http://technet.microsoft.com/en-us/library/cc753468.aspx
Setting Up Online Responder Services in a Network
Setting up Online Responder services involves several interrelated
steps. Several of these steps must be performed on the certification
authority (CA) that will be used to issue the Online Certificate Status
Protocol (OCSP) signing certificates necessary for an Online Responder
to function. These steps include configuring the appropriate
certificate template, enabling the certificate template, and
configuring and completing certificate autoenrollment so that the
computer hosting the Online Responder has the certificates needed for
the Online Responder to function.
Installation and configuration of an Online Responder involves using
Server Manager to install the Online Responder service, the Certificate
Templates snap-in to configure and publish OCSP Response Signing
certificate templates, the Certification Authority snap-in to include
OCSP extensions in the certificates that it will issue and to issue OCSP
Response Signing certificates, and the Online Responder snap-in to
create a revocation configuration.
The following topics describe how to complete these installation and
configuration steps and how to verify that the installation was
successful.
- Configure a CA to Support OCSP Responders
- Set Up an Online Responder
- Creating a Revocation Configuration
- Verify an Online Responder Installation
http://technet.microsoft.com/en-us/library/cc774575.aspx
AD CS Online Responder
The Microsoft Online Responder service makes it possible to configure
and manage Online Certificate Status Protocol (OCSP) validation and
revocation checking in Windows-based networks. The Online Responder
snap-in allows you to configure and manage revocation configurations and
Online Responder Arrays to support public key infrastructure (PKI)
clients in diverse environments.
Aspects
The following is a list of all aspects that are part of this managed entity:
Name | Description |
---|---|
The |
Related Management Information
Active Directory Certificate Services
Updated: November 27, 2007
The status and functioning of the Microsoft Online Responder service has
dependencies on numerous features and components, including the ability
to access timely certificate revocation data, the validity of the
certification authority (CA) certificate and chain, and overall system
response and availability.
Events
Event ID | Source | Message |
---|---|---|
 | Microsoft-Windows-OnlineResponderRevocationProvider | For configuration %1, the Online Responder revocation provider failed to update CRL information: %2. |
 | Microsoft-Windows-OnlineResponderRevocationProvider | For configuration %1, the Online Responder revocation provider either has no CRL information or has outdated CRL information. |
 | Microsoft-Windows-OnlineResponderWebProxy | The Online Responder ISAPI extension failed to Initialize. %1 |
 | Microsoft-Windows-OnlineResponder | OCSP Responder Services was started. |
 | Microsoft-Windows-OnlineResponderRevocationProvider | For configuration %1, the Online Responder revocation provider found a delta CRL that refers to a newer base CRL. |
 | Microsoft-Windows-OnlineResponder | The Online Responder Service was stopped. |
 | Microsoft-Windows-OnlineResponderWebProxy | OCSP ISAPI Extension was loaded. |
 | Microsoft-Windows-OnlineResponderWebProxy | The Online Responder ISAPI extension was stopped. |
 | Microsoft-Windows-OnlineResponder | The Online Responder Service did not start because a safe boot was detected. |
 | Microsoft-Windows-OnlineResponder | The Online Responder Service did not start: %1. |
 | Microsoft-Windows-OnlineResponderWebProxy | The Online Responder Service detected an invalid configuration for the %1 property. The value was changed from %2 to %3. |
 | Microsoft-Windows-OnlineResponder | %1: The Online Responder Service detected an exception at address %2. Flags = %3. The exception is %4. |
 | Microsoft-Windows-OnlineResponder | The Online Responder Services did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. Unless verbose logging is enabled, this error will not be logged again for 20 minutes. |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: For configuration %1, could not locate signing certificate.(%2) |
 | Microsoft-Windows-OnlineResponder | Online Responder Services: For revocation configuration %1, the signing certificate is going to expire soon. |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: For configuration %1, the signing certificate has expired. Any OCSP request for this configuration will be rejected. |
 | Microsoft-Windows-OnlineResponder | Online Responder Services: For configuration %1, the signing certificate was not updated.(%2) |
 | Microsoft-Windows-OnlineResponder | OnlineResponder Service: For configuration %1, settings could not be loaded. Any OCSP request for this configuration will be rejected.(%2) |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: Could not initialize performance counters. |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: For configuration %1, failed to create an enrollment request for the signing certificate template %2.(%3) |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: For configuration %1, an error occurred while submitting the enrollment request to the certification authority %2.%3(%4) |
 | Microsoft-Windows-OnlineResponder | Online Responder Service: For configuration %1, failed to install the enrollment response for the signing certificate template %2.%3(%4) |
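
An added example, not part of the quoted Microsoft documentation: because the Events table gives message templates with %N insertion strings, a monitoring script can turn three of those templates into regexes, recover the affected revocation configuration or requesting source from a rendered message, and group events by operational impact. The bucket names, the configuration name `CA1-config` and the address `192.0.2.10` are assumptions constructed for this example.

```python
import re

# Message templates copied from the Events table above; %N is an insertion string.
# The bucket names are this example's own triage labels (assumptions).
TEMPLATES = [
    ("requests_rejected", "Online Responder Service: For configuration %1, the signing "
     "certificate has expired. Any OCSP request for this configuration will be rejected."),
    ("stale_crl", "For configuration %1, the Online Responder revocation provider failed "
     "to update CRL information: %2."),
    ("oversized_request", "The Online Responder Services did not process an extremely long "
     "request from %1. This may indicate a denial-of-service attack. If the request was "
     "rejected in error, modify the MaxIncomingMessageSize property for the service. Unless "
     "verbose logging is enabled, this error will not be logged again for 20 minutes."),
]

def template_to_regex(template):
    """Turn a template with %1, %2 ... into a regex with groups p1, p2 ..."""
    parts = re.split(r"%(\d+)", template)  # odd indexes hold placeholder numbers
    body = "".join(f"(?P<p{p}>.+)" if i % 2 else re.escape(p) for i, p in enumerate(parts))
    return re.compile(body, re.DOTALL)

COMPILED = [(bucket, template_to_regex(t)) for bucket, t in TEMPLATES]

def classify(message):
    """Return (bucket, {placeholder_number: value}), or (None, {}) if not listed."""
    text = " ".join(message.split())  # rendered events may wrap or double-space
    for bucket, rx in COMPILED:
        m = rx.fullmatch(text)
        if m:
            return bucket, {int(k[1:]): v for k, v in m.groupdict().items()}
    return None, {}

def triage(messages):
    """Group classified messages by bucket, keeping their insertion strings."""
    report = {}
    for msg in messages:
        bucket, inserts = classify(msg)
        if bucket:
            report.setdefault(bucket, []).append(inserts)
    return report

# Constructed sample messages (configuration name and address are made up).
SAMPLE = [
    TEMPLATES[0][1].replace("%1", "CA1-config"),
    "For configuration CA1-config,\n  the Online Responder revocation provider failed "
    "to update CRL information: constructed error text.",
    TEMPLATES[2][1].replace("%1", "192.0.2.10"),
    "OCSP Responder Services was started.",
]
```

As the oversized-request message itself states, that event is not logged again for 20 minutes unless verbose logging is enabled, so a single hit in the `oversized_request` bucket can stand for many rejected requests.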