Building the PKI for the Workplace Join Lab with an OCSP Responder

Last month I was busy building the lab environment to demonstrate Workplace Join with Windows 8.1 and Windows Server 2012 R2. Microsoft has an excellent walkthrough for building the lab environment, starting with AD FS. While working my way through the demo I noticed that Workplace Join is very picky about revocation checking: the client must be able to retrieve revocation status for the certificate used by the AD FS service. The lab setup refers to Configure SSL/TLS on a Web site in the domain with an Enterprise CA for setting up the Public Key Infrastructure, but that reference does not contain the steps for a working PKI. Here is my fix for this omission.

This time I set up the PKI with an OCSP Responder. In the previous setup, which used a published CRL, the CRL expired every few days and had to be republished manually. With an OCSP Responder this is no longer the case: the responder retrieves the CA's CRL itself and refreshes it when it expires, so clients only need to reach the OCSP URL.

Disclaimer: The following steps are for setting up PKI for a DEMO ENVIRONMENT. It is NOT meant as a solution for building a production PKI.

You can use the Domain Controller in the lab environment as the Certificate Authority, or set up a separate server that is joined to the domain. In my case I used the Domain Controller for the CA.

Step 1: Configure the Domain Controller

I used the following PowerShell commands to set up the Domain Controller for

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSForest -DomainName "" -ForestMode 5 -DomainMode 5 -DomainNetbiosName "nextxpert"

Step 2: Configure the Certificate Authority with Active Directory Certificate Services

Install Active Directory Certificate Services and the Online Responder

I used the following PowerShell commands to install AD CS:

Install-WindowsFeature ADCS-Cert-Authority,ADCS-Online-Cert -IncludeManagementTools

Configure the Certificate Authority

I used the following PowerShell commands to set up the Enterprise Root CA:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CACommonName HyperxpertRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 5

Note: SHA1 is what this lab used at the time; current Windows versions and browsers reject SHA-1 signed certificates, so for a new lab use -HashAlgorithmName SHA256 instead.

Configure the CRL Distribution Point on the CA

Start the Certificate Authority MMC

Right click the CA name and select Properties

In the CA Properties dialog select the Extensions tab

On the Extensions tab select Authority Information Access (AIA), and then click Add.

In the Add Location dialog, type the following location: http://<ServerDNSName>/ocsp and click OK.

In the Extensions tab, enable the following option:

  • Include in the online certificate status protocol (OCSP) extension

Click OK, and restart the service when prompted.

Enable the OCSP Signing certificate template on the CA

Start the Certificate Authority MMC

Right click the Certificate Templates and select New | Certificate Template to Issue

Select OCSP Response Signing, and click OK

Publish the Revocation List

In the Certificate Authority MMC right click Revoked Certificates

Select All Tasks | Publish

In the Publish CRL dialog, select New CRL and click OK
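The console steps above can also be scripted. The following block is an added example and not part of the original post; it uses the ADCSAdministration cmdlets that ship with the CA role and assumes the responder is reachable at http://ca.nextxpert.local/ocsp (an assumed name; replace it with your own server's DNS name). Run it elevated on the CA.

```powershell
# Added example: scripted equivalent of the Step 2 console steps (AIA OCSP URL, template, CRL).
# Run elevated on the CA. The responder URL below is an assumption; replace <ServerDNSName>.
Import-Module ADCSAdministration

$ocspUrl = 'http://ca.nextxpert.local/ocsp'   # assumed responder URL

# 1. Add the OCSP URL to the AIA extension of issued certificates.
#    -AddToCertificateOcsp is the "Include in the online certificate status protocol (OCSP)
#    extension" checkbox; without it clients never learn where the responder is.
if (-not (Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $ocspUrl })) {
    Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force
}

# 2. Make the OCSP Response Signing template available for issuance on this CA
#    (Certificate Templates > New > Certificate Template to Issue).
if (-not (Get-CATemplate | Where-Object { $_.Name -eq 'OCSPResponseSigning' })) {
    Add-CATemplate -Name 'OCSPResponseSigning' -Force
}

# 3. Extension changes only take effect after the CA service restarts.
Restart-Service -Name CertSvc

# 4. Publish a fresh base CRL (Revoked Certificates > All Tasks > Publish > New CRL).
certutil -CRL | Out-Null

# Verify: the OCSP AIA entry is flagged, the template is listed, and the local CRL file is new.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.AddToCertificateOcsp } |
    Format-Table Uri, AddToCertificateOcsp -AutoSize
Get-CATemplate | Where-Object { $_.Name -eq 'OCSPResponseSigning' }
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Select-Object Name, LastWriteTime
```

Certificates issued before the AIA change do not carry the OCSP URL; re-enroll any certificate that was issued earlier, including the one for AD FS.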

Step 3: Configure the Certificate Template ACLs

The Enterprise CA only issues a certificate from a template to a requester whose principal has Read and Enroll on that template's ACL. The following procedure grants Domain Computers the right to enroll WebServer certificates. If AD FS runs on a Domain Controller, also allow the group Domain Controllers, because domain controller accounts are not members of Domain Computers. Keep in mind that the WebServer template lets the requester supply the subject name, so in a production PKI you would grant Enroll on it only to the specific hosts that need it, not to every domain computer.

Start Active Directory Sites and Services (if the Services container is not visible, enable View | Show Services Node)

Browse to Services\Public Key Services\Certificate Templates

Right click the WebServer certificate template and select Properties

On the Security tab add the group Domain Computers and allow Read and Enroll

If AD FS is running on a Domain Controller, also add the group Domain Controllers and allow Read and Enroll

Right click the OCSPResponseSigning certificate template and select Properties

On the Security tab add the group Domain Computers and allow Read and Enroll, and the group Domain Controllers and allow Read and Enroll.
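The same ACL changes can be applied from PowerShell, which also makes it easy to verify them afterwards. This is an added example, not code from the original post; it uses the ActiveDirectory module (RSAT-AD-PowerShell) and the AD: drive it provides, and it must run as a user who can modify the template objects in the Configuration partition (Enterprise Admins in the lab). The template names are the AD object names, without spaces.

```powershell
# Added example: scripted equivalent of the Step 3 console steps.
# Requires the ActiveDirectory module and rights to modify the template objects.
Import-Module ActiveDirectory

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" on the Security tab).
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateAdPath {
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "AD:\CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

function Grant-TemplateEnroll {
    # Grants Read + Enroll on a template to a group, like the Security tab in the console.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $path = Get-TemplateAdPath -TemplateName $TemplateName
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path $path

    $read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $EnrollRightGuid)

    $acl.AddAccessRule($read)
    $acl.AddAccessRule($enroll)
    Set-Acl -Path $path -AclObject $acl
}

function Test-TemplateEnroll {
    # $true when the group holds an Allow ACE for the Enroll extended right on the template.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path (Get-TemplateAdPath -TemplateName $TemplateName)
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $EnrollRightGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    })
}

# The grants this lab needs: WebServer for the AD FS host, OCSPResponseSigning for the responder.
$grants = @(
    @{ Template = 'WebServer';           Group = 'Domain Computers' },
    @{ Template = 'WebServer';           Group = 'Domain Controllers' },   # only if AD FS runs on a DC
    @{ Template = 'OCSPResponseSigning'; Group = 'Domain Computers' },
    @{ Template = 'OCSPResponseSigning'; Group = 'Domain Controllers' }
)
foreach ($g in $grants) {
    Grant-TemplateEnroll -TemplateName $g.Template -GroupName $g.Group
    '{0,-20} {1,-18} enroll={2}' -f $g.Template, $g.Group,
        (Test-TemplateEnroll -TemplateName $g.Template -GroupName $g.Group)
}
```

Test-TemplateEnroll is the check to run when an enrollment in Step 5 fails with an access-denied error: if it returns $false for the requesting computer's group, the ACL is the problem, not the CA.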

Step 4: Configure the Online Responder

Under Tasks, select Configure Active Directory Certificate Services on th…

In the AD CS Configuration dialog, on the Credentials screen, specify the credentials of a member of the Enterprise Admins group and click Next.

In the Role Services screen, enable Online Responder, click Next and then click Configure.

Click Close when the Online Responder is successfully configured.

Open Online Responder Management

Right click, Revocation Configuration and then click Add Revocation Configuration

In the Add Revocation Configuration wizard, click Next in the getting started page.

Enter a name for the Revocation Configuration and click Next.

Select "Select a certificate for an Existing enterprise CA" and click Next

Select "Browse CA certificates published in Active Directory" and click Browse…

In the Select Certification Authority dialog, select the Enterprise Root CA, and click OK, then click Next

In the Select Signing Certificate page, select Automatically select a signing certificate, enable Auto-Enroll for an OCSP signing certificate, and then click Next

Click Finish to end the wizard

Now restart the server running the OCSP Responder
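The role-service configuration at the start of this step can be done with the ADCSDeployment module, and after the revocation configuration has been added in the console the responder's state can be checked from PowerShell instead of by inspection. This is an added example, not part of the original post; it assumes the Online Responder runs on the same server as the CA, as in the lab, and that the OCSP Response Signing certificate is auto-enrolled into the machine's Personal store, which is where the responder places it.

```powershell
# Added example: Online Responder setup (wizard part of Step 4) plus a post-restart check.
Import-Module ADCSDeployment

# Equivalent of AD CS Configuration > Role Services > Online Responder > Configure.
# Fails if the responder is already configured, which is harmless here.
try {
    Install-AdcsOnlineResponder -Force -ErrorAction Stop
} catch {
    Write-Warning "Online Responder configuration: $_"
}

function Test-OcspResponder {
    # $true when the Online Responder service runs and a current OCSP Response Signing
    # certificate (EKU 1.3.6.1.5.5.7.3.9) is present in the machine store. A missing signing
    # certificate is the usual reason the responder answers with "unauthorized".
    $svc = Get-Service -Name OCSPSvc -ErrorAction SilentlyContinue
    $signing = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' -and
        $_.NotAfter -gt (Get-Date)
    }
    $svcOk = $null -ne $svc -and $svc.Status -eq 'Running'
    $svcOk -and [bool]$signing
}

# Run after the revocation configuration exists and the server has been restarted.
if (Test-OcspResponder) {
    'Online Responder is running with a valid OCSP signing certificate.'
} else {
    Write-Warning 'OCSPSvc is not running or no OCSP signing certificate was enrolled; check the' +
                  ' OCSPResponseSigning template ACL (Step 3) and the revocation configuration.'
}
```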

Step 5: Enroll the Web Server Certificate on a Domain Member Server

Use the following procedure to enroll the WebServer certificate on a Domain Member Server

Start certlm.msc

Browse to Certificates\Personal\Certificates

Right click Certificates and select All Tasks | Request New Certificate…

In the Certificate Enrollment wizard, click Next twice

In the Request Certificates dialog, select Web Server, expand the Details and click Properties

In the Certificate Properties, configure the subject name and Alternative names (when applicable) and click OK

Now click Enroll

Click Finish

Step 6: Test if the OCSP Responder is functional

On the server with the enrolled certificate, export the newly enrolled Web Server certificate to a file.

On the Command Prompt, use CertUtil.exe to check OCSP operation. Use the following command to do the test:

CertUtil -URL <certificate.crt>

In the URL Retrieval Tool, select OCSP (from AIA), and click Retrieve

Check if the status for the OCSP is "Verified".
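Steps 5 and 6 can be done without the enrollment wizard and the URL Retrieval Tool, which is convenient when the test has to be repeated after a CA change. The block below is an added example and not part of the original post; it uses the Get-Certificate and Export-Certificate cmdlets from the PKI module and certutil -verify -urlfetch, and it assumes the AD FS service name adfs.nextxpert.local (an assumed name; use the federation service name of your lab). Run it on the domain member that will host AD FS.

```powershell
# Added example: scripted version of Steps 5 and 6 on the domain member server.
# adfs.nextxpert.local is an assumption; replace it with the AD FS federation service name.
Import-Module PKI

$fqdn = 'adfs.nextxpert.local'

# Step 5: enroll a WebServer certificate from the Enterprise CA. The WebServer template
# takes the subject from the request, so it is supplied here together with the SAN.
$req = Get-Certificate -Template 'WebServer' -SubjectName "CN=$fqdn" -DnsName $fqdn `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrollment returned status '$($req.Status)'" }
$cert = $req.Certificate

# The issued certificate must carry the responder URL in its AIA extension (OID 1.3.6.1.5.5.7.1.1);
# if the OCSP entry is missing, the CA extension from Step 2 was not applied before issuance.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
'AIA extension of the issued certificate:'
$aia.Format($true)

# Step 6: export the public certificate and let certutil build the chain with online
# revocation checking. -urlfetch lists every CDP/AIA URL and whether it was retrieved.
$path = Join-Path $env:TEMP 'webserver.cer'
Export-Certificate -Cert $cert -FilePath $path -Force | Out-Null
$report = certutil -verify -urlfetch $path

# A working responder shows a Verified "OCSP" line; a CRL-only result means clients will
# fall back to the CRL, which is exactly what this lab is trying to avoid.
$report | Select-String -Pattern 'OCSP'
if (-not ($report | Select-String -SimpleMatch 'Verified "OCSP"')) {
    Write-Warning 'No verified OCSP response. Re-check the AIA extension on the CA and the responder service.'
}
```

The certutil report is also the place to look when Workplace Join fails on revocation: every URL it could not fetch is listed with the error, which is far more informative than the generic error the client shows.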

If all is fine, you can now continue building the Workplace Join lab environment with a working PKI.

This entry was posted in PKI, Windows 8.1, Windows Server 2012 R2.

2 Responses to Building the PKI for the Workplace Join Lab with an OCSP Responder

  1. Pingback: Publishing Work Folders with Web Application Proxy | Welcome to

  2. Great article! We are linking to this particularly great content on our website. Keep up the good writing.
