Verify your environment meets these requirements before you configure the Online Responder.
This guide documents the separate CA and OCSP server architecture: the Online Responder and IIS are installed on a dedicated Windows Server, separate from the CA server. This is the recommended production architecture. A combined CA and OCSP server is supported, and the configuration steps are identical, but it is not recommended for production because it places the revocation responder on the same host as the issuing CA, so a compromise of that one host exposes both the issuing key path and the revocation service. Advanced topologies, such as a CA array or load-balanced responders, are out of scope for this guide.

CA type

This guide covers both Standalone CA and Enterprise CA configurations. Steps that apply to only one CA type are clearly marked. If a step has no label, it applies to both.
  • Standalone CA — Operates independently without Active Directory. The OCSP signing certificate is enrolled using an INF file and certreq, then manually approved on the CA. No domain membership is required.
  • Enterprise CA — Integrated with Active Directory. The OCSP signing certificate is enrolled from an AD certificate template. The CA server and OCSP server must be domain-joined before proceeding.
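The Standalone CA enrollment path described above (INF file, certreq, manual approval on the CA), shown end to end as an added example that is not part of the original guide. The CA config string, the responder's subject name and the work directory are placeholders; the key storage provider is also an assumption, because this page does not name the CryptoHub KSP installed by the AD CS integration, so the Microsoft software KSP stands in for it here.

```powershell
# Added example (not from the original guide): enrol an OCSP signing certificate
# from a Standalone CA with an INF file and certreq, as described above.
# Assumptions (placeholders, adjust to your environment):
#   $CaConfig    - the "<CAHost>\<CAName>" config string of the issuing CA
#   Subject      - the FQDN of the Online Responder
#   ProviderName - the KSP that holds the key; the CryptoHub KSP name is not given
#                  on this page, so the Microsoft software KSP is used as a stand-in
$CaConfig = 'ca01.example.com\Example-Standalone-CA'
$Work     = 'C:\ocsp-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

$inf = @'
[NewRequest]
Subject        = "CN=ocsp.example.com"
KeyAlgorithm   = RSA
KeyLength      = 2048
KeyUsage       = 0x80          ; digitalSignature only
MachineKeySet  = TRUE
Exportable     = FALSE
ProviderName   = "Microsoft Software Key Storage Provider"
RequestType    = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.9        ; id-kp-OCSPSigning

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty   ; id-pkix-ocsp-nocheck: relying parties skip revocation checks on this cert
'@
Set-Content -Path "$Work\ocsp.inf" -Value $inf -Encoding ASCII

# 1. Build the PKCS#10 request; the private key is generated in the named KSP.
certreq -new "$Work\ocsp.inf" "$Work\ocsp.req"

# 2. Submit to the Standalone CA. Without AD templates the request is left Pending;
#    certreq prints the RequestId, which steps 3 and 4 need.
certreq -submit -config $CaConfig "$Work\ocsp.req" "$Work\ocsp.cer"

# 3. On the CA, as a CA administrator, approve the pending request by RequestId.
$RequestId = 42   # replace with the RequestId printed by step 2
certutil -config $CaConfig -resubmit $RequestId

# 4. Back on the OCSP server, retrieve the issued certificate and bind it to its key.
certreq -retrieve -config $CaConfig $RequestId "$Work\ocsp.cer"
certreq -accept "$Work\ocsp.cer"

# 5. Confirm the certificate is in the machine store with its private key attached.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Steps 1, 2, 4 and 5 run on the OCSP server; step 3 runs on the CA. If step 5 shows HasPrivateKey as False, the certificate was accepted on a machine other than the one that generated the request, and the key pair must be recreated.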

Supported hardware

  • CryptoHub, 7.0.3.x or later.

Supported operating systems

  • Windows Server 2012 R2 (build 6.3.9600) or later

Required access

  • An account on the CryptoHub with administrator permissions to deploy new services.
  • Local administrator access on the Windows Server where you will install the Online Responder.

Network and firewall

  • Allow outbound TCP port 2001 (default Host API port) from the OCSP server to the CryptoHub, specified by FQDN (for example, cryptohub.example.com) or CIDR (for example, 10.0.0.0/24).
TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt the CryptoHub FQDN(s) from inspection. Configure the CryptoHub with a FQDN so the exemption applies.
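A check for both points above, as an added example that is not from the original guide: it confirms the outbound TCP path to the Host API port and then inspects the certificate the far end actually presents, which is how an inspecting proxy shows itself. The CryptoHub FQDN, the expected issuer name of its Host API server certificate and the optional client certificate thumbprint are placeholders from your own deployment.

```powershell
# Added example (not from the original guide): confirm the OCSP server can reach the
# CryptoHub Host API port and that no inspecting proxy sits in the TLS path.
# Assumptions (placeholders): the CryptoHub FQDN, the issuer you expect on its Host API
# server certificate, and optionally the thumbprint of this host's mutual-TLS client cert.
$CryptoHubFqdn   = 'cryptohub.example.com'
$HostApiPort     = 2001
$ExpectedIssuer  = 'CN=CryptoHub Root CA'     # issuer expected on the server certificate
$ClientCertThumb = $null                       # e.g. 'ABCD...'; $null = offer no client cert

# 1. Plain TCP reachability: catches a missing outbound firewall rule or bad DNS.
$tcp = Test-NetConnection -ComputerName $CryptoHubFqdn -Port $HostApiPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $HostApiPort to $CryptoHubFqdn is blocked (resolved to $($tcp.RemoteAddress))"
}

# 2. TLS handshake: capture the certificate the far end presents. An inspecting proxy
#    terminates the session and presents its own certificate, chained to the corporate
#    inspection CA instead of the CryptoHub issuer, and the mutual-TLS handshake fails.
$script:Presented = $null
$captureCert = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:Presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
    $true   # accept here; the issuer comparison below is the check that matters
}

$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($ClientCertThumb) {
    $clientCerts.Add((Get-Item "Cert:\LocalMachine\My\$ClientCertThumb")) | Out-Null
}

$client = New-Object System.Net.Sockets.TcpClient($CryptoHubFqdn, $HostApiPort)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $captureCert)
try {
    $ssl.AuthenticateAsClient($CryptoHubFqdn, $clientCerts,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    "Negotiated {0} with {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm
    if (-not $script:Presented) { $script:Presented = $ssl.RemoteCertificate }
} catch {
    # With mutual TLS the server may abort when no client certificate is offered;
    # the server certificate has normally been captured by then, so keep going.
    Write-Warning "Handshake did not complete: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $client.Dispose()
}

if (-not $script:Presented) { throw "No server certificate received from $CryptoHubFqdn" }
"Subject : {0}" -f $script:Presented.Subject
"Issuer  : {0}" -f $script:Presented.Issuer
"Thumb   : {0}" -f $script:Presented.Thumbprint

if ($script:Presented.Issuer -ne $ExpectedIssuer) {
    Write-Warning "Server certificate issued by '$($script:Presented.Issuer)', not '$ExpectedIssuer'."
    Write-Warning "A TLS-inspecting proxy is probably in the path; exempt $CryptoHubFqdn from inspection."
}
```

Run it from the OCSP server, not from a workstation, because the proxy exemption is evaluated per source. An issuer mismatch with a handshake failure is the signature of inspection; a handshake failure with the correct issuer points at the client certificate instead.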

Prerequisites

  • On the CA server, AD CS integration with CryptoHub is completed.
  • Enterprise CA only: A Domain Controller is available, and the CA server and OCSP server are both domain-joined.
  • IIS is installed on the OCSP server and, for an Enterprise CA, on the CA server as well. See the note below.
Why IIS is needed on both servers. The CA server and the OCSP server serve different HTTP endpoints, and both must be reachable by the clients that validate your certificates:
  • The CA server serves CertEnroll: the CRL files and the CA certificate. This is the CDP (CRL Distribution Point) URL embedded in every issued certificate.
  • The OCSP server serves the ocsp virtual directory: the Online Responder endpoint that clients query for real-time revocation status. This is the AIA OCSP URL embedded in every issued certificate.
For a Standalone CA, IIS is typically installed only on the OCSP server, and the CRL files are copied to it manually. For an Enterprise CA, the CA publishes and serves its own CRL, so IIS is required on the CA server as well.
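The prerequisites above, checked in one pass on the OCSP server, as an added example that is not part of the original guide. The CA server's FQDN, the CRL file name under CertEnroll and the CA type flag are placeholders for your deployment.

```powershell
# Added example (not from the original guide): check the OCSP server prerequisites
# listed above. Assumptions (placeholders): whether the deployment uses an Enterprise
# CA, the CA server's FQDN, and the CRL file name it publishes under CertEnroll.
$EnterpriseCa = $true
$CaFqdn       = 'ca01.example.com'
$CrlFileName  = 'Example-Enterprise-CA.crl'   # CertEnroll publishes <CA name>.crl

$results = [ordered]@{}

# Supported OS: Windows Server 2012 R2 is build 6.3.9600.
$os = Get-CimInstance Win32_OperatingSystem
$results['OS build 6.3.9600 or later'] = ([version]$os.Version -ge [version]'6.3.9600')

# Enterprise CA only: this host must be domain-joined before proceeding.
$cs = Get-CimInstance Win32_ComputerSystem
$results['Domain-joined (Enterprise CA only)'] = (-not $EnterpriseCa) -or $cs.PartOfDomain

# IIS and the Online Responder role service must be installed on this host.
foreach ($feature in 'Web-Server', 'ADCS-Online-Cert') {
    $results["Feature $feature installed"] = (Get-WindowsFeature -Name $feature).Installed
}

# Enterprise CA: IIS on the CA must serve the CRL at the CDP URL. Fetch it and let
# certutil parse it, so an HTML error page returned with HTTP 200 is not mistaken for a CRL.
if ($EnterpriseCa) {
    $crlUrl = "http://$CaFqdn/CertEnroll/$CrlFileName"
    $tmp    = Join-Path $env:TEMP $CrlFileName
    try {
        $resp = Invoke-WebRequest -Uri $crlUrl -UseBasicParsing -OutFile $tmp -PassThru -TimeoutSec 10
        $results["CRL served at $crlUrl"] = ($resp.StatusCode -eq 200)
        certutil -dump $tmp | Out-Null
        $results['Downloaded file parses as a CRL'] = ($LASTEXITCODE -eq 0)
    } catch {
        $results["CRL served at $crlUrl"] = $false
    }
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($results.Values -contains $false) {
    Write-Warning 'Fix the FAIL items before configuring the Online Responder.'
}
```

For a Standalone CA set $EnterpriseCa to $false; the CDP check is skipped because the CRL is copied to the OCSP server by hand rather than served by IIS on the CA.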

CryptoHub permissions

The CryptoHub identity used for this integration requires the following permissions in addition to those granted by the base AD CS integration:
  • CA
    • Keys:Delete
    • CertManage:Delete
  • OCSP
    • Keys:Export