> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure IIS

> Verify IIS configuration on the OCSP and CA servers after the Online Responder role is installed.

Instructions for verifying IIS configuration after the Online Responder role is installed.

<Note>
  IIS is configured on both servers, but they host different virtual directories:

  * **OCSP server** — `ocsp` (created automatically when the Online Responder role is
    configured). On a **Standalone CA**, the OCSP server also hosts `CertEnroll` (created
    manually in Configure Online Responder, Step 2).
  * **CA server** — `CertEnroll` (created manually for an **Enterprise CA** in Configure CA
    Server for OCSP, "Serve the CRL via IIS").
</Note>

### Verify IIS on the OCSP Server

<Steps>
  <Step>
    Select **Start** > **Windows Administrative Tools** > **Internet Information Services (IIS)
    Manager**.
  </Step>

  <Step>
    In the **Connections** pane on the left, expand the server node and select **Sites** >
    **Default Web Site**.

    Verify that the following are listed under **Default Web Site**:

    * **ocsp** — present on both CA types.
    * **CertEnroll** — present on a **Standalone CA** OCSP server only.

    <Note>
      If the **ocsp** virtual directory is not present, re-run the AD CS Configuration Wizard via
      the Server Manager notification flag and configure the **Online Responder** role service.
      For a Standalone CA, if **CertEnroll** is not present, refer to Step 2 of the Configure
      Online Responder page.
    </Note>
  </Step>

  <Step>
    In the **Connections** pane, select **Default Web Site**. In the **Actions** pane on the
    right, select **Bindings...**.

    Verify that an HTTP binding exists on port **80**. The Online Responder uses HTTP (not
    HTTPS) for OCSP requests.

    <Note>
      The OCSP protocol communicates over HTTP on port 80 by default. Do not change this to
      HTTPS unless your environment specifically requires it and your clients are configured
      accordingly.
    </Note>
  </Step>

  <Step>
    Select **\[ Close ]** to close the **Site Bindings** window.
  </Step>
</Steps>

### Verify the CRL is Reachable

<Steps>
  <Step>
    Confirm the CRL is accessible over HTTP from the URL embedded in the CDP extension:

    * **Standalone CA** — served from the OCSP server:
      `http://<OCSP-server-IP>/CertEnroll/<CAName>.crl`
    * **Enterprise CA** — served from the CA server:
      `http://<CA-server-IP>/CertEnroll/<CAName>.crl`

    Open the URL in a browser, or run from the OCSP server:

    ```powershell theme={null}
    Invoke-WebRequest -Uri "http://<CRL-host-IP>/CertEnroll/<CAName>.crl" -UseBasicParsing
    Invoke-WebRequest -Uri "http://<CRL-host-IP>/CertEnroll/<CAName>+.crl" -UseBasicParsing
    ```

    <Check>
      Both the base CRL and the delta CRL (`+.crl`) should show `StatusCode : 200`. If the base
      CRL returns 200 but the delta returns 404, the IIS site hosting the CRL needs
      double-escaping enabled so it can serve the `+` in the delta filename — see "Serve the CRL
      via IIS (Enterprise CA)" on the Configure CA Server page. For a Standalone CA serving the
      CRL from the OCSP server, apply the same `allowDoubleEscaping` change to that server's
      `CertEnroll` virtual directory.
    </Check>
  </Step>
</Steps>
