Windows 2008 PKI Combat 4: Revoking

The online revocation service is a new component introduced in Windows Server 2008. Is the Microsoft deployment of the OCSP protocol. This feature, coupled with the new OCSP answering service, is a big boost compared to CRL based revocation. The client's OCSP client has been redesigned for the schema, plus an OCSP responder. Additionally, the OCSP method has been integrated into Kerberos and SSL.

The new OCSP Responder is designed for extensibility purposes and can be deployed on a Certificate server or a fully detached computer. The service can also be applied to multiple clustered computers. The server-side component is flexible enough to obtain revocation information from multiple sources. The responder supports caching of Nonce and no-nonce requests.

Configuring OCSP and using a revocation demo

The deployment of an online responder consists of three steps: Installing an Online Responder service, preparing the environment, and configuring an online responder. The deployment of an online responder should be preceded by the deployment of the CA before the Terminal entity certificate is deployed. We installed OCSP on the first demo computer, so we'll examine the remaining steps in the deployment process. As part of the installation process, a virtual directory called OCSP is created in IIS, and the ISAPI extension used as a Web proxy is registered. You can register or not register a Web Proxy manually. Because Web Proxy registration occurs when OCSP is installed, we can use the following command to not register it, as shown in Figure 29.

Certutil-vocsproot Delete

We can use the Certutil-vocsproot command to register it. As shown in Figure 30.