The OCSP tab is used by administrators to add Online Certificate Status Protocol (OCSP) responder URLs to issuing certification authority (CA) certificates, which are distributed by Group Policy to Active Directory domain members. This enables organizations to add OCSP responders to an existing public key infrastructure (PKI) without reissuing the CA certificate or any certificates previously issued by the CA. OCSP responder URLs provided in this way are used to verify certificate revocation status of certificates issued by the CA.

Enterprise Admins is the minimum group membership required to complete this procedure.

To add an OCSP responder URL to a CA certificate
  1. Click Start, and then click Run. Type gpmc.msc, and click OK to open the Group Policy Management Console (GPMC).

  2. In the console tree, expand the forest and domain containing the policy that you want to edit, and then click Group Policy Objects.

  3. Right-click the policy that you want to edit, and then click Edit.

  4. In the console tree, under Computer Configuration, expand Policies, Windows Settings, Security Settings, Public Key Policies, and Intermediate Certification Authorities.

  5. If no CA certificates are displayed, export the CA certificate from the issuing CA, and import the certificate into Intermediate Certification Authorities. See Exportar um Certificado.

  6. Right-click the CA certificate, click Properties, and then click the OCSP tab.

  7. Type an OCSP responder URL, and click Add URL.

  8. If you want to prevent domain members from downloading CRLs from CRL distribution point locations specified in issued certificates, select the Disable Certificate Revocation List (CRL) check box.

    Cuidado

    Disabling CRLs is not recommended. OCSP takes precedence over CRLs when URLs for both are provided. However, the revocation checking process determines when downloading and caching a single CRL is more efficient than multiple OCSP requests.

  9. Click OK to save changes.

Observação

Changes in Group Policy are applied by domain members periodically based on the Group Policy refresh interval, during computer startup, and during user logon. The default refresh interval is 90 minutes. To immediately refresh Group Policy on a domain member, run the Gpupdate command.

Additional references


Sumário