Options

Microsoft best practices OCSP enroll/autoenroll

method115method115 Member Posts: 85 ■■□□□□□□□□
in MCTS / MCITP on Windows 2008 General
I've heard that you should not have autoenroll enabled for OCSP and I've also heard you should. Anyone know which MS would prefer?
· Share on FacebookShare on Twitter

Comments

  • Options
    KrunchiKrunchi Member Posts: 237
    According to Technet Setting Up Online Responder Services in a Network auto enroll needs to be on in order for it function. I have no real world experience in OCSP just book and cert theory so take it with a grain of salt.
    Certifications: A+,Net+,MCTS-620,640,642,643,659,MCITP-622,623,646,647,MCSE-246
    · Share on FacebookShare on Twitter
  • Options
    method115method115 Member Posts: 85 ■■□□□□□□□□
    Krunchi wrote: »
    According to Technet Setting Up Online Responder Services in a Network auto enroll needs to be on in order for it function. I have no real world experience in OCSP just book and cert theory so take it with a grain of salt.

    Well if technet says it then I'll take that as the answer. I'll lab it myself to see if thats true though. Pretty sure in the CBT nuggets video he did it without autoenroll on and even explained some issues that can occur if autoenroll is checked when issuing the cert.
    · Share on FacebookShare on Twitter
  • Options
    EveryoneEveryone Member Posts: 1,661
    Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.
    www.fixtheexchange.com
    · Share on FacebookShare on Twitter
  • Options
    EveryoneEveryone Member Posts: 1,661
    Here very good read on implementing an OCSP: Implementing an OCSP responder: Part I - Introducing OCSP - Ask the Directory Services Team - Site Home - TechNet Blogs

    Been many many many years since I had to do any of this stuff, have fun. ;)
    www.fixtheexchange.com
    · Share on FacebookShare on Twitter
  • Options
    method115method115 Member Posts: 85 ■■□□□□□□□□
    Everyone wrote: »
    Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.

    Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.
    · Share on FacebookShare on Twitter
  • Options
    EveryoneEveryone Member Posts: 1,661
    method115 wrote: »
    Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.

    From part 3 of the series I linked to:
    If you wish to automatically enroll for the OCSP Response Signing Certificate, make sure the Auto-Enroll for an OCSP signing certificate is checked.

    Key words here "If you wish to".

    There's a little more work to do if you chose to do it manually, and you will have to remember to renew it before it expires.
    www.fixtheexchange.com
    · Share on FacebookShare on Twitter
Sign In or Register to comment.