Make a Revocation Configuration

To use OCSP you have to create a new revocation configuration.

  1. Launch the Online Responder Management console.

  2. Click on Revocation Configuration, and then Action → Add Revocation Configuration.

  3. Enter a name for your configuration.

Add Revocation Configuration Wizard - Name the Revocation Configuration

  4. Specify the location of your CA certificate relative to your environment.

Add Revocation Configuration Wizard - Select CA Certificate Location

  5. Select the OCSP certificate template created earlier.

Add Revocation Configuration Wizard - Select Signing Certificate

  6. To finish, configure the revocation provider. This is the location where the CRLs or delta CRLs are stored. The configuration automatically retrieves this information from the CDP extension of the certificate.

  7. Once you have set up the Revocation Configuration, it should show the status Working.

Check OCSP Service

  1. You can check whether the key of this certificate was actually created and stored by the Utimaco CNG provider. To do this, open a PowerShell window and enter cngtool listkeys. If a key is listed, you can be assured that your Online Responder Service is using the Utimaco CryptoServer HSM correctly.

PS C:\>cngtool listkeys
------------------------------------------------------------------------
Provider : Utimaco CryptoServer Key Storage Provider
Device : 192.168.0.1
Group : win16ocsp
Mode : External Key Storage
------------------------------------------------------------------------
Index AlgId Size Group     Name                              Spec
------------------------------------------------------------------------
1     RSA   2048 win16ocsp tr-OCSPResponseSigning!0028Uti... 0
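
The check above can be scripted. The following is an added example, not part of the original page or of Utimaco's tooling: it parses cngtool listkeys output in the format shown here and fails if no OCSP signing key is listed under the Utimaco provider. The function names, the constructed sample text and the OCSPResponseSigning name pattern (taken from the key name shown above) are assumptions.

```powershell
# Added example: parse `cngtool listkeys` output and confirm that an OCSP
# signing key is listed under the Utimaco provider.
# $sample is constructed from the output format shown on this page. On a real
# responder, use instead:  $text = (& cngtool listkeys) -join "`n"
$sample = @'
------------------------------------------------------------------------
Provider : Utimaco CryptoServer Key Storage Provider
Device : 192.168.0.1
Group : win16ocsp
Mode : External Key Storage
------------------------------------------------------------------------
Index AlgId Size Group Name Spec
------------------------------------------------------------------------
1 RSA 2048 win16ocsp tr-OCSPResponseSigning!0028Uti... 0
'@

function Get-CngToolKeys {
    param([Parameter(Mandatory)][string]$Text)
    $header = @{}
    $keys = @()
    foreach ($line in $Text -split "`r?`n") {
        # "Field : value" lines of the header block
        if ($line -match '^\s*(Provider|Device|Group|Mode)\s*:\s*(.+?)\s*$') {
            $header[$Matches[1]] = $Matches[2]
        }
        # Key rows: Index AlgId Size Group Name Spec
        elseif ($line -match '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s+(\d+)\s*$') {
            $keys += [pscustomobject]@{
                Index = [int]$Matches[1]; AlgId = $Matches[2]; Size = [int]$Matches[3]
                Group = $Matches[4]; Name = $Matches[5]; Spec = [int]$Matches[6]
            }
        }
    }
    [pscustomobject]@{ Header = $header; Keys = $keys }
}

function Test-OcspKeyOnHsm {
    # NamePattern is an assumption: it depends on the name of your OCSP template.
    param([string]$Text, [string]$NamePattern = 'OCSPResponseSigning')
    $r = Get-CngToolKeys -Text $Text
    $onHsm = $r.Header['Provider'] -like 'Utimaco CryptoServer*'
    $match = @($r.Keys | Where-Object { $_.Name -match $NamePattern -and $_.Group -eq $r.Header['Group'] })
    return ($onHsm -and $match.Count -gt 0)
}

if (Test-OcspKeyOnHsm -Text $sample) { 'OK: OCSP signing key is listed by the Utimaco provider' }
else { Write-Error 'No OCSP signing key listed by cngtool'; exit 1 }
```

Run as a scheduled health check, a non-zero exit code flags a responder whose signing key is no longer listed by the HSM provider.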