After you have completed setting up an Online Responder, you can verify that it is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.
You must be a certification authority (CA) administrator to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.
To verify that the Online Responder functions properly
1. On the CA, configure several certificate templates for autoenrollment by computers and users.
2. After the new certificate templates have been published to Active Directory Domain Services (AD DS), open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
   certutil -pulse
   Note: It can take several hours for information about new certificates to be replicated to all domain controllers.
3. On the client computer, use the Certificates snap-in to verify that the new certificates have been issued. If they have not been issued, repeat step 2. You can also restart the client computer to start certificate autoenrollment.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)\CA name\Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new certificate revocation list (CRL) by clicking Certification Authority (Computer)\CA name\Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and then click Publish.
6. On the client computer, use the Certificates snap-in to export one of the issued certificates and save it as an X.509 file.
7. Open a command prompt, and type the following command:
   certutil -url <exportedcert.cer>
8. In the URL Retrieval Tool dialog box, select OCSP (from AIA), and then click Retrieve. After the CRL is retrieved, the status will display Verified.
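A scripted counterpart to the final check, added here as an example and not part of the original procedure: it loads the exported certificate, shows its Authority Information Access (AIA) extension, and asks the Windows chain engine for an online revocation check of that certificate. The `-CertPath` parameter and the output wording are assumptions made for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    # Assumed input: path to the certificate exported from the Certificates snap-in
    [Parameter(Mandatory)]
    [string]$CertPath
)

$cert = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
Write-Output "Subject: $($cert.Subject)"
Write-Output "Serial:  $($cert.SerialNumber)"

# AIA extension (OID 1.3.6.1.5.5.7.1.1) is where the OCSP responder URL is published.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) {
    Write-Warning 'No AIA extension: this certificate cannot point clients at an Online Responder.'
} else {
    $aiaText = $aia.Format($true)
    Write-Output $aiaText
    # 1.3.6.1.5.5.7.48.1 is the OCSP access method OID.
    if ($aiaText -notmatch '1\.3\.6\.1\.5\.5\.7\.48\.1') {
        Write-Warning 'AIA extension has no OCSP access method entry.'
    }
}

# Online revocation check of the end certificate only.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EndCertificateOnly
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$built = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

if ($flags -contains [X509ChainStatusFlags]::Revoked) {
    Write-Output 'Result: REVOKED'
} elseif ($flags -contains [X509ChainStatusFlags]::RevocationStatusUnknown -or
          $flags -contains [X509ChainStatusFlags]::OfflineRevocation) {
    Write-Output 'Result: UNKNOWN (no usable revocation data was retrieved)'
} elseif ($built) {
    Write-Output 'Result: GOOD (chain valid, certificate not revoked)'
} else {
    # Chain failed for a reason unrelated to revocation (trust, expiry, and so on).
    Write-Output "Result: chain errors: $($flags -join ', ')"
}
```

Windows caches revocation responses, so a certificate revoked moments ago can still report as good until the cached response expires. The chain engine can also fall back to a CRL, so this confirms the revocation status rather than which protocol supplied it.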