How to set up a trusted OCSP responder in Windows Server 2008
Hi,

I'm using a third-party OCSP responder. I want to tell the Windows Server 2008 OCSP client to use this responder as a trusted responder whose public key will be trusted by the requester (the Windows Server 2008 OCSP client), as stated in RFC 2560, section 2.2, Response.

Thanks in advance,
Alberto
October 20th, 2009 12:46am

With Windows Server 2008 you may use the native OCSP responder that is installed as an AD CS role component: http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx

In general, to trust your responder you need to issue a certificate that is based on the OCSP Responder template and configure the responder to work with this CA.

[http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
October 20th, 2009 9:00am

Hi,

The part of the process that I was trying to clarify is the OCSP client side. For instance, in smart card logon, how do I configure Windows Server 2008 to trust the response from my OCSP responder when the KDC sends an OCSP request to verify that the login cert is not revoked? I want the Windows Server 2008 OCSP client to trust my responder. How do I accomplish that? I want my OCSP responder to be a Global or Trusted responder for the Windows Server 2008 OCSP client. RFC 2560, section 2.2, Response, states that one of the possible ways to sign a response is by using a Trusted Responder (Authorized Responder), sometimes called a Global Responder, whose public key is trusted by the requester. I think the process should be: install my OCSP Responder cert, based on the OCSP Responder template, in the Windows Server along with its root cert, but I haven't found any information related to this.

Thanks,
Alberto
October 20th, 2009 5:51pm

You don't need to configure the OCSP client side, only the server side. When you install the OCSP Responder component you should do the following:

1) On the Windows Server 2008 that is running AD CS (Certificate Services), add a new template to issue named OCSP Response Signing. Make sure the computer account has permissions to read and enroll certificates on this template. You can check this using the certtmpl.msc console.
2) On the computer with OCSP Responder installed, launch the Certificates console in the Local Computer context and manually enroll a certificate that is based on the OCSP Response Signing template.
3) When the certificate is enrolled, right-click on it -> All Tasks -> Manage Private Keys. Add Read permission for the Network Service account. Close the MMC console. The Online Responder will use this certificate to sign responses.
4) Open the Online Responder Management console (from Administrative Tools) and in Revocation Configuration create a new configuration.
5) Go through this wizard. In the Select Signing Certificate section make sure the CA is selected and the check box for autoenrollment is enabled.
6) When the configuration is created, go to Array Configuration, select this responder, right-click on it and select Set as Array Controller.
7) After this, you should see a message that the OCSP Responder is configured properly.
8) Open the CA console. Select the current CA's properties and switch to the Extensions tab. In Extensions select the AIA extension and add a new location, for example: http://ca.domain.com/ocsp, and enable "Include in the online certificate status protocol (OCSP) extension". Apply the changes and close all windows.

This is a short guide on how to set up OCSP Responder on Windows Server 2008. Run the pkiview.msc console to ensure everything works correctly.

What next? As mentioned, this enrolled certificate will be used by the OCSP responder. How to trust this signature? Just make sure the CA certificate is installed in Trusted Root CAs in the local computer store. In a domain environment this can be done using group policy.

When the OCSP client receives a response from the OCSP responder, the signing certificate is passed through the certificate chaining engine. This certificate must chain up to the same CA as the certificate being checked (in your example, the Smart Card Logon certificate). Your OCSP responder may be used for several CAs. You will need to issue an OCSP Response Signing certificate for each CA and create a new revocation configuration. This will ensure that the response signature will be considered valid (since it chains to the same CA as the certificate being checked).

Please let me know if something is unclear to you.
October 20th, 2009 8:12pm

Hi,

First of all, thanks for your explanation. The problem is that I'm using a third-party OCSP Responder for Linux. The CA is also a third-party CA issuing the OCSP signing certificate. My concern is related to the fact that I would like to use only one certificate to sign all responses, one that can be used in smart card login, email and web authentication, etc. Windows Server will be used for logical access and email and web authentication only; the OCSP Responder and the CA will be done by third parties. In those cases, the OCSP client part of Windows Server will query the OCSP Responder to find the validity of the certificates. I could use the root certificate that signed the smart card login certificate to sign the OCSP response, but I have several root certificates for different smart cards, so I would have to go through the process of installing all of them in the Windows Server DC for that to work. That's why, following RFC 2560, I found that I can delegate this responsibility by issuing a cert with id-kp-OCSPSigning in the extendedKeyUsage whose public key is trusted by the requester (in this case the Windows Server DC OCSP client). My question is how to work with these three components together, a third-party OCSP Responder, a third-party CA, and a Windows Server DC being used for logical access, by using only one OCSP signing cert issued by my third-party CA that can be trusted by the Windows Server OCSP client (i.e., in the smart card logon process).

Thanks a lot,
Alberto
October 20th, 2009 10:31pm

If your OCSP responder is RFC-compliant, then it should do the same thing as the Windows-based OCSP responder. You need to contact your OCSP responder vendor to get more details about this.
October 20th, 2009 10:42pm
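The following is an added example, not code from the thread or from Microsoft's implementation. It models, with constructed certificates in Go's standard library, the trust rule the answer above states (the response signer must chain to the CA that issued the certificate being checked and carry id-kp-OCSPSigning) and Alberto's single "global" signer from a different third-party CA, which that rule rejects. All CA and certificate names are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate signed by parent; with parent == nil it is a self-signed CA root.
func mkCert(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root: signs itself and is allowed to sign others
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, err := x509.ParseCertificate(der) // also fails if creation above failed
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ResponderAccepted applies the rule from the reply: the signer must chain to the CA that issued the
// checked certificate and carry id-kp-OCSPSigning; Verify also checks the signature and validity period.
func ResponderAccepted(signer, issuingCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(issuingCA)
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}})
	return err == nil
}

// Demo models the thread: the smart card CA's own signer, a "global" signer from another CA, and a same-CA cert without the OCSP EKU.
func Demo() (sameCA, foreignCA, noEKU bool) {
	ocsp := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	smartCardCA, scKey := mkCert("Smart Card CA", nil, nil, nil)
	thirdPartyCA, tpKey := mkCert("Third-party CA", nil, nil, nil)
	ownSigner, _ := mkCert("OCSP Signer (Smart Card CA)", ocsp, smartCardCA, scKey)
	globalSigner, _ := mkCert("OCSP Signer (global)", ocsp, thirdPartyCA, tpKey)
	plainCert, _ := mkCert("Web server", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, smartCardCA, scKey)
	return ResponderAccepted(ownSigner, smartCardCA), ResponderAccepted(globalSigner, smartCardCA), ResponderAccepted(plainCert, smartCardCA)
}
```

Only the first scenario passes; the global signer fails because its chain ends at a CA other than the one that issued the smart card certificate, which is why the answer recommends one OCSP Response Signing certificate per CA.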

