Configure Active Directory Certificate Services

These questions are based on 70-640 – TS: Windows Server 2008 Active Directory, Configuring
Self Test Software Practice Test


Objective: Configure Active Directory certificate services.
Sub-objective: Manage certificate revocations.


Multiple answer, multiple-choice


You are the systems administrator for your company. The company’s network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. The AD CS server is configured as an enterprise certification authority (CA).


You want another computer to be an Online Responder to provide certificate revocation data to clients. You install IIS and the Online Responder service on a Windows Server 2008 server. You test the Online Responder, but the Online Responder fails. What must you do to ensure the Online Responder works correctly? (Choose two.)



  A. Add the Windows Server 2008 server to the Certificate Publishers group.
  B. Install Microsoft Simple Certificate Enrollment Protocol (MSCEP) on the server.
  C. Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
  D. Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.
  E. Lower the Publish Delta CRL and the Publish CRL Interval settings on the CA so expired certificates are published in Active Directory.

Answer:
C. Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
D. Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.


Tutorial:
You should do the following:



  • Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
  • Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.

The error is occurring because the CA has not been fully configured to support an Online Responder. Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met:



  • IIS must be installed on the computer before the Online Responder can be installed.
  • An OCSP Response Signing certificate template must be configured on the CA, and auto-enrollment must be used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.
  • The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.
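The two CA-side conditions above can be applied from an elevated prompt on the CA. The following script is an added example, not code from the page or from Microsoft's documentation; it assumes the Online Responder will be reachable at http://ocsp.example.com/ocsp and that the CA's CertEnroll folder is published at http://pki.example.com/CertEnroll (both placeholder URLs), and it uses the flag values that certutil documents for CACertPublicationURLs entries. The `Test-OcspAia` function is a hypothetical helper for checking that a certificate issued afterwards actually carries the OCSP URL.

```powershell
# Added example (not from the page): prepare an enterprise CA for an Online Responder.
# Placeholders: $OcspUrl is the assumed responder URL, $CertEnroll the assumed HTTP
# location of the CA certificate. Run elevated on the CA.

$OcspUrl    = 'http://ocsp.example.com/ocsp'        # assumed Online Responder URL
$CertEnroll = 'http://pki.example.com/CertEnroll'   # assumed AIA HTTP location

# 1. Publish the built-in OCSP Response Signing template on the CA so the
#    responder computer can auto-enroll for a signing certificate. The computer
#    account still needs Read/Enroll/Autoenroll on the template's security tab.
certutil -SetCATemplates +OCSPResponseSigning

# 2. Rewrite the AIA publication list. Each entry is "<flags>:<url>" where
#    1  = publish the CA certificate to this location
#    2  = include this URL in the AIA extension of issued certificates
#    32 = include this URL in the OCSP field of the AIA extension
#    The %1/%3/%4/%6/%7/%11 tokens are certutil's own substitution variables.
$Aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    "2:$CertEnroll/%1_%3%4.crt",
    "32:$OcspUrl"
) -join '\n'          # certutil turns a literal \n into a REG_MULTI_SZ separator
certutil -setreg CA\CACertPublicationURLs $Aia

# 3. Restart the CA service so certificates issued from now on carry the new AIA.
Restart-Service -Name CertSvc

# 4. Verification helper (hypothetical): does a given certificate file list the
#    responder URL under the OCSP access method (OID 1.3.6.1.5.5.7.48.1)?
function Test-OcspAia {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $ExpectedUrl
    )
    # certutil -dump prints the AIA extension with each access method and its URL.
    $dump = certutil -dump $CertPath | Out-String
    $hasOcspMethod = $dump -match '1\.3\.6\.1\.5\.5\.7\.48\.1'
    $hasUrl        = $dump -match [regex]::Escape($ExpectedUrl)
    return ($hasOcspMethod -and $hasUrl)
}

# Example check against a certificate issued after the restart (path is a placeholder).
# Test-OcspAia -CertPath 'C:\temp\issued.cer' -ExpectedUrl $OcspUrl
```

Certificates issued before the restart keep their old AIA extension, so the check only proves anything on a certificate requested afterwards. On the responder computer, `certutil -pulse` triggers auto-enrollment immediately instead of waiting for the next Group Policy refresh, and `certutil -verify -urlfetch <cert>` exercises every AIA and CDP URL, including the OCSP endpoint, end to end.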

You should not install the Microsoft Simple Certificate Enrollment Protocol (MSCEP). MSCEP, referred to in some documents as Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP that was developed by Cisco Systems Inc. to support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication protocol that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. Installing MSCEP is not a requirement for configuring an Online Responder.


You should not add the Windows Server 2008 server to the Certificate Publishers group. Certificate Publishers is a global group that includes all computers that are running an enterprise certificate authority. Certificate publishers are authorized to publish certificates for user objects in Active Directory. Adding the Online Responder to the Certificate Publishers group will not allow the Online Responder to publish a CRL.


You do not have to change the Publish Delta CRL setting or the Publish CRL Interval setting on the CA. The Publish Delta CRL setting determines how often changes to the Certificate Revocation List (CRL) are published. A CA can accumulate a large number of revocations, and clients need to download the current revocation data frequently. Clients can download the most current delta CRL, which contains all the changes since the last base CRL that was published according to the Publish CRL Interval setting. The base CRL can become very large. To minimize frequent downloads of large CRLs, delta CRLs can be published, and clients can combine the downloaded delta CRL with the most current base CRL to create a complete list of revoked certificates. In this scenario, the error is occurring because the CA has not been fully configured to support an Online Responder.


Reference:
TechNet > Windows Server 2008 > AD CS: Online Certificate Status Protocol Support
Windows Server 2008 Technical Library > Active Directory Certificate Services > Getting Started > Installing, Configuring, and Troubleshooting the Microsoft Online Responder

cmadmin