An Online Responder can make revocation information available from multiple certification authorities (CAs) and multiple CA certificates. However, each CA and CA certificate served by an Online Responder requires a separate revocation configuration.
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the following:
-
CA certificate. This certificate can be located in Active Directory Domain Services (AD DS), in the local certificate store, or imported from a file.
-
Signing certificate for the Online Responder. This signing certificate can be selected automatically for you, selected manually (which involves a separate import step after you add the revocation configuration), or you can use the selected CA certificate to also serve as the signing certificate.
-
Revocation provider. The revocation provider will provide the revocation data used by this configuration. For a Windows Server 2008 R2 or Windows Server 2008 provider, this information is entered as one or more URLs where valid base CRLs and delta CRLs can be obtained.
Before you begin to add a new revocation configuration, make sure you have the information in the preceding list available.
You must have Manage Online Responder permissions on all of the Online Responders in the Array to complete this procedure. For more information about administering a public key infrastructure, see Implement Role-Based Administration.
To add a revocation configuration to an Online Responder |
Open the Online Responder snap-in.
In the console tree, click Revocation Configuration.
A list of existing revocation configurations appears in the details pane.
In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration Wizard.
Provide the information requested in the wizard.
-
For information about the Select CA Certificate Location page, see Revocation Configuration CA Certificates.
-
For information about the Select Signing Certificate page, see Revocation Configuration Signing Certificates.
-
For information about the Select CA Certificate Location page, see Revocation Configuration CA Certificates.
When all the information has been entered, click Finish, and then click Yes to complete the setup process.
You can modify the properties of an existing revocation configuration, view its CA certificate, or delete the revocation configuration, by selecting the revocation configuration and clicking Edit Properties in the Actions pane.
The following properties of a revocation configuration can be modified:
-
Local CRL. For more information, see Manage Revocation Data by Using Local CRLs.
-
Revocation provider. For more information, see Revocation Provider Properties.
-
Signing. For more information, see Revocation Provider Signing.