> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Before you start

> Pre-deployment requirements, recommended architecture, CA-type differences, and CryptoHub permissions for the Microsoft OCSP with IIS integration.

Verify your environment meets these requirements before you configure the Online Responder.

## Recommended architecture

<Note>
  This guide assumes the Online Responder and IIS are installed on a dedicated Windows Server
  separate from the CA server. This is the recommended production architecture. If you are
  installing the Online Responder on the same server as your CA, the steps are identical, but
  note that this configuration is not recommended for production environments.
</Note>

This guide documents the **separate CA and OCSP servers** architecture. A combined CA and OCSP
server is supported, but it is not recommended for production environments because it places the
revocation responder on the same host as the issuing CA. Advanced topologies, such as a CA array
or load-balanced responders, are out of scope for this guide.

## CA type

<Note>
  This guide covers both **Standalone CA** and **Enterprise CA** configurations. Steps that
  apply to only one CA type are clearly marked. If a step has no label, it applies to both.

  * **Standalone CA** — Operates independently without Active Directory. The OCSP signing
    certificate is enrolled using an INF file and `certreq`, then manually approved on the CA.
    No domain membership is required.
  * **Enterprise CA** — Integrated with Active Directory. The OCSP signing certificate is
    enrolled from an AD certificate template. The CA server and OCSP server must be
    domain-joined before proceeding.
</Note>

## IIS requirements

The servers that require IIS depend on your CA type. IIS installation is covered in this guide.

* **CA server** serves `CertEnroll` — the CRL files and CA certificate. This is the CDP
  (CRL Distribution Point) embedded in every issued certificate.
* **OCSP server** serves `ocsp` — the Online Responder endpoint clients query for real-time
  revocation status. This is the AIA OCSP URL embedded in every issued certificate.

For a **Standalone CA**, IIS is typically only required on the OCSP server. CRL files are copied
there manually. For an **Enterprise CA**, the CA publishes and serves its own CRL, so IIS is
required on the CA server as well.

## Supported hardware

* CryptoHub, `7.0.3.x` or later.

## Supported operating systems

* Windows 2012 R2 (6.3.9600) or later

## Required access

* An account on the CryptoHub with administrator permissions to deploy new services.
* Local administrator/root access on the Windows Server where you will install the Online Responder.

## Network and firewall

* Allow outbound TCP port **2001** (default Host API port) from the OCSP server to the
  CryptoHub, specified by FQDN (for example, `cryptohub.example.com`) or CIDR (for example,
  `10.0.0.0/24`).

<Warning>
  TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt the CryptoHub FQDN(s)
  from inspection. Configure the CryptoHub with a FQDN so the exemption applies.
</Warning>

## Prerequisites

* On the CA server, AD CS integration with CryptoHub is completed.
* **Enterprise CA only:** A Domain Controller is available, and the CA server and OCSP server
  are both domain-joined.
