Microsoft best practices OCSP enroll/autoenroll

method115 Member Posts: 85
I've heard that you should not have autoenroll enabled for OCSP and I've also heard you should. Anyone know which MS would prefer?

Comments

  • Krunchi Member Posts: 237
    According to Technet Setting Up Online Responder Services in a Network, auto enroll needs to be on in order for it to function. I have no real world experience in OCSP, just book and cert theory, so take it with a grain of salt.
    Certifications: A+,Net+,MCTS-620,640,642,643,659,MCITP-622,623,646,647,MCSE-246
  • method115 Member Posts: 85
    Krunchi wrote: »
    According to Technet Setting Up Online Responder Services in a Network auto enroll needs to be on in order for it function. I have no real world experience in OCSP just book and cert theory so take it with a grain of salt.

    Well if technet says it then I'll take that as the answer. I'll lab it myself to see if that's true though. Pretty sure in the CBT nuggets video he did it without autoenroll on and even explained some issues that can occur if autoenroll is checked when issuing the cert.
  • Everyone Member Posts: 1,661
    Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.
  • Everyone Member Posts: 1,661
    Here's a very good read on implementing an OCSP: Implementing an OCSP responder: Part I - Introducing OCSP - Ask the Directory Services Team - Site Home - TechNet Blogs

    Been many many many years since I had to do any of this stuff, have fun. ;)
  • method115 Member Posts: 85
    Everyone wrote: »
    Depends on the type of cert and what the cert is being used for. Autoenroll doesn't really have anything to do with an OCSP. You could have some certs that are autoenroll and some that require manual enrollment, and both will work with an OCSP.

    Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.
  • Everyone Member Posts: 1,661
    method115 wrote: »
    Sorry I don't mean any cert I mean specifically the OCSP cert that you issue to your OCSP servers. On the CBT nuggets video he says enabling autoenroll can cause some sort of issue with your certs.

    From part 3 of the series I linked to:
    If you wish to automatically enroll for the OCSP Response Signing Certificate, make sure the Auto-Enroll for an OCSP signing certificate is checked.

    Key words here "If you wish to".

    There's a little more work to do if you choose to do it manually, and you will have to remember to renew it before it expires.
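The renewal point above is the practical risk of skipping autoenroll for the OCSP Response Signing certificate: once it expires, the Online Responder can no longer sign responses and clients treat status checks as failed. The following PowerShell script is an added example, not code from this thread or from Microsoft. It assumes it runs on the Online Responder host with rights to read the local machine certificate store, finds every certificate carrying the OCSP Signing EKU (OID 1.3.6.1.5.5.7.3.9), and flags those expiring within an assumed `$WarnDays` threshold so a manually enrolled signing certificate gets renewed before it lapses.

```powershell
# Added example (not from the thread): report OCSP Response Signing certificates in the
# local machine store and how many days remain before each expires.
# Assumes: run on the Online Responder host; $WarnDays is an assumed threshold, adjust it
# to the renewal lead time you want to give yourself.
param([int]$WarnDays = 30)

# Enhanced Key Usage OID for OCSP signing (id-kp-OCSPSigning, RFC 6960).
$ocspSigningOid = '1.3.6.1.5.5.7.3.9'

# The Cert: provider exposes EnhancedKeyUsageList on each X509Certificate2 object;
# filter down to certificates that can sign OCSP responses.
$signingCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ocspSigningOid }

if (-not $signingCerts) {
    Write-Warning 'No certificate with the OCSP Signing EKU found in Cert:\LocalMachine\My.'
    return
}

$now = Get-Date
$report = foreach ($cert in $signingCerts) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    # With manual enrollment nobody renews this certificate for you, so flag it early.
    if ($daysLeft -lt 0) {
        $status = 'EXPIRED'
    } elseif ($daysLeft -le $WarnDays) {
        $status = 'RENEW SOON'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

# Soonest-expiring certificate first.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it as a scheduled task or from your monitoring agent and alert on any row whose Status is not `OK`; the same check works unchanged on responders that use autoenrollment, where a `RENEW SOON` row would point at an autoenrollment problem rather than a forgotten manual renewal.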