA and Luna PCI are used here for secure and fast signing of the response.

• Audits configuration changes. To conform to the Common Criteria requirements, all configuration changes of the Online Responder can be audited. For more information about audit settings, see Configuring the Online Responder.


Revocation Configuration

A revocation configuration is a set of definitions that configure the Online Responder service to respond to a certificate status request for a specific CA. Every Online Responder can have one or more revocation configurations. Revocation configurations include:

• CA certificate

• Signing certificate for OCSP responses

• Revocation provider specific configuration

Scope

This document outlines the steps to integrate Microsoft OCSP with Luna SA / Luna PCI.

Supported Platforms

The following platforms are supported for Luna SA v4.4.1 and Luna PCI v3.0:

• Windows Server 2008 R2

Prerequisites:

Luna SA Setup:

Please refer to the Luna SA documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started ensure the following:

• A Luna SA appliance and a secure admin password.

• A hostname for the Luna SA that is suitable for your network.

• Luna SA network parameters set to work with your network.

• The HSM on the Luna SA appliance initialized.

• Certificates created and exchanged between the Luna SA and your client system.

• A partition created on the HSM; remember the partition password, as it will later be used by Microsoft OCSP. Register the client with the partition and run the "vtl verify" command on the client system to display a partition from the Luna SA. The general form of the command on Windows is C:\Program Files\Luna SA > vtl verify.

• Partition "Activation" and "Auto Activation" enabled (partition policy settings 22 and 23; applies to Luna SA with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Luna PCI Setup:

Please refer to the Luna PCI documentation for installation steps and details regarding configuring and setting up the box on Windows systems. Before you get started ensure the following:

• Initialize the HSM on the Luna PCI appliance.

• Create a partition on the HSM that will later be used by Microsoft OCSP.

• Enable Partition "Activation" and "Auto Activation" (partition policy settings 22 and 23; applies to Luna PCI with Trusted Path Authentication [which is FIPS 140-2 level 3] only).

Microsoft OCSP Setup:

Microsoft OCSP must be installed on the target machine to carry on with the integration process. Installing the Online Responder service is covered in Chapter 2.

The following setup is required:


• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Domain Controller.

• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a Certificate Authority and OCSP Server.

• 1x Windows Server 2008 R2 Enterprise Edition machine, which will become a client to submit enrollment requests to the CA.

• Domain Administrator privileges.

The three machines utilized are denoted in the setup as follows:

OCSPDC: Windows Server 2008 R2 Enterprise Edition Domain Controller machine.

OCSPCA: Windows Server 2008 R2 Enterprise Edition Certificate Authority and OCSP Server machine.

OCSPClient: Windows Server 2008 R2 Enterprise Edition client machine.


Chapter 2

Integrating Microsoft Online Certificate Status Protocol with Luna SA / Luna PCI

Setting up Luna SA / Luna PCI for Online Certificate Status Protocol

To set up Luna HSMs for Online Certificate Status Protocol, perform the following:

Before you install

KSP must be installed on the Certificate Authority and OCSP Server in a separate step following completion of the main Luna SA / Luna PCI Client software installation.

Traverse to C:\Program Files\SafeNet.

Run the KspConfig.exe (KSP configuration wizard).

Double-click Register Or View Security Library on the left side of the pane.


Browse the library C:\Program Files\LunaSA\cryptoki.dll and click Register.

On successful registration you will receive the message Success registering the security library.


Double-click Register HSM Slots on the left side of the pane.

Enter the Slot (Partition) password.

Click Register to register the slot for Domain\User. On successful registration you will receive a confirmation message.

Also register the slot for NT_AUTHORITY\SYSTEM under Domain\User.


1. Setting up an Enterprise Root certificate authority

An enterprise root CA is used to issue certificates to the Online Responder service and to client computers, and to publish certificate information to the Active Directory Domain Services (AD DS).

a. Log on to OCSPCA as a Domain Administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. In the Roles Summary section (in the right-hand part of the window), click Add Roles.
d. On the welcome screen that appears, click Next.
e. When the Select Server Roles section appears, select Active Directory Certificate Services and click Next twice.
f. On the next screen, select the Certification Authority and click Next.
g. In the Specify Setup Type section, click Enterprise and then click Next.
h. On the Specify CA Type section, click Root CA and then click Next.
i. When the Set Up Private Key section appears, select Create a new private key and click Next.
j. In the Configure Cryptography for CA section, select and set up the provider you wish to use for the CA.


The following SafeNet providers are available for use (if they are installed and correctly set up, they will be displayed in the drop-down list under the Select a Cryptographic Service Provider heading):

- RSA#SafeNet Key Storage Provider

- DSA#SafeNet Key Storage Provider

- ECDSA_P256#SafeNet Key Storage Provider

- ECDSA_P384#SafeNet Key Storage Provider

- ECDSA_P521#SafeNet Key Storage Provider

Note: When using SafeNet providers ensure that you use a 'sha' hashing algorithm.

k. Once the provider has been selected and set up, click Next.
l. On the Configure CA Name, Set Validity Period and Certificate Database sections, accept the default values and click Next.
m. Finally the Confirm Installation Selections section will appear. Check that everything is correct and click Install.
n. Once the setup is complete, check that there were no errors and click Close.

2. Installing the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Control Panel > Administrative Tools > Server Manager.
c. Expand the Roles section (in the left-hand section) and click on Active Directory Certificate Services. In the bottom right-hand section, click Add Role Services.
d. In the Select Role Services section that appears, select Online Responder. A prompt appears asking you to install IIS 7.
e. Click Add Required Role Services and when the prompt disappears click Next twice.
f. In the Select Role Services section for Web Server (IIS), simply accept the default values and click Next.
g. In the Confirm Installation Selections section, check that everything is correct and click Install.
h. Once the set-up is complete, check that there were no errors and click Close.

3. Configuring the CA to issue OCSP Response Signing Certificates

Configuring a CA to support Online Responder services involves configuring certificate templates and issuing properties for OCSP Response Signing certificates. There are also other steps to be completed on the CA so that it can support the Online Responder and certificate issuing.

3.1 Configuring certificate templates for your test environment

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. In the Run dialog, type mmc and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section) and select it.
f. Click Add, and then click OK.
g. Under Console Root, expand the Certificate Templates snap-in. Listed in the middle section will be all the available certificate templates that you can make your CA issue.
h. Scroll down the list until you locate the OCSP Response Signing template, right-click it and click Properties.
i. In the pop-up dialog that appears, click the Security tab and click Add.
j. In the Select User, Computers, or Groups dialog that appears, type the name of the machine which is hosting the Online Responder service (in this case OCSPCA).
k. Click OK. It should not be able to locate the machine; instead another dialog will appear.
l. In this dialog, click Object Types, make sure the check-box next to Computers is selected and click OK.
m. Now re-enter OCSPCA in the Select User, Computers, or Groups dialog, if it is not already there, and click OK. The machine hosting the Online Responder will be added to the Group and user names area under the Security tab.
n. Click on OCSPCA in the Group and user names area.
o. In the Permissions area, make sure that the Read and Autoenroll check boxes are ticked.
p. Click Apply and then OK.

3.2 Making OCSP only accept a SafeNet Provider.

This can only be carried out using the SafeNet CNG CSP, which is referred to as the SafeNet Key Storage Provider.

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu, select Run.
c. Type mmc in the Run dialog and click OK.
d. In the mmc console that appears, select File > Add/Remove Snap-in…
e. In the Add or Remove Snap-Ins dialog box, find the Certificate Templates snap-in (under the Available snap-ins section). Click it, click Add >, then click OK.
f. Click on the Certificate Templates snap-in under Console Root and expand it. Listed in the middle section will be all the available certificate templates that you can make your CA issue. Scroll down the list until you locate the OCSP Response Signing template.
g. Right-click the OCSP Response Signing template and click Properties.

h. On the pop-up dialog that appears, click on the Cryptography tab.
i. By default, a radio button should be selected with Requests can use any provider on the client's machine next to it. Below this should be another radio button with Requests must use one of the following providers beside it. Select this radio button so that it becomes active.
j. A box below the two radio buttons becomes active. In this box select SafeNet Key Storage Provider.
k. Click Apply and then OK.

3.3 Configuring the CA to support the Online Responder service

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Certification Authority.
c. In the console tree (left-hand section), click on the CA. (It has a computer and a green tick next to it.)
d. Navigate to the Action menu and click Properties.
e. Select the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
f. Click Add and, in the Add Location dialog, type the following under Location:
g. http://<nameofcomputerhostingOCSPhere>/ocsp. For example, the address when using OCSPCA would be http://OCSPCA/ocsp.
i. On the Extensions tab:
   - Ensure that the URL that was just added to the locations area is highlighted.
   - Ensure that the check-boxes next to "Include in the AIA extension of issued certificates" and "Include in the online certificate status protocol (OCSP) extension" are ticked.
j. Click Apply and let the service restart.
l. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
m. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates you configured previously, then click OK.
n. Open Certificate Templates in the Certification Authority and verify that the modified certificate templates appear in the list.

4. Creating a revocation configuration

A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.


4.1 Verifying that the signing certificate is properly configured

a. Restart OCSPCA to enroll for certificates and make sure that the templates are correctly registered.
b. Log on to OCSPCA as a domain administrator.
c. From the Start menu, select Run.
d. In the Run dialog type mmc and click OK.
e. In the mmc console that appears, select File > Add/Remove Snap-in…
f. In the Add or Remove Snap-Ins pop-up dialog that appears, find the Certificates snap-in (under the Available snap-ins section).
g. Click on the snap-in and click Add.
h. In the dialog that appears, select the Computer Account radio button, then click Next.
i. In the Select Computer dialog, ensure that Local Computer is selected and click Finish.
k. Under the Console Root, expand the Certificates heading.
l. Select the Personal folder and expand it.
m. Select the Certificates folder. In the right-hand pane, a certificate should appear.
n. If there are numerous certificates, pick the one which matches your machine name. In the case of OCSPCA the certificate name will be something like OCSPCA-CA.
o. Right-click on the certificate and click Properties.
p. Under the General tab in the dialog box that appears, there is a section named Certificate Purposes.
q. The radio button next to Enable all purposes for this certificate will be selected by default; this needs to be changed. Select the radio button next to Enable only the following purposes.
r. Click Apply and then OK.

4.2 Modifying the Online Responder service to use Luna Hardware Security Modules.

To use OCSP in conjunction with Luna HSMs, the Online Responder service must be changed so that an HSM can be used to protect the OCSP signing keys.

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Services.
c. Locate the Online Responder Service in the list of services.
d. Right-click on the Online Responder Service and select Properties.
e. In the dialog box that appears select the Log on tab.

f. Under the Log on as heading, select the radio button next to Local System account. The Allow service to interact with desktop check box becomes active.
g. Select the check box.
h. Click Apply and then OK.
i. Back in the Services window, right-click on the Online Responder Service and click Restart.

4.3 Setting up a revocation configuration

a. Log on to OCSPCA as a domain administrator.
b. From the Start menu select Control Panel > Administrative Tools > Online Responder Management.
c. In the left-hand pane click Revocation Configuration.
d. In the right-hand pane, under Actions, click Add Revocation Configuration.
e. In the dialog box that appears, click Next on the "Getting started with adding a revocation configuration" section.
f. In the "Name the Revocation Configuration" section, type a name for the configuration in the text box. (For this walkthrough we will use Test.) Then click Next.
g. In the "Select CA Certificate Location" section, ensure that the radio button next to "Select a certificate for an Existing enterprise CA" is selected and click Next.
h. In the "Choose CA Certificate" section, ensure that the radio button next to "Browse CA certificates published in Active Directory" is selected and then click Browse.
i. In the Select Certification Authority dialog box that appears, select the CA (in this case OCSPCA) and click OK. Then click Next.
j. In the Select Signing Certificate section, ignore the default settings; instead make sure the radio button next to "Manually select a signing certificate" is selected, and click Next.
k. In the Revocation Provider section, click Finish. Once the wizard has completed, the status of the Online Responder will be shown in the Revocation Configuration Status box. It should say "Bad Signing on Array Controller".
l. To fix this, click on Array Configuration in the left-hand pane and expand it.
m. In the directory tree should be listed the CA that is being used, in this case OCSPCA.
n. Click on this.
o. Listed in the middle section should be the revocation configuration that was just created, in this case Test.
p. In the right pane, locate "Assign a signing certificate" and click on it. Listed in the dialog box that appears should be the certificate that was set up earlier.
q. Click on this and click OK.
r. Back in the Online Responder Management tool, under Actions in the right-hand section, click Refresh.

s. In the left-hand pane click on Online Responder: Computer Name and check that the Revocation Configuration Status is shown as Working.

5. Verifying that OCSP works correctly

5.1 Generate a Certificate Request

a. Log on to the OCSPClient machine and generate some certificate requests using the template structure below. (Try to use different vendors' cryptographic service providers.)

[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=OCSPClient"
HashAlgorithm = SHA1
KeyAlgorithm = RSA
KeyLength = 1024
ProviderName = "Provider that will be used here"
KeyUsage = 0xf0
MachineKeySet = True
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty

b. Copy and paste the above template into a Notepad file, making sure that the ProviderName variable is filled in correctly (with the speech marks around it).
c. Once the template has been successfully set up, save it as test.inf on the C:\ drive.
d. Open a command prompt and go to the local drive, in this case C:\. At the command prompt type certreq -new test.inf test.req; a certificate request called test.req will be generated and placed on the C:\ drive.
e. Next, at the command prompt type certreq -submit -attrib "CertificateTemplate:WebServer" test.req; a box will appear asking which CA to use. Click the OCSPCA entry and click OK. A file dialog will appear asking you to save the certificate to a file.
f. Type test in the File Name text box and click OK. After a short pause a message saying Certificate Successfully Generated will appear at the command prompt and a certificate file called test.cer will appear on the C:\ drive.

5.2 Test the certificate's origin

a. Now log on to OCSPCA and go to the Certification Authority tool by browsing to Start > Control Panel > Administrative Tools > Certification Authority.
b. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then right-click on the Revoked Certificates folder, point to All Tasks, and click Publish.
c. Open the Certification Authority snap-in and right-click on the CA, to remove all CRL distribution point extensions from the issuing CA.
d. In the pop-up menu that appears, click Properties.

e. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
f. Click any CRL distribution points that are listed, click Remove, and click OK.
g. Now click Apply. A pop-up box will appear saying you need to restart the service.
h. Click OK and watch the service restart.
i. Using the certificate called test.cer that was generated earlier on the OCSPClient machine, verify that clients can still obtain revocation data. To do this, at a command prompt on OCSPClient, type: certutil -url test.cer
j. In the URL Retrieval Tool dialog box that appears, click the radio button next to CRLs (From CDP) and click Retrieve. The list should be empty.
k. Click the radio button next to OCSP (From AIA) and click Retrieve. The list should contain an OCSP entry showing the web address of your OCSP server. If it is working correctly, the word Verified should appear in the first column in the list.
l. Click the radio button next to Certs (from AIA) and click Retrieve. One or two entries should be listed, with Verified next to them. If Certificate Authority Web Enrollment is not installed on the CA, an entry with AIA may display as Failed. However, as long as one of the entries in the Certs (from AIA) section reads Verified there should be no problems with the set-up.

5.3 Verify the OCSP Server is Active

a. Open a command prompt and select the local drive, in this case C:\. At the command prompt type certutil -verify test.cer > test.txt.
b. When the Verify command has completed, open the test.txt file on the C:\ drive. It should contain information of this kind:

Issuer:

CN=LunaOCSP-OCSPCA-CA

DC=LunaOCSP

DC=com

Subject:

CN=OCSPClient

C=IN

Cert Serial Number: 6165202e000000000002

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

HCCE_LOCAL_MACHINE

CERT_CHAIN_POLICY_BASE

-------- CERT_CHAIN_CONTEXT --------

ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0

Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com

NotBefore: 2/23/2010 3:04 AM

NotAfter: 2/23/2012 3:04 AM


Subject: CN=OCSPClient, C=IN

Serial: 6165202e000000000002

Template: WebServer

57 74 00 3f e4 37 97 87 de c3 19 67 53 68 ab ed ee 19 1c 00

Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CRL 02:

Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com

79 ab 66 69 d0 f1 7c a0 fa 6a fc a9 12 5a 37 5c 97 ad 28 9d

Delta CRL 02:

Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com

6b a4 ad ba 47 ce 6a fb 8e 4c 2c ac 97 5d f3 dc 24 4a ee d0

Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0

Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com

NotBefore: 2/22/2010 9:29 PM

NotAfter: 2/22/2015 9:39 PM

Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com

Serial: 4a5e361fb0efa3844bed61bde4bcf7c2

6a a9 1a 14 21 12 19 49 f7 de 87 cc 5a 56 4d ae 83 31 cb 1a

Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)

Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)

Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:

f3 3f 43 dd dd 8e 07 8d 49 20 87 a8 a9 a0 b5 12 cb d8 87 41

Full chain:

43 13 27 df 64 d7 43 b0 88 f7 4d 97 1b 50 0a 46 8e ca 36 fb

------------------------------------

Verified Issuance Policies: None

Verified Application Policies:

1.3.6.1.5.5.7.3.1 Server Authentication

Leaf certificate revocation check passed

CertUtil: -verify command completed successfully.

c. Ensure that the last part of the verify command's output reads something like this:

Verified Issuance Policies: None

Verified Application Policies:

1.3.6.1.5.5.7.3.1 Server Authentication

Leaf certificate revocation check passed

CertUtil: -verify command completed successfully.

This shows that the OCSP Server is working correctly and there were no errors. The most important part of the above example is the Leaf certificate revocation check passed line, as this shows that the OCSP server is returning the certificate status as 'Good'. If the log generated by the verify command does not include the above section (or something like it) and contains errors in the main body of the output, like the example below, restart the OCSP server and client machines and re-run the verify command on the certificate file.
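The check described in step c can be automated so that a monitoring job, rather than a person, reads the verify log. The following is an added example and not part of the guide: it parses a certutil -verify dump of the shape shown above (the SAMPLE_OUTPUT string is a constructed, abridged copy of that dump) and reports success only when every chain element has dwErrorStatus=0, the leaf revocation check passed, and certutil reported completion. The run_certutil_verify helper is an assumption about how you would obtain the text on a Windows host.

```python
import re
import subprocess

# Constructed sample: an abridged certutil -verify dump in the shape the guide shows.
SAMPLE_OUTPUT = """\
Cert Serial Number: 6165202e000000000002
ChainContext.dwRevocationFreshnessTime: 14 Minutes, 35 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
  Subject: CN=OCSPClient, C=IN
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
  Subject: CN=LunaOCSP-NOI1-501330-CA, DC=LunaOCSP, DC=com
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
"""

# One line per chain element; the status words are printed in hex without a 0x prefix.
ELEMENT_RE = re.compile(
    r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)")


def run_certutil_verify(cert_path):
    """Assumed helper: run certutil -verify on a Windows host and return its stdout."""
    proc = subprocess.run(["certutil", "-verify", cert_path], capture_output=True, text=True)
    return proc.stdout


def parse_verify_output(text):
    """Extract chain elements, revocation freshness and the two closing status lines."""
    result = {"elements": [], "freshness": None,
              "leaf_revocation_passed": False, "completed": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = ELEMENT_RE.match(line)
        if m:
            result["elements"].append({
                "chain": int(m.group(1)), "index": int(m.group(2)),
                "info": int(m.group(3), 16), "error": int(m.group(4), 16)})
        elif line.startswith("ChainContext.dwRevocationFreshnessTime:"):
            result["freshness"] = line.split(":", 1)[1].strip()
        elif line == "Leaf certificate revocation check passed":
            result["leaf_revocation_passed"] = True
        elif line.startswith("CertUtil: -verify command completed successfully"):
            result["completed"] = True
    return result


def ocsp_check_ok(text):
    """True only when no element carries an error status and both closing lines are present."""
    r = parse_verify_output(text)
    return (bool(r["elements"]) and all(e["error"] == 0 for e in r["elements"])
            and r["leaf_revocation_passed"] and r["completed"])
```

A nonzero dwErrorStatus on any element, or a missing "Leaf certificate revocation check passed" line, makes ocsp_check_ok return False, which is the condition under which the guide tells you to restart the OCSP server and client and re-run the verify command.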


