You need to ensure that revoked certificate information is highly available

Your company has an Active Directory domain.
All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available.
What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).

C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.

D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.

Explanation:
Answer: C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification
authorities (CAs). The most common means of communicating certificate status is by distributing certificate
revocation lists (CRLs). In the Windows Server 2008 operating system, for public key infrastructures (PKIs)
where the use of conventional CRLs is not an optimal solution, an Online Responder based on the
Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status
information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two
common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed
periodically and contain information about all certificates that have been revoked or suspended, an Online
Responder receives and responds only to requests from clients for information about the status of a single
certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates
there might be.
In many circumstances, Online Responders can process certificate status requests more efficiently than
by using CRLs.
...
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an
organization's PKI.
...
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the
OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the
configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the
same configuration. The configuration of the Array Controller is used as the baseline configuration that is then
applied to other members of the Array.
The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is
what actually provides fault tolerance.
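The following is an added example, not part of the question page or of the Microsoft articles it quotes. It shows the second piece described above, putting two Online Responders behind a Network Load Balancing cluster with the built-in NetworkLoadBalancingClusters module, and then checking from a client that revocation lookups succeed through the cluster name. The host names OCSP01 and OCSP02, the NIC name LAN, the cluster address 10.0.0.50 and the DNS name ocsp.corp.example are constructed placeholders; the Array membership itself (the first piece) is configured in the Online Responder snap-in and is not scripted here.

```powershell
# Added example (not from the original page). Host names, NIC name, VIP and
# DNS name below are assumed placeholders; adjust them to your environment.
Import-Module NetworkLoadBalancingClusters

# 1. Create the NLB cluster on the first responder (run on OCSP01).
#    The cluster DNS name must match the OCSP URL published in the CA's
#    Authority Information Access (AIA) extension, otherwise clients still
#    talk to a single responder and gain no fault tolerance.
New-NlbCluster -InterfaceName "LAN" -ClusterName "ocsp.corp.example" `
    -ClusterPrimaryIP 10.0.0.50 -SubnetMask 255.255.255.0 -OperationMode Multicast

# 2. Join the second Array member to the cluster.
Get-NlbCluster | Add-NlbClusterNode -NewNodeName "OCSP02" -NewNodeInterface "LAN"

# 3. Replace the default all-ports rule with one that balances only the
#    HTTP port the Online Responder listens on. No client affinity is needed:
#    every OCSP request is stateless and any Array member can answer it.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80 -EndPort 80 -Protocol TCP -Affinity None

# 4. From a domain client, verify the chain and force retrieval of revocation
#    data from the URLs in the certificate. The output lists each AIA/CDP URL
#    tried and whether the OCSP response or CRL was obtained, so a failing
#    cluster shows up here before users see certificate errors.
certutil -verify -urlfetch C:\temp\issued-cert.cer
```

After the cluster is up, stopping the Online Responder service on one node and re-running step 4 is the practical test that the second node is still answering; if that check fails, the AIA URL in issued certificates most likely points at an individual responder rather than the cluster name.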