Instructions for verifying IIS configuration after the Online Responder role is installed.
IIS is configured on both servers, but they host different virtual directories:
  • OCSP server: ocsp (created automatically when the Online Responder role is configured). On a Standalone CA, the OCSP server also hosts CertEnroll (created manually in Configure Online Responder, Step 2).
  • CA server: CertEnroll (created manually for an Enterprise CA in Configure CA Server for OCSP, “Serve the CRL via IIS”).

Verify IIS on the OCSP Server

1. Select Start > Windows Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections pane on the left, expand the server node and select Sites > Default Web Site. Verify that the following are listed under Default Web Site:
  • ocsp — present on both CA types.
  • CertEnroll — present on a Standalone CA OCSP server only.
If the ocsp virtual directory is not present, re-run the AD CS Configuration Wizard via the Server Manager notification flag and configure the Online Responder role service. For a Standalone CA, if CertEnroll is not present, refer to Step 2 of the Configure Online Responder page.
3. In the Connections pane, select Default Web Site. In the Actions pane on the right, select Bindings…. Verify that an HTTP binding exists on port 80. The Online Responder uses HTTP (not HTTPS) for OCSP requests.
The OCSP protocol communicates over HTTP on port 80 by default. Do not change this to HTTPS unless your environment specifically requires it and your clients are configured accordingly.
4. Select [ Close ] to close the Site Bindings window.
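The same checks can be scripted instead of clicked through in IIS Manager. The following is an added example, not part of the original page or of the AD CS tooling; it uses the WebAdministration module that ships with IIS on Windows Server and assumes the site is named Default Web Site. Because the Online Responder may register its ocsp node as an IIS application rather than a plain virtual directory, both object types are enumerated.

```powershell
# Added example: verify the IIS objects the manual steps above inspect.
# Assumptions: elevated PowerShell on the OCSP server, site name "Default Web Site",
# WebAdministration module available (installed with the IIS management tools).
Import-Module WebAdministration

$site         = 'Default Web Site'
$standaloneCa = $false   # set to $true on a Standalone CA OCSP server (CertEnroll must then exist too)

function Get-SiteChildNames {
    param([string]$SiteName)
    # The ocsp node may be an application or a virtual directory; collect both, strip the leading "/".
    $names = @()
    $names += Get-WebApplication      -Site $SiteName | ForEach-Object { $_.Path.TrimStart('/') }
    $names += Get-WebVirtualDirectory -Site $SiteName | ForEach-Object { $_.Path.TrimStart('/') }
    $names | Where-Object { $_ } | Sort-Object -Unique
}

function Test-HttpBindingOnPort80 {
    param([string]$SiteName)
    # bindingInformation looks like "*:80:" (ip:port:hostheader); protocol is http or https.
    $bindings = Get-WebBinding -Name $SiteName
    foreach ($b in $bindings) {
        $port = ($b.bindingInformation -split ':')[1]
        if ($b.protocol -eq 'http' -and $port -eq '80') { return $true }
    }
    return $false
}

$children = Get-SiteChildNames -SiteName $site
$expected = @('ocsp')
if ($standaloneCa) { $expected += 'CertEnroll' }

$ok = $true
foreach ($name in $expected) {
    # -contains is case-insensitive, matching IIS's own name handling
    if ($children -contains $name) {
        Write-Host "OK      $name is present under $site"
    } else {
        Write-Warning "MISSING $name under $site (found: $($children -join ', '))"
        $ok = $false
    }
}

if (Test-HttpBindingOnPort80 -SiteName $site) {
    Write-Host "OK      HTTP binding on port 80 exists"
} else {
    Write-Warning "No HTTP binding on port 80; OCSP clients expect plain HTTP on 80 by default"
    $ok = $false
}

if (-not $ok) { exit 1 }
```

If ocsp is reported missing, the remediation is the one in step 2 above (re-run the AD CS Configuration Wizard for the Online Responder role service); the script only reports, it does not change configuration.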

Verify the CRL is Reachable

1. Confirm the CRL is accessible over HTTP from the URL embedded in the CDP extension:
  • Standalone CA — served from the OCSP server: http://<OCSP-server-IP>/CertEnroll/<CAName>.crl
  • Enterprise CA — served from the CA server: http://<CA-server-IP>/CertEnroll/<CAName>.crl
Open the URL in a browser, or run from the OCSP server:
Invoke-WebRequest -Uri "http://<CRL-host-IP>/CertEnroll/<CAName>.crl" -UseBasicParsing
Invoke-WebRequest -Uri "http://<CRL-host-IP>/CertEnroll/<CAName>+.crl" -UseBasicParsing
Both the base CRL and the delta CRL (+.crl) should show StatusCode : 200. If the base CRL returns 200 but the delta returns 404, the IIS site hosting the CRL needs double-escaping enabled so it can serve the + in the delta filename — see “Serve the CRL via IIS (Enterprise CA)” on the Configure CA Server page. For a Standalone CA serving the CRL from the OCSP server, apply the same allowDoubleEscaping change to that server’s CertEnroll virtual directory.
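To turn the two Invoke-WebRequest calls above into a repeatable check that also tells the "delta 404" symptom apart from a host that is unreachable, here is an added example script. It is not from the original page; the <CRL-host-IP> and <CAName> values are placeholders you must replace, and the allowDoubleEscaping commands shown in comments assume the CRL is served from the CertEnroll virtual directory under Default Web Site, as this guide describes.

```powershell
# Added example: fetch the base and delta CRL, confirm each parses as a CRL, and
# diagnose the "base 200 / delta 404" double-escaping symptom described above.
# Assumptions: run from the OCSP server; replace the two placeholders below.
$CrlHost = '<CRL-host-IP>'
$CaName  = '<CAName>'

function Test-CrlUrl {
    param([string]$Uri)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    try {
        # -OutFile keeps the binary CRL intact; -PassThru still returns the response object
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -OutFile $tmp -PassThru -ErrorAction Stop
        # certutil -dump exits non-zero if the body is not a parseable CRL (e.g. an HTML error page)
        certutil -dump $tmp | Out-Null
        [pscustomobject]@{ Uri = $Uri; StatusCode = [int]$r.StatusCode; ValidCrl = ($LASTEXITCODE -eq 0) }
    } catch {
        # A 4xx/5xx throws; recover the status code when a response was received at all
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ Uri = $Uri; StatusCode = $code; ValidCrl = $false }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$base  = Test-CrlUrl -Uri "http://$CrlHost/CertEnroll/$CaName.crl"
$delta = Test-CrlUrl -Uri "http://$CrlHost/CertEnroll/$CaName+.crl"
$base, $delta | Format-Table -AutoSize

if ($base.StatusCode -eq 200 -and $delta.StatusCode -eq 404) {
    Write-Warning "Base CRL served but delta CRL returned 404: IIS is rejecting the '+' in the delta filename."
    Write-Warning "Enable allowDoubleEscaping on the CertEnroll virtual directory of the host serving the CRL."
    # On that host, with the WebAdministration module, the setting can be read and changed with:
    #   Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertEnroll' `
    #       -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping
    #   Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertEnroll' `
    #       -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true
    exit 1
}
elseif ($null -eq $base.StatusCode) {
    Write-Warning "No HTTP response from $CrlHost at all: check the IIS HTTP binding on port 80 and the firewall."
    exit 1
}
elseif (-not ($base.ValidCrl -and $delta.ValidCrl)) {
    Write-Warning "A URL returned content that certutil could not parse as a CRL; check the files in CertEnroll."
    exit 1
}
else {
    Write-Host "Base and delta CRL both served and parse as CRLs."
}
```

Validating the body with certutil matters because a 200 from a misconfigured site can be an HTML page rather than the CRL, which the two plain Invoke-WebRequest calls would not reveal.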