An Online Responder can make revocation information available from multiple certification authorities (CAs) and multiple CA certificates. However, each CA and CA certificate served by an Online Responder requires a separate revocation configuration.
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the following:
- CA certificate. This certificate can
be located in Active Directory Domain Services (AD DS), in the
local certificate store, or imported from a file.
- Signing certificate for the Online
Responder. This signing certificate can be selected
automatically for you, selected manually (which involves a separate
import step after you add the revocation configuration), or you can
use the selected CA certificate to also serve as the signing
certificate.
- Revocation provider. The revocation
provider will provide the revocation data used by this
configuration. For a Windows Server 2008 R2 or Windows
Server 2008 provider, this information is entered as one or
more URLs where valid base CRLs and delta CRLs can be obtained.
Before you begin to add a new revocation configuration, make sure you have the information in the preceding list available.
You must have Manage Online Responder permissions on all of the Online Responders in the Array to complete this procedure. For more information about administering a public key infrastructure, see Implement Role-Based Administration.
To add a revocation configuration to an Online Responder |
-
Open the Online Responder snap-in.
-
In the console tree, click Revocation Configuration.
A list of existing revocation configurations appears in the details pane.
-
In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration Wizard.
-
Provide the information requested in the wizard.
- For information about the Select CA
Certificate Location page, see Revocation Configuration
CA Certificates.
- For information about the Select Signing
Certificate page, see Revocation Configuration
Signing Certificates.
- For information about the Select CA
Certificate Location page, see Revocation Configuration
CA Certificates.
-
When all the information has been entered, click Finish, and then click Yes to complete the setup process.
You can modify the properties of an existing revocation configuration, view its CA certificate, or delete the revocation configuration, by selecting the revocation configuration and clicking Edit Properties in the Actions pane.
The following properties of a revocation configuration can be modified:
- Local CRL. For more information, see
Manage Revocation Data Using Local CRLs.
- Revocation provider. For more
information, see Revocation Provider
Properties.
- Signing. For more information, see
Revocation
Provider Signing.