Revocation List configuration
I have done a lot of searching, and seen bits and pieces of how this needs to be accomplished, but I don't know how to put it all together. I have just started getting into a server administration role. I have taken on the task of migrating a webserver (Windows Server 2003 using CAC-based login to the site) to new hardware and OS (Windows Server 2008). Most of the new server infrastructure was set up before I got here, and the sticking point has been the CAC-based login with Revocation List configuration. I have researched the issue (OCSP responders, CRL lists, CAs, etc.).

The first question becomes: if I have a secure website that requires a digital certificate (CAC card) along with a regular login to the website, what is the best way to implement this? I want to implement OCSP, but do I need to set up an internal server as an OCSP responder? Do I HAVE to make the server an AD CA? If I don't need to set up either of these, what information do I need to access OCSP in conjunction with the webserver to get it to properly access the CRLs?

If I had to ask another question, it would be: what is step 1 through step X, what is the optimal server setup for setting up from scratch a webserver that requires digital certs (CAC)? Step1: build server, login... Step2:? Step3:? StepX: profit? ...What could be an alternate configuration if the optimal is not available...

In context with my lack of knowledge in start to finish of my own question, what questions should I be asking at this point?
May 6th, 2010 3:51pm

If you are using a CAC then you would be relying on the DoD PKI, not your own. Use their OCSP responders, CA certs, cards, etc.
May 14th, 2010 6:28pm
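
One way to confirm from the web server itself that the issuing PKI's revocation sources are usable without running a local OCSP responder or CA, as an added example that is not part of the original thread. It assumes a client certificate has been exported to the hypothetical path `C:\temp\client-cert.cer` and that the issuing PKI's root and intermediate CA certificates are already installed in the Windows certificate stores.

```powershell
# Added example (not from the thread): check that this server can validate a
# client certificate's revocation status using the responder and CRL URLs that
# the issuing CA embedded in the certificate.
param(
    # Hypothetical path to an exported client certificate (.cer, DER or Base64).
    [string]$CertPath = 'C:\temp\client-cert.cer'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# Print where the issuer publishes revocation data.
#   1.3.6.1.5.5.7.1.1 = Authority Information Access (carries the OCSP URL)
#   2.5.29.31         = CRL Distribution Points
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1' -or $ext.Oid.Value -eq '2.5.29.31') {
        Write-Output ("{0}:" -f $ext.Oid.FriendlyName)
        Write-Output $ext.Format($true)
    }
}

# Build the chain with online revocation checking, so Windows fetches
# OCSP responses / CRLs from the URLs above instead of trusting blindly.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$ok = $chain.Build($cert)

# Per-certificate results. Statuses worth watching for:
#   Revoked                 - the CA has revoked this certificate
#   RevocationStatusUnknown - no usable OCSP/CRL answer was obtained
#   OfflineRevocation       - the revocation URL could not be reached
#   UntrustedRoot           - the issuing root is not in the trusted store
foreach ($element in $chain.ChainElements) {
    Write-Output ("Subject: {0}" -f $element.Certificate.Subject)
    foreach ($status in $element.ChainElementStatus) {
        Write-Output ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

if ($ok) {
    Write-Output 'Chain built and revocation checked online: OK'
} else {
    Write-Output 'Chain validation failed; review the statuses listed above.'
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` result usually points at outbound network or proxy restrictions between the web server and the revocation URLs rather than at the certificate.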

This topic is archived. No further replies will be accepted.
