February 02, 2010 12:00 AM

Online Certificate Status Protocol (OCSP) in Windows Server 2008 and Vista

Newer versions of Windows can take advantage of OCSP and improve performance
Windows IT Pro
InstantDoc ID #103523

Testing the Online Responder Service
Now I'll create a new website in IIS to test the Online Responder using Internet Explorer.

  1. Open Internet Information Services Manager from Start, Administrative Tools.
  2. Click your server in the Connections pane, make sure Features View is selected in the central pane, and double-click Server Certificates.
  3. Select Create Domain Certificate under Actions in the right pane.
  4. In the Common Name box, enter the Fully Qualified Domain Name (FQDN) of the web server (in this case, the same machine as the CA, windc1.ad.contoso.com) and enter information for the rest of the fields as appropriate. Click Next to continue.
  5. Click Select to the right of Select Online Certificate Authority, choose your CA from the list and click OK.
  6. Under Friendly name, enter the FQDN of the server again and click Finish.
  7. Right-click your server under Connections and select Add Web Site from the menu.
  8. Name the site TEST and set the physical path to c:\inetpub\wwwroot. Change the binding type to HTTPS and select the SSL certificate you just created from the drop-down menu, as shown in Figure 8. Click OK to continue.

    Figure 8.



Before I try to access my new site using a secure channel, I'll check that the certificate issued by the CA contains the URL for the Online Responder.

  1. In the Certificates MMC, find the new certificate generated for IIS under Certificates (Local computer), Personal, Certificates.
  2. Right-click the certificate and select All Tasks, Export.
  3. Follow through the export wizard, leaving all the default options, and save the certificate as certificate.cer to a convenient location.
  4. Open a command prompt in the directory where you saved the exported certificate and launch the URL Retrieval Tool by typing
    certutil -url certificate.cer
    
  5. In the Retrieve section of the tool in the bottom right corner, select OCSP (from AIA) and click Retrieve. If the certificate contains a URL for the OCSP Responder, it should display as Verified, as shown in Figure 9.

    Figure 9.



Now I'll use Internet Explorer to access the TEST website and check the CryptoAPI logs to see if OCSP is used to successfully provide revocation data about the certificate.

  1. Type eventvwr into Start Search on the Start menu and press Enter.
  2. In the left pane, expand Applications and Services Logs, Microsoft, Windows, CAPI2. Right-click Operational under CAPI2 and select Enable Log from the menu.
  3. Open Internet Explorer and type https://windc1.ad.contoso.com/ in the address bar.
  4. Right-click Operational in Event Viewer and select Refresh from the menu. In the central pane, look for Event ID 90, X509 Objects. Double-click the event and, on the Details tab under UserData, you should be able to find information about the OCSP response, as shown in Figure 10.

    Figure 10.



Figure 10 shows that OCSP has determined our certificate is OK (OCSP_BASIC_GOOD_CERT_STATUS), and information about when this data was generated and the next time it will be updated.
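As an added example (not from the article), the last procedure above scripted in PowerShell: it enables the CAPI2 Operational log, requests the TEST site over HTTPS, and reports whether the resulting Event ID 90 entries carry the OCSP_BASIC_GOOD_CERT_STATUS status seen in Figure 10. The site URL and log name follow the article's lab; the function name Test-OcspViaCapi2 is my own, and the script assumes an elevated prompt.

```powershell
# Added example, not from the article: scripts the CAPI2 check from the steps above.
# Assumptions: the lab FQDN windc1.ad.contoso.com from the article and an elevated
# PowerShell prompt (needed to enable the log). Works on PowerShell 2.0 and later.

$LogName = 'Microsoft-Windows-CAPI2/Operational'
$SiteUrl = 'https://windc1.ad.contoso.com/'   # assumption: the article's TEST site

function Test-OcspViaCapi2 {
    param([string]$Url = $SiteUrl, [string]$Log = $LogName)

    # Step 2 of the last procedure: enable the CAPI2 Operational log.
    wevtutil.exe sl $Log /e:true | Out-Null

    # .NET skips revocation checking unless told otherwise; without this the
    # request would build the chain but never ask the Online Responder.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true

    # Step 3: fetch the site over HTTPS to force a chain build.
    $Start = Get-Date
    try {
        (New-Object System.Net.WebClient).DownloadString($Url) | Out-Null
    } catch {
        Write-Warning ("Request to {0} failed: {1}" -f $Url, $_.Exception.Message)
    }

    # Step 4: read Event ID 90 (X509 Objects) entries written since the request.
    $Events = @(Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 90; StartTime = $Start } `
                -ErrorAction SilentlyContinue)
    if ($Events.Count -eq 0) {
        Write-Warning "No Event ID 90 entries since $Start; is the log enabled?"
        return
    }

    # The event's UserData is XML; the status string from Figure 10 is searched
    # for directly rather than relying on the exact element names.
    foreach ($Event in $Events) {
        $Xml = $Event.ToXml()
        if ($Xml -notmatch 'OCSP') { continue }      # event carries no OCSP data
        New-Object PSObject -Property @{
            TimeCreated = $Event.TimeCreated
            OcspGood    = ($Xml -match 'OCSP_BASIC_GOOD_CERT_STATUS')
        }
    }
}

Test-OcspViaCapi2 | Format-Table -AutoSize
```

If a re-run shows no OCSP data at all, CryptoAPI is most likely serving the chain from its URL cache; `certutil -urlcache * delete` clears it so the next request goes back to the responder.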

OCSP Limitations
OCSP support from all the major public CAs allowed certificate revocation checking to be enabled in Internet Explorer for the first time in Windows Vista, providing a greater level of trust when surfing the web. While OCSP doesn't offer a solution for those working offline to check certificate revocation status, it enables checking in situations where slow connections may have ruled out certificate revocation checking altogether in the past. Online Responders, while only benefiting smaller organizations in specific scenarios, can help large PKIs scale out and make them more responsive.
