Can't get OCSP working in ADCS 2012R2

I created a Root CA for my domain and I can issue certificates, or have people request them via exampl.com/certsrv but OCSP is not working

certutil -url certificate.cer shows the certificate has the right URL for the CRL, but the CRL doesn't seem to be updated with revocations. Browsing to the CRL file on the CA server itself shows no revocations listed either. Can someone help me debug this?

Thanks

PS: OCSP URL should be cabox.example.com/CertEnroll/cabox.crl

homelabguy asked:

Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Did you configure OCSP properly on the Root CA? Follow the steps mentioned in the links below and let me know if it works. Also verify whether the configuration is working fine or not.

https://technet.microsoft.com/en-us/library/cc753253.aspx
https://technet.microsoft.com/en-in/library/cc772088.aspx

Thanks
Manikandan
homelabguy (Author) commented:
The steps in "To modify certificate data in a local CRL" don't match the UI I'm seeing. I tried what looks like the Server 2012 version of those steps based on the UI, but I get the attached error (firsttestfailed.png).
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Could you please confirm your steps against the link below. This is implemented with 2008, but definitely this will work with 2012 too.

http://windowsitpro.com/article/security/online-certificate-status-protocol-ocsp-in-windows-server-2008-and-vista--103523

Thanks
Manikandan
homelabguy (Author) commented:
It looks like I had to publish the CRL manually via the attached image containing screen shots. Does OCSP automatically publish revocations on a schedule or is there something broken that is preventing it from doing it automatically?

Also, what tool can I use to check the certificate and actually have it tell me that it was revoked? certutil -url certfile.cer just seems to verify that it can reach the CRL.

Thanks
revocation.png
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Revocation is checked for end users and computers through group policy. However, I don't think there is a custom schedule which we define for the same. To verify the revocation, I have already pasted a link in my previous post. I am re-posting it again.

https://technet.microsoft.com/en-in/library/cc753863.aspx
https://technet.microsoft.com/en-in/library/cc772088.aspx

Revocation
Thanks
Manikandan
homelabguy (Author) commented:
What does that last checkbox do exactly? Is there a good reason for enabling that?

I will try the group policy settings tonight.

Thanks so much!
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Here is the description of these 2 points:

Revocation of a certificate invalidates a certificate as a trusted security credential prior to the scheduled expiration of its validity period. A public key infrastructure (PKI) depends on distributed verification of credentials in which there is no need for direct communication with the central trusted entity that vouches for the credentials.
To effectively support certificate revocation, the client computer must determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory Certificate Services supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs in several locations for clients to access, including Active Directory Domain Services, Web servers, and network file shares. In Windows, revocation data can also be made available in a variety of settings through Online Certificate Status Protocol (OCSP) responses.

In addition, public key Group Policy allows administrators to enhance the use of CRLs and OCSP responders, particularly in situations where extremely large CRLs or network conditions detract from performance.

Thanks
Manikandan
homelabguy (Author) commented:
Right I got that part, but if I right click a certificate in the CA MMC and revoke it, should the CRL be updated automatically, or do I have to publish a new CRL manually as I did in my last screen shot?

Thanks
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

You have to publish it manually; there is no way to publish it automatically.

Thanks
Manikandan
homelabguy (Author) commented:
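Added example, not from the thread, covering the two open questions above: a tool that actually reports a certificate as revoked, and how a base CRL gets published. It assumes the certificate file path below (hypothetical) and the CRL file name from the question; the steps marked "On the CA" run on the CA server, the rest on any domain-joined client.

```powershell
# Added example (not from the thread). Replace the path with your own certificate.
$certPath = 'C:\temp\certfile.cer'          # hypothetical path to the cert to test

# 1. On the CA: read the scheduled base-CRL publication interval
#    (CRLPeriodUnits + CRLPeriod, e.g. "1 Weeks").
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 2. On the CA: publish a fresh base CRL immediately (what the screenshot did by hand).
#    A revocation made in the CA MMC appears in the CRL only after a publish.
certutil -crl

# 3. On the CA: list the serial numbers the published CRL actually contains.
certutil -dump "$env:windir\System32\CertSrv\CertEnroll\cabox.crl"

# 4. On a client: clear cached CRL/OCSP responses so the test does not use stale data.
certutil -urlcache * delete

# 5. On a client: build the full chain with live CRL/OCSP fetching; the output
#    includes a "Revocation check" result per certificate.
certutil -verify -urlfetch $certPath

# 6. Same check through .NET X509Chain, giving a machine-readable verdict.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'      # fetch revocation data, not cache-only
$chain.ChainPolicy.RevocationFlag = 'EntireChain' # check every cert in the chain
$valid = $chain.Build($cert)

foreach ($s in $chain.ChainStatus) {
    '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
if ($chain.ChainStatus.Status -contains 'Revoked') {
    'Certificate {0} is REVOKED' -f $cert.SerialNumber
} elseif ($valid) {
    'Certificate {0} is valid and not revoked' -f $cert.SerialNumber
} else {
    'Chain build failed for another reason; see the status lines above'
}
```

certutil -url only lists the CRL distribution point and AIA/OCSP URLs in the certificate and whether they are reachable; steps 5 and 6 actually evaluate revocation status against them.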
Oh ok. Good to know. Then I guess everything is working. Thanks so much for the help!