Microsoft best practices OCSP enroll/autoenroll

I've heard that you should not have autoenroll enabled for OCSP and I've also heard you should. Anyone know which MS would prefer?

Find more posts tagged with

Comments

Krunchi

According to Technet Setting Up Online Responder Services in a Network auto enroll needs to be on in order for it function. I have no real world experience in OCSP just book and cert theory so take it with a grain of salt.

method115

Krunchi wrote: »

According to Technet Setting Up Online Responder Services in a Network auto enroll needs to be on in order for it function. I have no real world experience in OCSP just book and cert theory so take it with a grain of salt.

Well if technet says it then I'll take that as the answer. I'll lab it myself to see if thats true though. Pretty sure in the CBT nuggets video he did it without autoenroll on and even explained some issues that can occur if autoenroll is checked when issuing the cert.

Everyone

Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.

Everyone

Here very good read on implementing an OCSP: Implementing an OCSP responder: Part I - Introducing OCSP - Ask the Directory Services Team - Site Home - TechNet Blogs

Been many many many years since I had to do any of this stuff, have fun.

method115

Everyone wrote: »

Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.

Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.

Everyone

method115 wrote: »

Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.

From part 3 of the series I linked to:

If you wish to automatically enroll for the OCSP Response Signing Certificate, make sure the Auto-Enroll for an OCSP signing certificate is checked.

Key words here "If you wish to".

There's a little more work to do if you chose to do it manually, and you will have to remember to renew it before it expires.