Verify an Online Responder Installation

Applies To: Windows Server 2008, Windows Server 2012

After you have completed setting up an Online Responder, you can verify that it is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.

You must be a CA administrator to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.

To verify that the Online Responder functions properly

  1. On the certification authority (CA), configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.

  2. When the template changes have replicated to the Active Directory domain controllers, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:

    certutil -pulse

Note

It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also restart the client computer to initiate certificate autoenrollment.

  4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates: click Certification Authority (Computer)/CA name/Issued Certificates and select the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.

  5. In the Certification Authority snap-in, publish a new certificate revocation list (CRL): click Certification Authority (Computer)/CA name/Revoked Certificates in the console tree, and then, on the Action menu, point to All Tasks and click Publish. By default the Online Responder's revocation provider obtains its revocation data from this CRL, so the revocation becomes visible through the Online Responder only after the responder has retrieved the new CRL.

  6. To remove all CRL distribution point (CDP) extensions from certificates issued by the CA, so that clients have no source of revocation data other than the Online Responder, open the Certification Authority snap-in, select the CA, and then, on the Action menu, click Properties. Because this removes the fallback to CRLs for every certificate issued afterwards, perform this step only in a test environment.

  7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).

  8. Click each CRL distribution point that is listed, click Remove, and then click OK.

  9. Stop and restart Active Directory Certificate Services (AD CS).

  10. Repeat steps 2 and 3 so that the client obtains certificates that no longer carry a CDP extension, and then verify that client computers can still obtain revocation data. Autoenrollment does not replace a certificate that is still valid, so delete the earlier test certificate from the client's store (or use Reenroll All Certificate Holders on the template) before repeating step 2. Then use the Certificates snap-in to export one of the new certificates to a .cer file and, at a command prompt, type:

    certutil -url exportedcert.cer

  11. In the Verify and Retrieve dialog box that appears, click From CDP and then From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.
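The same verification can be driven from PowerShell with certutil and the CA's registry settings instead of the two snap-ins and the Verify and Retrieve dialog box. The script below is an added example, not part of the original article or of AD CS itself. It runs the steps above in an order that makes the result unambiguous: the CDP extension is switched off first, so the certificate that is then enrolled, revoked and checked has no CDP at all, and a "revoked" answer can only have come from the Online Responder. Two details go beyond the text: instead of deleting every CDP entry it clears only flag 2 ("Include in the CDP extension of issued certificates") in the CA's CRLPublicationURLs value, which leaves the CA's own CRL publishing location intact, and it replaces the dialog box with the non-interactive `certutil -f -urlfetch -verify`. The CA configuration string, the host names and the file path are lab assumptions; substitute your own.

```powershell
<#
  Added example (not from the original article). Run in four passes:
    -Step DisableCdp   on the issuing CA, as a CA administrator
    -Step Enroll       on the test client (prints the new serial number)
    -Step Revoke -SerialNumber <serial>   on the CA
    -Step Verify       on the client
  $CaConfig and the host names below are assumptions for a lab.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('DisableCdp', 'Enroll', 'Revoke', 'Verify')]
    [string]$Step,
    [string]$CaConfig     = 'ca01.corp.example.com\Example Issuing CA',  # assumed lab CA
    [string]$SerialNumber,                                               # for -Step Revoke
    [string]$CertFile     = "$env:TEMP\ocsp-test.cer"
)
$ErrorActionPreference = 'Stop'

# Steps 6 to 9: stop adding the CDP extension to issued certificates, then restart AD CS.
# Each CRLPublicationURLs entry is "flags:url"; flag 2 is "Include in the CDP extension of
# issued certificates". Clearing only that bit keeps the CA's publish location (flag 1).
function Disable-CdpExtension {
    $cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caKey = Join-Path $cfg (Get-ItemProperty $cfg).Active
    $urls  = (Get-ItemProperty $caKey).CRLPublicationURLs       # REG_MULTI_SZ
    $fixed = foreach ($entry in $urls) {
        $sep   = $entry.IndexOf(':')
        $flags = ([int]$entry.Substring(0, $sep)) -band (-bnot 2)
        '{0}:{1}' -f $flags, $entry.Substring($sep + 1)
    }
    Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ([string[]]$fixed) -Type MultiString
    Restart-Service CertSvc
    certutil -getreg 'CA\CRLPublicationURLs'                    # no entry should still carry flag 2
}

# Step 2: trigger autoenrollment for the computer and for the current user.
# Autoenrollment leaves a still-valid certificate alone, so delete the earlier
# test certificate first if you need a fresh one without a CDP extension.
function Start-Autoenrollment {
    certutil -pulse
    certutil -user -pulse
}

# Steps 3 and 10: take the newest certificate from the CA, check its extensions, export it.
# The AIA text comes from CryptFormatObject, which names the OCSP access method by its OID.
function Export-NewestIssuedCert([string]$Store = 'Cert:\LocalMachine\My') {
    $caCn = $CaConfig.Split('\')[-1]
    $cert = Get-ChildItem $Store | Where-Object { $_.Issuer -like "CN=$caCn*" } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate issued by '$caCn' in $Store" }
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }          # CRL Distribution Points
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }  # Authority Information Access
    if ($cdp) { Write-Warning 'Certificate still carries a CDP extension (issued before DisableCdp?)' }
    if (-not $aia -or $aia.Format($true) -notmatch '1\.3\.6\.1\.5\.5\.7\.48\.1') {
        throw 'No OCSP URL in the AIA extension; clients cannot find the Online Responder'
    }
    [IO.File]::WriteAllBytes($CertFile, $cert.RawData)
    "Exported serial $($cert.SerialNumber) to $CertFile"
}

# Steps 4 and 5: revoke the test certificate and publish a new CRL. Reason codes:
# 0 Unspecified, 1 KeyCompromise, 4 Superseded, 6 CertificateHold. The Online Responder's
# default revocation provider reads this CRL, so allow for its refresh interval.
function Revoke-TestCertificate {
    if (-not $SerialNumber) { throw 'Revoke needs -SerialNumber from the Enroll step' }
    certutil -config $CaConfig -revoke $SerialNumber 1
    certutil -config $CaConfig -crl
}

# Step 11 without the dialog box: discard cached CRLs and OCSP responses, then let certutil
# fetch revocation data for the exported certificate. Each URL it tried is listed as
# verified or failed; with no CDP in the certificate only OCSP URLs can succeed.
function Test-OcspRevocation {
    certutil -urlcache crl delete  | Out-Null
    certutil -urlcache ocsp delete | Out-Null
    $out = certutil -f -urlfetch -verify $CertFile 2>&1 | Out-String
    $out
    [pscustomobject]@{
        MentionsOcsp   = [bool]($out -match '(?i)ocsp')
        ReportsRevoked = [bool]($out -match '(?i)revoked')
    }
}

switch ($Step) {
    'DisableCdp' { Disable-CdpExtension }
    'Enroll'     { Start-Autoenrollment; Export-NewestIssuedCert }
    'Revoke'     { Revoke-TestCertificate }
    'Verify'     { Test-OcspRevocation }
}
```

Read the full `certutil -f -urlfetch -verify` output rather than relying on the two summary flags alone: it lists every CDP and OCSP URL the client attempted with its result, which is the same information the From CDP and From OCSP buttons show, and the final chain status should report the test certificate as revoked. If the Verify step still reports the certificate as good, the responder has most likely not yet picked up the CRL published in the Revoke step.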

Additional references