First, it is necessary to prepare a template to enroll OCSP servers for a certificate which uses the Utimaco CryptoServer.
-
Open the command prompt and run the
certtmpl.msccommand. -
Right-click the OCSP Response Signing template and click Duplicate Template.
-
Selectthe appropriate Windows version under Certificate Authority and Certificate Recipient drop-down box under Compatibility Settings.
-
Click OK.
"Compatibility Tab" Window
-
In the Resulting Changes menu, click OK.
-
Go to the General tab and enter a name for the template.
-
Select the Subject Name tab.
"Subject Name Tab" Window
-
Uncheck the Include e-mail name in subject name checkbox.
-
Uncheck the E-mail name checkbox.
-
In the Request Handling tab, select the Purpose as Signature from the drop-down list. Select Authorize additional service accounts to access the private key checkbox.
"Request Handling" Window
If you are using smartcard authentication, the prompt will appear on the PIN Pad device to insert the smartcard and enter the PIN. Then, press the OK button on the PIN Pad.
-
Go to the Cryptography tab, select Key Storage provider in the Provider category, then select Algorithm name, then Key Size. Check the radio button for Request must use one of the following providers, then selectthe radio button for Utimaco CryptoServer Key storage provider, and select the appropriate Hash Value.
"Cryptography Tab" Window
-
Go to the Security Tab. Add the Computer Account and give Read, Write and Enroll permissions. Ensure Domain Admins and Enterprise Admins have Enroll Permissions.
-
Click Apply and then click OK.
-
Open the command prompt and run the
certsrv.msccommand.
"Certificate Authority" Window
-
Right-click the Certificate Templates node.
-
Select New, then select Certificate Template to Issue.
-
Select a new template for OCSP Response Signing, and click OK.
"Certificate Authority" Window