Microsoft best practices OCSP enroll/autoenroll
method115 (Member, 85 posts):
I've heard that you should not have autoenroll enabled for OCSP, and I've also heard you should. Anyone know which MS would prefer?
Comments
Krunchi (Member, 237 posts):
According to TechNet, Setting Up Online Responder Services in a Network, autoenroll needs to be on in order for it to function. I have no real-world experience in OCSP, just book and cert theory, so take it with a grain of salt.
Certifications: A+, Net+, MCTS-620, 640, 642, 643, 659, MCITP-622, 623, 646, 647, MCSE-246
method115 (Member, 85 posts):
Quote (Krunchi): According to TechNet, Setting Up Online Responder Services in a Network, autoenroll needs to be on in order for it to function. I have no real-world experience in OCSP, just book and cert theory, so take it with a grain of salt.
Well, if TechNet says it then I'll take that as the answer. I'll lab it myself to see if that's true, though. Pretty sure in the CBT Nuggets video he did it without autoenroll on, and he even explained some issues that can occur if autoenroll is checked when issuing the cert.
Everyone (Member, 1,661 posts):
Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.
Everyone (Member, 1,661 posts):
Here's a very good read on implementing an OCSP: Implementing an OCSP responder: Part I - Introducing OCSP - Ask the Directory Services Team - Site Home - TechNet Blogs
It's been many, many, many years since I had to do any of this stuff. Have fun.
method115 (Member, 85 posts):
Quote (Everyone): Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.
Sorry, I don't mean any cert; I mean specifically the OCSP cert that you issue to your OCSP servers. In the CBT Nuggets video he says enabling autoenroll can cause some sort of issue with your certs.
Everyone (Member, 1,661 posts):
Quote (method115): Sorry, I don't mean any cert; I mean specifically the OCSP cert that you issue to your OCSP servers. In the CBT Nuggets video he says enabling autoenroll can cause some sort of issue with your certs.
From part 3 of the series I linked to: "If you wish to automatically enroll for the OCSP Response Signing Certificate, make sure the Auto-Enroll for an OCSP signing certificate is checked."
Key words here: "If you wish to."
There's a little more work to do if you choose to do it manually, and you will have to remember to renew it before it expires.
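The "remember to renew it before it expires" point above is the one that bites in practice: the built-in OCSP Response Signing template issues short-lived certificates (two weeks by default), so a responder whose signing cert is enrolled by hand will start returning unsigned or failed responses the day someone forgets. The script below is an added example written for this thread, not code from the posters or from Microsoft. It runs on a Windows Online Responder and (1) lists every certificate in the machine store carrying the OCSP Signing EKU with its remaining lifetime and (2) reads each revocation configuration through the CertAdm.OCSPAdmin COM object and decodes the two signing flags that control automatic enrollment and renewal. Assumptions, flagged in the comments: the signing certificates live in LocalMachine\My (the service's default), the flag bit values are those of the OCSPSigningFlags enumeration in certadm.h (verify against your SDK headers), and the three-day warning threshold is arbitrary.

```powershell
# Added example for this thread (not from the original post or from Microsoft).
# Run elevated on the Online Responder host.
# Assumptions: OCSP signing certs are in LocalMachine\My (the service default) and
# the CertAdm.OCSPAdmin COM class is present (installed with the Online Responder role).

$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning
$WarnDays       = 3                      # arbitrary warning threshold (assumption)

# 1. Every certificate in the machine store with the OCSP Signing EKU, and how long
#    it has left. With the default two-week template, anything close to expiry means
#    the responder will soon be unable to sign unless renewal (manual or auto) happens.
$signers = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $OcspSigningEku }

if (-not $signers) {
    Write-Warning 'No certificate with the OCSP Signing EKU found in LocalMachine\My.'
}

foreach ($c in $signers) {
    $daysLeft = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0)         { 'EXPIRED' }
              elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
              else                         { 'OK' }
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $daysLeft
        HasKey     = $c.HasPrivateKey      # a signing cert without its key is useless
        Status     = $status
    }
}

# 2. Per revocation configuration: which template is used and whether the service
#    is allowed to enroll/renew its own signing cert. Bit values per the
#    OCSPSigningFlags enumeration (certadm.h); confirm against your SDK headers.
$SF_ALLOW_SIGNINGCERT_AUTORENEWAL    = 0x004
$SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200

try {
    $admin = New-Object -ComObject CertAdm.OCSPAdmin
    $admin.GetConfiguration($env:COMPUTERNAME, $true)   # $true = force a fresh read
    foreach ($cfg in $admin.OCSPCAConfigurationCollection) {
        [pscustomobject]@{
            Configuration = $cfg.Identifier
            Template      = $cfg.SigningCertificateTemplate
            AutoEnroll    = [bool]($cfg.SigningFlags -band $SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT)
            AutoRenew     = [bool]($cfg.SigningFlags -band $SF_ALLOW_SIGNINGCERT_AUTORENEWAL)
            SigningFlags  = ('0x{0:X}' -f $cfg.SigningFlags)
        }
    }
}
catch {
    Write-Warning "Could not read the Online Responder configuration: $_"
}
```

Read the two tables together: a configuration with AutoEnroll and AutoRenew both false is the manual case the post describes, and its signing certificate's DaysLeft is the deadline you have to track yourself; a configuration with both true should show a signing cert that keeps getting replaced before it reaches the warning threshold, and if it does not, the template's autoenroll permission for the responder's computer account is the first thing to check.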