How to Set Up OCSP Responder on Windows Server 2012 R2

The Online Certificate Status Protocol (OCSP, RFC 6960) lets a client ask about the revocation status of one specific certificate instead of downloading the issuer's whole Certificate Revocation List (CRL), which can grow to megabytes in a large PKI. The client sends a small request that identifies the certificate and gets back a signed response. Windows Server 2012 R2 ships an Online Responder role service within Active Directory Certificate Services (AD CS) that answers these requests. Note what the Microsoft responder does not do: it does not query the CA's certificate database. Its revocation provider downloads the CA's base and delta CRLs and answers from them, so an OCSP answer is only as fresh as the last CRL the responder fetched. This guide covers deploying the responder and integrating it with an existing Enterprise CA.

Prerequisites

– Windows Server 2012 R2 with AD CS role installed
– An existing Enterprise CA (Corp-Issuing-CA-01)
– IIS Web Server role (OCSP Responder uses an IIS endpoint)
– An OCSP signing certificate template published on the CA
– A DNS name for the responder (e.g., pki.corp.local; the endpoint will be http://pki.corp.local/ocsp)
– Network access from PKI clients to the responder on TCP port 80. Serve OCSP over plain HTTP: an HTTPS-only endpoint forces clients to check the revocation status of the responder's own TLS certificate before they can ask about anything else, and clients will fail or skip the check rather than loop
– HTTP access from the responder to the CA's CRL distribution point, because the responder answers from the CA's CRLs
– Enterprise Admins membership, or delegated rights to manage certificate templates, publish them on the CA and administer the responder

Step 1: Install the OCSP Responder Role Service

# Install the Online Responder role service; this pulls in the IIS components it needs
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# The IIS management tools are useful for checking the endpoint later. Do not add -IncludeAllSubFeature:
# it installs FTP, WebDAV and every other IIS sub-feature on a host that only has to serve /ocsp
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools -IncludeManagementTools

# Configure the role (creates the OcspSvc service and the "ocsp" IIS application)
Install-AdcsOnlineResponder -Force

# Verify installation
Get-WindowsFeature ADCS-Online-Cert | Select-Object DisplayName, Installed
Get-Service OcspSvc | Select-Object Status, StartType

Step 2: Configure the OCSP Signing Certificate Template

The Online Responder needs a certificate specifically for signing OCSP responses (a delegated responder certificate in RFC 6960 terms). Clients accept it only if it was issued by the same CA whose certificates it answers for and carries the OCSP Signing EKU, so a responder that serves several CAs needs one signing certificate per CA:

# Create the OCSP Response Signing template
# This is done in Certificate Templates MMC (certtmpl.msc)
# Steps:
# 1. Duplicate the "OCSP Response Signing" built-in template
# 2. Name it "CorpOCSPSigning"
# 3. Validity: keep it short. The built-in template uses 2 weeks with a 2-day renewal period and the
#    responder renews automatically. Because the certificate carries id-pkix-ocsp-nocheck, clients never
#    check it for revocation, so a compromised signing key is only cut off by expiry
# 4. Subject: Build from Active Directory
# 5. Extensions: "OCSP No Revocation Check" (id-pkix-ocsp-nocheck) is already set by the parent template; keep it
# 6. Security: add the OCSP server's computer account with Read and Enroll
#    (the Online Responder service enrolls itself; computer autoenrollment is not what drives it)
# 7. Issuance Requirements: no CA certificate manager approval, or the responder cannot enroll unattended
# 8. Request Handling: leave "Allow private key to be exported" unchecked; the key should never leave the responder

# Publish the template on the Issuing CA (run on the CA)
Import-Module ADCSAdministration
Add-CATemplate -Name "CorpOCSPSigning" -Force
Write-Host "OCSP signing template published"

# The signing certificate is requested by the Online Responder service itself (running as NETWORK SERVICE)
# when the revocation configuration in Step 3 is created with auto-enrollment, so there is nothing to
# trigger with gpupdate or certutil -pulse. Once Step 3 is done, confirm the certificate arrived:
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains "OCSP Signing" } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

Step 3: Configure the OCSP Revocation Configuration

A Revocation Configuration maps the OCSP Responder to a specific CA. For each CA in your PKI, you create one revocation configuration on the OCSP Responder:

# Create the revocation configuration in the Online Responder MMC (ocsp.msc).
# certutil has no verb for this; scripted setups use the CertAdm.OCSPAdmin COM interface instead.

# Get the CA certificate (published to the Intermediate Certification Authorities store on domain members)
$caCert = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*Corp-Issuing-CA-01*" } |
    Select-Object -First 1
Write-Host "CA Cert Thumbprint: $($caCert.Thumbprint)"

# In the Online Responder MMC snap-in:
# 1. Open ocsp.msc
# 2. Revocation Configuration > Add Revocation Configuration
# 3. Name: Corp-Issuing-CA-01
# 4. "Select a certificate for an existing enterprise CA" > "Browse CA certificates published in Active Directory"
#    and pick Corp-Issuing-CA-01 (check the thumbprint printed above)
# 5. Signing certificate: "Automatically select a signing certificate" and "Auto-Enroll for an OCSP signing
#    certificate", CA: Corp-Issuing-CA-01, template: CorpOCSPSigning; set the hash algorithm to SHA256
# 6. Revocation provider: the Microsoft CRL-based provider. Under Provider > Base CRLs the CDP URL read from
#    the CA certificate is prefilled; add the HTTP CRL URL if only an LDAP one is listed, and add the delta
#    CRL URL if the CA publishes delta CRLs
# 7. Finish, then wait for the configuration's status to show "Working": that means a signing certificate was
#    obtained and the CRLs were fetched. The responder downloads CRLs itself, so the CDP URL must be reachable
#    from the responder, not just from clients

Write-Host "OCSP revocation configuration created"
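The same revocation configuration the ocsp.msc wizard creates, as an added scripted example that is not part of the original guide: it drives the CertAdm.OCSPAdmin COM interface (IOCSPAdmin, the API behind the console). The CA host name ca01.corp.local, the CRL URLs under http://pki.corp.local/CertEnroll/, the SHA256 choice and the flag values, which are the OCSP_SF_* constants as defined in the SDK header certadm.h, are assumptions to check against your environment; the CA name and template name come from the guide.

```powershell
# Added example, not the guide's own code. Assumed: CA host ca01.corp.local, CRLs under
# http://pki.corp.local/CertEnroll/, flag values as in certadm.h. Run on the responder as an administrator.
$responder    = $env:COMPUTERNAME
$caConfig     = "ca01.corp.local\Corp-Issuing-CA-01"   # assumed: "<CA host>\<CA common name>"
$baseCrlUrls  = [string[]]@("http://pki.corp.local/CertEnroll/Corp-Issuing-CA-01.crl")    # assumed CDP URL
$deltaCrlUrls = [string[]]@("http://pki.corp.local/CertEnroll/Corp-Issuing-CA-01+.crl")   # assumed delta CRL URL

# OCSP_SF_* flags as defined in certadm.h (verify the bit values against your SDK copy)
$SF_ALLOW_SIGNINGCERT_AUTORENEWAL    = 0x004   # switch to a renewed signing certificate automatically
$SF_FORCE_SIGNINGCERT_ISSUER_ISCA    = 0x008   # only accept a signing certificate issued by this CA
$SF_AUTODISCOVER_SIGNINGCERT         = 0x010   # let the service pick the signing certificate
$SF_RESPONDER_ID_KEYHASH             = 0x040   # ResponderID by key hash
$SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200   # let the service enroll from the template
$signingFlags = ($SF_ALLOW_SIGNINGCERT_AUTORENEWAL -bor $SF_FORCE_SIGNINGCERT_ISSUER_ISCA -bor
                 $SF_AUTODISCOVER_SIGNINGCERT -bor $SF_RESPONDER_ID_KEYHASH -bor $SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT)

$caCert = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "CN=Corp-Issuing-CA-01*" } | Select-Object -First 1
if (-not $caCert) { throw "Corp-Issuing-CA-01 certificate not found in the Intermediate Certification Authorities store" }

$admin = New-Object -ComObject CertAdm.OCSPAdmin
$admin.GetConfiguration($responder, $true)              # load the live configuration from the responder
$cfg = $admin.OCSPCAConfigurationCollection.CreateCAConfiguration("Corp-Issuing-CA-01", $caCert.RawData)
$cfg.CAConfig                   = $caConfig
$cfg.HashAlgorithm              = "SHA256"              # algorithm used to sign responses
$cfg.SigningCertificateTemplate = "CorpOCSPSigning"
$cfg.SigningFlags               = $signingFlags
$cfg.ProviderCLSID              = "{4956d17f-88fd-4198-b287-1e6e65883b19}"   # Microsoft CRL-based revocation provider

# The CRL-based provider takes its CRL locations from a property collection
$props = New-Object -ComObject CertAdm.OCSPPropertyCollection
$null  = $props.CreateProperty("BaseCrlUrls", $baseCrlUrls)
$null  = $props.CreateProperty("DeltaCrlUrls", $deltaCrlUrls)
$cfg.ProviderProperties = $props.GetAllProperties()

$admin.SetConfiguration($responder, $true)              # write it back; the service enrolls and fetches the CRLs

# Re-read and report; ErrorCode 0 means the CRLs were fetched and a signing certificate is in place
$admin.GetConfiguration($responder, $true)
$admin.OCSPCAConfigurationCollection | Select-Object Identifier, CAConfig, HashAlgorithm, ErrorCode
```

Enrollment of the signing certificate goes through the CA, so the responder's computer account needs Read and Enroll on CorpOCSPSigning (Step 2) and DCOM access to the CA. If ErrorCode stays non-zero, translate it with certutil -error <code> and confirm that the responder itself can download the CRL URLs you gave it.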

Step 4: Update the CA to Include OCSP AIA Extension

Certificates issued by the CA must include the OCSP URL in their Authority Information Access (AIA) extension so clients know where to send OCSP queries:

# Add the OCSP AIA to the Issuing CA
# Run this on the Issuing CA itself (the ADCSAdministration cmdlets act on the local CA)

Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp

# Remove the existing AIA entries and re-add them together with the OCSP URL.
# This wipes every AIA entry, including the default LDAP one, so keep the list printed above
# and re-add anything you still need.
Get-CAAuthorityInformationAccess | Remove-CAAuthorityInformationAccess -Force

# Add the CA certificate AIA (for chain building); %1 = CA server DNS name, %3 = CA name, %4 = certificate index
Add-CAAuthorityInformationAccess `
    -Uri "http://pki.corp.local/CertEnroll/%1_%3%4.crt" `
    -AddToCertificateAia -Force

# Add the OCSP AIA (tells clients where to send OCSP requests); plain HTTP, see Prerequisites
Add-CAAuthorityInformationAccess `
    -Uri "http://pki.corp.local/ocsp" `
    -AddToCertificateOcsp -Force

# Verify the AIA configuration
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp

# Restart the CA to apply the change
Restart-Service CertSvc
Write-Host "AIA updated. New certificates will include the OCSP URL."
Write-Host "Note: existing certificates are NOT updated. Clients keep using the CRL for them until they are reissued."

Step 5: Configure IIS for OCSP HTTP Endpoint

# Verify the OCSP virtual directory in IIS
Import-Module WebAdministration

# The role creates a virtual application "ocsp" under the Default Web Site, served by the
# Online Responder ISAPI extension; list it and its handler mappings
Get-WebApplication -Name "ocsp" | Format-List *
Get-WebHandler -PSPath "IIS:\Sites\Default Web Site\ocsp" | Format-Table Name, Path, Modules, ScriptProcessor

# Verify the endpoint answers. OCSP clients send the DER request in an HTTP POST body
# (Content-Type application/ocsp-request) or, per RFC 5019, base64-encoded in the GET path;
# the Microsoft responder supports both. A bare GET with no request in the path carries nothing
# to answer, so an error status back is expected; a connection failure or a 404 is not.
$ocspUrl = "http://pki.corp.local/ocsp"
try {
    $response = Invoke-WebRequest -Uri $ocspUrl -UseBasicParsing -Method Get
    Write-Host "OCSP endpoint status: $($response.StatusCode)"
} catch {
    Write-Host "OCSP endpoint: $($_.Exception.Message)"
}

# No MIME-type configuration is needed: the ISAPI extension sets the application/ocsp-response
# content type itself. Keep the site on port 80 and leave anonymous authentication enabled on the
# ocsp application; OCSP clients do not authenticate.

Step 6: Test OCSP Responses

# Test OCSP using certutil
# First, get a certificate issued by the CA
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Corp-Issuing-CA-01*" } |
    Select-Object -First 1

if ($cert) {
    # Export the cert for testing (public part only; the private key stays in the store)
    Export-Certificate -Cert $cert -FilePath "C:\Temp\test.cer" -Type CERT

    # Full revocation check: certutil fetches the AIA, CDP and OCSP URLs, prints 'Verified "OCSP"' when
    # the signed response validated and ends with "Leaf certificate revocation check passed"
    certutil -verify -urlfetch "C:\Temp\test.cer"

    # Interactive check: the URL Retrieval Tool lists the OCSP URL; click "Retrieve" next to it
    certutil -url "C:\Temp\test.cer"
}

# Check OCSP using openssl if available. The Microsoft responder ignores the nonce extension unless it was
# enabled in the revocation configuration, so pass -no_nonce or openssl warns "no nonce in response".
# Give it your root CA certificate (root.cer here) with -CAfile so it can verify the delegated signer.
# openssl ocsp -issuer issuer.cer -cert test.cer -url http://pki.corp.local/ocsp -no_nonce -CAfile root.cer -resp_text

# PowerShell OCSP test through the platform verifier (CryptoAPI)
function Test-OCSPResponse {
    param([string]$CertPath, [string]$IssuerPath)

    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuerPath)

    Write-Host "Certificate: $($cert.Subject)"
    Write-Host "Issuer: $($cert.Issuer)"
    Write-Host "Serial: $($cert.SerialNumber)"
    # The AIA extension (OID 1.3.6.1.5.5.7.1.1) carries the OCSP URL the client will use
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if ($aia) { Write-Host "AIA: $($aia.Format($true))" } else { Write-Warning "No AIA extension: clients cannot find the responder" }

    # Build the chain with online revocation checking; CryptoAPI prefers OCSP when the AIA has an OCSP URL
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $null = $chain.ChainPolicy.ExtraStore.Add($issuer)
    $valid = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) { Write-Host "  $($s.Status): $($s.StatusInformation)" }

    # certutil shows which URL actually answered and whether the response verified
    certutil -verify -urlfetch $CertPath
    return $valid
}
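A wire-level check of the exchange, added here as an example that is not part of the original guide: the script builds the OCSPRequest DER structure from RFC 6960 by hand (a CertID with SHA-1 hashes of the issuer name and key plus the serial number), POSTs it as application/ocsp-request, and decodes responseStatus and the certStatus of the first SingleResponse. It assumes C:\Temp\test.cer from Step 6, C:\Temp\issuer.cer as an export of the $caCert found in Step 3, and the responder URL http://pki.corp.local/ocsp; all three are assumptions. It deliberately does not verify the signature on the response or the responder certificate, so it tells you what the responder said, not whether to trust it.

```powershell
# Added example, not the guide's own code. Assumed inputs: C:\Temp\test.cer, C:\Temp\issuer.cer and the
# responder http://pki.corp.local/ocsp. Signatures are NOT verified; use certutil -verify -urlfetch for trust.

function New-DerTlv([byte]$Tag, [byte[]]$Content) {
    # DER tag + length + content; lengths up to 65535 bytes, which covers OCSP messages
    $len = $Content.Length
    if ($len -lt 0x80)      { $lenBytes = @([byte]$len) }
    elseif ($len -lt 0x100) { $lenBytes = @([byte]0x81, [byte]$len) }
    else                    { $lenBytes = @([byte]0x82, [byte]($len -shr 8), [byte]($len -band 0xFF)) }
    return [byte[]](@($Tag) + $lenBytes + $Content)
}

function New-OcspRequest([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
                         [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer) {
    $sha1     = [System.Security.Cryptography.SHA1]::Create()
    $nameHash = $sha1.ComputeHash($Issuer.SubjectName.RawData)               # issuerNameHash: SHA-1 over the DER issuer Name
    $keyHash  = $sha1.ComputeHash($Issuer.PublicKey.EncodedKeyValue.RawData)  # issuerKeyHash: SHA-1 over the subjectPublicKey bits
    # serialNumber as a minimal positive DER INTEGER
    $hex    = $Certificate.SerialNumber
    $serial = @(0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    while ($serial.Count -gt 1 -and $serial[0] -eq 0) { $serial = $serial[1..($serial.Count - 1)] }
    if ($serial[0] -ge 0x80) { $serial = @([byte]0) + $serial }
    $algId  = New-DerTlv 0x30 ((New-DerTlv 0x06 @(0x2B, 0x0E, 0x03, 0x02, 0x1A)) + (New-DerTlv 0x05 @()))  # sha1 + NULL
    $certId = New-DerTlv 0x30 ($algId + (New-DerTlv 0x04 $nameHash) + (New-DerTlv 0x04 $keyHash) + (New-DerTlv 0x02 $serial))
    # OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert CertID } } }; version v1 is omitted
    return New-DerTlv 0x30 (New-DerTlv 0x30 (New-DerTlv 0x30 (New-DerTlv 0x30 $certId)))
}

function Read-DerNodes([byte[]]$Bytes, [int]$Start, [int]$End) {
    # Walk the TLVs between $Start and $End (single-byte tags, which is all OCSP uses);
    # each node's Start is its first content byte
    $nodes = @()
    $pos = $Start
    while ($pos -lt $End) {
        $tag = [int]$Bytes[$pos]; $len = [int]$Bytes[$pos + 1]; $pos += 2
        if ($len -ge 0x80) {                     # long form: low 7 bits give the number of length bytes
            $n = $len -band 0x7F; $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos + $i] }
            $pos += $n
        }
        $nodes += [pscustomobject]@{ Tag = $tag; Start = $pos; Length = $len }
        $pos += $len
    }
    return ,$nodes
}

function Get-DerChildren([byte[]]$Bytes, $Node) { Read-DerNodes $Bytes $Node.Start ($Node.Start + $Node.Length) }

function Get-OcspStatus([byte[]]$Response) {
    $names  = @('successful', 'malformedRequest', 'internalError', 'tryLater', 'unused', 'sigRequired', 'unauthorized')
    $outer  = (Read-DerNodes $Response 0 $Response.Length)[0]    # OCSPResponse ::= SEQUENCE
    $fields = Get-DerChildren $Response $outer                    # responseStatus ENUMERATED, [0] responseBytes
    $status = [int]$Response[$fields[0].Start]
    $result = [ordered]@{ ResponseStatus = $names[$status]; CertStatus = $null; ThisUpdate = $null; RevocationTime = $null }
    if ($status -ne 0) { return [pscustomobject]$result }
    $rb     = (Get-DerChildren $Response $fields[1])[0]           # [0] EXPLICIT -> SEQUENCE { responseType OID, response OCTET STRING }
    $octets = (Get-DerChildren $Response $rb)[1]                  # the OCTET STRING holds the BasicOCSPResponse DER
    $basic  = (Get-DerChildren $Response $octets)[0]              # BasicOCSPResponse ::= SEQUENCE { tbsResponseData, sigAlg, signature, [0] certs }
    $tbs    = (Get-DerChildren $Response $basic)[0]
    # tbsResponseData: [0] version (optional), responderID ([1] byName | [2] byKey), producedAt, responses, [1] extensions
    $tbsFields = Get-DerChildren $Response $tbs
    $responses = $tbsFields | Where-Object { $_.Tag -eq 0x30 } | Select-Object -First 1
    $single = (Get-DerChildren $Response $responses)[0]           # first SingleResponse
    $sf     = Get-DerChildren $Response $single                   # certID, certStatus, thisUpdate, [0] nextUpdate, [1] extensions
    switch ($sf[1].Tag) {                                         # certStatus CHOICE, all IMPLICIT
        0x80    { $result.CertStatus = 'good' }
        0xA1    { $result.CertStatus = 'revoked'                  # RevokedInfo { revocationTime GeneralizedTime, [0] reason }
                  $rev = (Get-DerChildren $Response $sf[1])[0]
                  $result.RevocationTime = [Text.Encoding]::ASCII.GetString($Response, $rev.Start, $rev.Length) }
        0x82    { $result.CertStatus = 'unknown' }
        default { $result.CertStatus = 'unexpected tag 0x{0:X2}' -f $sf[1].Tag }
    }
    $result.ThisUpdate = [Text.Encoding]::ASCII.GetString($Response, $sf[2].Start, $sf[2].Length)
    return [pscustomobject]$result
}

function Invoke-OcspRequest([string]$CertPath, [string]$IssuerPath, [string]$OcspUrl) {
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuerPath)
    $body   = [byte[]](New-OcspRequest -Certificate $cert -Issuer $issuer)
    $wc = New-Object System.Net.WebClient
    $wc.Headers.Add('Content-Type', 'application/ocsp-request')
    $raw = $wc.UploadData($OcspUrl, 'POST', $body)              # the responder replies with application/ocsp-response
    $status = Get-OcspStatus -Response $raw
    $status | Add-Member -NotePropertyName Serial -NotePropertyValue $cert.SerialNumber -PassThru
}

Invoke-OcspRequest -CertPath 'C:\Temp\test.cer' -IssuerPath 'C:\Temp\issuer.cer' -OcspUrl 'http://pki.corp.local/ocsp'
```

A good answer with a recent ThisUpdate means the responder holds a current CRL and a signing certificate. An unauthorized responseStatus usually means no revocation configuration matches the CertID (wrong issuer file, or a CA this responder does not serve), and tryLater that the provider has no CRL yet. To see the other branch, revoke a test certificate on the CA, publish a new CRL and run it again: the answer stays good until the responder has fetched the new CRL, which is the CRL-backed latency to plan for.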

Step 7: Configure an Online Responder Array and Response Caching

# A single responder serves any number of CAs (a Root CA and a Subordinate CA included): add one
# revocation configuration per CA as in Step 3. High availability is a separate concern and is
# handled by an Online Responder Array, several responders sharing one set of revocation configurations.

# 1. Install the Online Responder role service on a second server (Step 1)
# 2. In ocsp.msc on the first server (the Array Controller): Array Configuration > Add Array Member,
#    enter the second server's name; the controller pushes its revocation configurations to the member
# 3. Give clients a single name (http://pki.corp.local/ocsp) that a load balancer or DNS round-robin
#    resolves to the array members, and keep that one URL in the AIA; a client handed a list of
#    responders has to time out on each dead one before trying the next

# Response caching
# The responder's web proxy caches signed responses. A cached response stays valid until the
# nextUpdate it carries, which follows the CRL's validity, so revocation latency is set by how often
# the CA publishes CRLs and how often the provider refreshes them, not by a cache TTL.
# Cache size and thread count are set in ocsp.msc: right-click Online Responder > Responder Properties >
# Web Proxy (Cache entries, default 5000; Web proxy threads, default 50).
# The responder keeps its settings under this key; inspect them here and make changes through the
# console rather than by editing values by hand:
$responderKey = "HKLM:\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder"
Get-ItemProperty -Path $responderKey

# Restart the service after changing responder properties
Restart-Service OcspSvc

Step 8: Monitor OCSP Health

# Monitor OCSP Responder health
Get-Service OcspSvc | Select-Object Status, StartType

# Operational events are written to the Application log by the Microsoft-Windows-OnlineResponder provider
# (for example a missing or expired signing certificate, or a CRL that could not be downloaded)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-OnlineResponder' } -MaxEvents 20 |
    Where-Object { $_.Level -le 3 } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# Audit events (service start/stop, configuration changes, requests received, signing-certificate renewal,
# revocation-information refresh) go to the Security log as IDs 5120-5127 once the audit filter is enabled
# in ocsp.msc (Responder Properties > Audit) and the "Audit Certification Services" subcategory is on
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5120, 5121, 5122, 5123, 5124, 5125, 5126, 5127 } -MaxEvents 20 |
    Format-Table TimeCreated, Id, Message -Wrap

# Check the signing certificate is valid and not expired
$ocspSigningCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains "OCSP Signing" }

foreach ($cert in $ocspSigningCert) {
    $daysUntilExpiry = ($cert.NotAfter - (Get-Date)).Days
    Write-Host "OCSP signing cert: $($cert.Subject)"
    Write-Host "Expires: $($cert.NotAfter) ($daysUntilExpiry days remaining)"
    if ($daysUntilExpiry -lt 2) {
        # With the template's 2-week validity and 2-day renewal window, a certificate this close to
        # expiry means automatic renewal is failing: check the CA's template permissions and the Application log
        Write-Warning "OCSP signing certificate expiring soon and not renewed. Investigate immediately."
    }
}

# Revocation configuration status is shown in ocsp.msc under Revocation Configuration (Status column;
# "Working" means current CRLs and a valid signing certificate). certutil has no verb for this.

Verification

# Complete OCSP Responder verification
Write-Host "=== OCSP Responder Health Check ===" -ForegroundColor Cyan

# Service status
$svc = Get-Service OcspSvc
Write-Host "OCSP Service: $($svc.Status)" `
    -ForegroundColor $(if ($svc.Status -eq 'Running') {'Green'} else {'Red'})

# Signing certificate (newest one, since renewals overlap)
$signingCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains "OCSP Signing" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($signingCert) {
    Write-Host "Signing Cert: $($signingCert.Subject)" -ForegroundColor Green
    Write-Host "Expires: $($signingCert.NotAfter)"
} else {
    Write-Host "Signing Cert: NOT FOUND" -ForegroundColor Red
}

# End-to-end check against an issued certificate (exported in Step 6): certutil must reach the
# OCSP URL from the AIA and verify the signed response
$testResult = certutil -verify -urlfetch "C:\Temp\test.cer" 2>&1 | Out-String
if ($testResult -match 'Verified "OCSP"' -and $testResult -match 'revocation check passed') {
    Write-Host "OCSP Response: GOOD" -ForegroundColor Green
} else {
    Write-Host "OCSP test result:" -ForegroundColor Yellow
    $testResult -split "`r?`n" | Select-String 'OCSP|revocation' | ForEach-Object { Write-Host "  $_" -ForegroundColor Yellow }
}

# CA AIA configuration includes OCSP (run on the CA)
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateOcsp } |
    Select-Object Uri | Format-Table -AutoSize

Summary

An Online Responder on Windows Server 2012 R2 gives clients a small, per-certificate revocation check in place of downloading full CRLs. The responder is still CRL-backed: it answers from the CA's base and delta CRLs, so revocation latency is set by your CRL publication schedule and the provider's refresh interval, not by OCSP itself. The pieces are: install the Online Responder role service, publish a short-lived OCSP signing certificate template that the responder service enrolls from, create one revocation configuration per CA, add the OCSP URL to the CA's AIA extension so newly issued certificates point at it, and monitor the signing certificate and the responder's event logs. Windows clients and applications built on CryptoAPI will then use OCSP for these certificates before trusting them. For high availability, build an Online Responder Array and publish a single load-balanced URL so revocation checking survives maintenance on any one member.