Appendix A: Managing OCSP Settings with Group Policy

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Windows Server 2008 adds several new Group Policy settings for managing revocation checking for computers running Windows Vista SP1 and Windows Server 2008.

These new management settings include:

  • Adding OCSP responder URLs without reissuing certificates.

  • Changing the default revocation checking behavior.

  • Changing path validation settings.

Add OCSP Checking without Reissuing Certificates

After a certificate is issued, you cannot edit the authority information access extension to include an OCSP Responder URL for revocation checking. If you have issued many certificates, you may be unable to reissue all of the certificates to include the new OCSP URL in the authority information access extension.

Group Policy lets you add an OCSP URL for a specific root CA or subordinate CA certificate. If you set this policy on a computer that is running Windows Vista or Windows Server 2008 and an application (such as Microsoft Outlook) that uses the OCSP Responder URL crashes, install the hotfix in article 982416 (https://go.microsoft.com/fwlink/?LinkID=196889) in the Microsoft Knowledge Base.

To designate an OCSP Responder for an existing CA certificate

  1. Log on to a domain controller running Windows Server 2008 (or a computer running Windows Server 2008 with the Group Policy Management feature enabled) with a user account that can edit the certificate properties.

  2. Click Start, click Administrative Tools, and then click Group Policy Management Editor.

  3. In the console tree, expand Forest:ForestName, expand Domains, and then click Domain.

  4. In the details pane, right-click Default Domain Policy, and then click Edit.

Note

You can choose to implement the OCSP responder settings in any GPO.

  5. In the Group Policy Management Editor, in the console tree, expand Default Domain Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

    • If you are adding a Root CA certificate, right-click Trusted Root Certification Authorities, and then click Import.

    • If you are adding a subordinate CA certificate, right-click Intermediate Certification Authorities, and then click Import.

  6. In the Certificate Import Wizard, click Next.

  7. On the File to Import page, in the File name box, type the full path of the new root or subordinate CA certificate, and then click Next.

  8. On the Certificate Store page, click Next.

  9. On the Completing the Certificate Import Wizard page, click Finish.

  10. In the Certificate Import Wizard message box, click OK.

  11. In the details pane, right-click the newly imported certificate, and then click Properties.

  12. In the CAName Properties dialog box, on the OCSP tab, you can define the following options:

    • Disable CRLs.

    • Add a custom OCSP responder URL.

  13. In the CAName Properties dialog box, click OK.

  14. Close the Group Policy Management Editor.

  15. Close the Group Policy Management console.
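The following PowerShell script is an added example and not part of the Microsoft article: it lists which CA certificates in the machine stores already carry an OCSP URL in their authority information access extension (the ones that do not are the candidates for the GPO-supplied URL described above), then builds a chain with online revocation checking through CryptoAPI, which honours the policy-supplied OCSP URL. The certificate path in $LeafCertPath is an assumption; run it on a domain member after gpupdate /force.

```powershell
# Added example (not code from the Microsoft article). Assumes $LeafCertPath is a
# certificate issued by the CA whose OCSP URL you configured through Group Policy.
param([string]$LeafCertPath = 'C:\temp\leaf.cer')   # assumed path, adjust as needed

$AiaOid  = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension
$OcspOid = '1.3.6.1.5.5.7.48.1'   # id-ad-ocsp access method

function Get-OcspUrlFromAia {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid }
    if (-not $ext) { return $null }
    # Format($true) prints one "Access Method=... (OID)" block per AIA entry;
    # pick the URL that belongs to the OCSP access method.
    $text = $ext.Format($true)
    $m = [regex]::Match($text, "(?s)\($([regex]::Escape($OcspOid))\).*?URL=(\S+)")
    if ($m.Success) { return $m.Groups[1].Value } else { return $null }
}

# Part 1: which CA certificates can be checked via OCSP from the AIA alone?
# Certificates without an OCSP URL here depend on the GPO-supplied responder URL.
'Root', 'CA' | ForEach-Object {
    $store = $_
    Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object {
        $url = Get-OcspUrlFromAia $_
        New-Object PSObject -Property @{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            OcspInAia  = if ($url) { $url } else { '(none - relies on GPO URL)' }
        }
    }
} | Format-Table Store, OcspInAia, Subject -AutoSize

# Part 2: functional check. CryptoAPI builds the chain and fetches revocation data
# using the AIA URL or, when the GPO supplies one, the policy OCSP URL.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'       # fetch fresh OCSP/CRL data
$chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every CA in the chain too
$ok = $chain.Build($leaf)
"Chain build succeeded: $ok"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown or OfflineRevocation means no usable OCSP/CRL source
    # was reached: the policy did not apply, or the responder URL is not reachable.
    "{0,-28} {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```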

Changing the Default Revocation Checking Behavior

Group Policy lets you change the default revocation checking behavior for computers running Windows Vista and Windows Server 2008. You can choose to change the default preference of OCSP revocation checking over CRL checking. In addition, you can extend the validity period of OCSP responses and CRLs if there is a CA failure.

Note

As mentioned earlier, the default behavior is to use OCSP for revocation checking instead of CRLs if both methods are available in a certificate presented for validation.

To change the default revocation checking behavior

  1. Log on to a domain controller running Windows Server 2008 (or a computer running Windows Server 2008 with the Group Policy Management feature enabled) with a user account that can edit the snap-in that contains the revocation checking settings.

  2. Click Start, click Administrative Tools, and then click Group Policy Management Editor.

  3. In the console tree, expand Forest:ForestName, expand Domains, and then click Domain.

  4. In the details pane, right-click Default Domain Policy, and then click Edit.

  5. In the Group Policy Management Editor, in the console tree, expand Default Domain Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

  6. In the details pane, double-click Certificate Path Validation Settings.

  7. In the Certificate Path Validation Settings Properties dialog box, on the Revocation tab, you can define the following options:

    • Always prefer Certificate Revocation Lists over Online Certificate Status Protocol (OCSP) responses (not recommended).

    • Allow CRL and OCSP responses to be valid longer than their lifetime (not recommended).

  8. In the Certificate Path Validation Settings Properties dialog box, click OK.

  9. Close the Group Policy Management Editor.

  10. Close the Group Policy Management console.

Changing Path Validation Settings

Group Policy also lets you change the default settings for the building and validation of certificate chains. Group Policy lets you define:

  • Time-outs for downloading CA certificates and CRLs from designated URLs.

  • The interval for downloading cross-certification authority certificates.

In addition, you can enable or disable the update of certificates in the Microsoft Root Certificate Program and enable the retrieval of issuing CA certificates by using the authority information access extension during path validation.

To change the default path validation settings

  1. Log on to a domain controller running Windows Server 2008 (or a computer running Windows Server 2008 with the Group Policy Management feature enabled) with a user account that can edit the Certificate Path Validation Settings snap-in.

  2. Click Start, click Administrative Tools, and then click Group Policy Management Editor.

  3. In the console tree, expand Forest:ForestName, expand Domains, and then click Domain.

  4. In the details pane, right-click Default Domain Policy, and then click Edit.

  5. In the Group Policy Management Editor, in the console tree, expand Default Domain Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

  6. In the details pane, double-click Certificate Path Validation Settings.

  7. In the Certificate Path Validation Settings Properties dialog box, on the Network Retrieval tab (see Figure 6), you can define the following options:

    • Automatically update certificates in the Microsoft Root Certificate Program (recommended)

    • Default URL retrieval timeout (in seconds): Default = 15

    • Default path validation cumulative retrieval timeout (in seconds): Default = 20

    • Allow issuer certificate (AIA) retrieval during path validation (recommended)

    • Cross-certificates download interval (in hours): Default = 168

  8. In the Certificate Path Validation Settings Properties dialog box, click OK.

  9. Close the Group Policy Management Editor.

  10. Close the Group Policy Management console.
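As an added example (not code from the Microsoft article), this PowerShell script compares the path validation values a client actually received through Group Policy with the defaults listed above, and times an online chain build against the cumulative retrieval timeout so that an unreachable CRL, OCSP or AIA URL shows up as a number instead of a vague delay. It assumes the policy UI writes to the ChainEngine\Config and AuthRoot policy keys with the value names used below (my reading of the chain engine configuration; confirm them on your own build), and that $LeafCertPath points to a certificate issued by your CA.

```powershell
# Added example, not from the Microsoft article. Registry key and value names are
# assumptions about where the Public Key Policies UI stores these settings.
param([string]$LeafCertPath = 'C:\temp\leaf.cer')   # assumed path

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$RootKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
# Defaults from the article, converted to the units the registry values use.
$Expected = @{
    ChainUrlRetrievalTimeoutMilliseconds                = 15000   # 15 s per URL
    ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds = 20000   # 20 s per chain
    CrossCertDownloadIntervalHours                      = 168     # one week
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null: policy not set, default applies
}

foreach ($name in $Expected.Keys) {
    $actual = Get-PolicyValue $PolicyKey $name
    $state = if ($actual -eq $null) { 'default' }
             elseif ($actual -eq $Expected[$name]) { 'set to default' }
             else { 'CHANGED' }
    "{0,-52} expected {1,6}  actual {2,-8} {3}" -f $name, $Expected[$name], $actual, $state
}

# DisableRootAutoUpdate = 1 means 'Automatically update certificates in the Microsoft
# Root Certificate Program' was switched off, which the article recommends leaving on.
$rootAuto = Get-PolicyValue $RootKey 'DisableRootAutoUpdate'
"Root Certificate Program auto-update disabled: {0}" -f ($rootAuto -eq 1)

# Time the chain build. The chain engine stops fetching once the cumulative timeout
# is hit, so a failed build that takes about that long points at an unreachable URL.
$cumulative = Get-PolicyValue $PolicyKey 'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds'
if ($cumulative -eq $null) { $cumulative = $Expected.ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds }
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$ok = $chain.Build($leaf)
$sw.Stop()
"Chain build ok={0} in {1} ms (cumulative retrieval timeout {2} ms)" -f $ok, $sw.ElapsedMilliseconds, $cumulative
if (-not $ok -and $sw.ElapsedMilliseconds -ge ($cumulative * 0.9)) {
    'Build ran into the cumulative timeout: verify the CRL/OCSP/AIA URLs in the chain are reachable from this host.'
}
```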

See Also

Other Resources

Online Responder Installation, Configuration, and Troubleshooting Guide