What should you run on Server1?

Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Active Directory Certificate Services server role installed and is configured as a standalone
certification authority (CA).
You install a second server named Server2. You install the Online Responder role service on Server2.
You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP) Response
Signing certificate to Server2.
What should you run on Server1?

A.
The certreq.exe command and specify the -policy parameter

B.
The certutil.exe command and specify the -getkey parameter

C.
The certutil.exe command and specify the -setreg parameter

D.
The certreq.exe command and specify the -retrieve parameter

Explanation:
To prepare a computer running Windows Server to issue OCSP Response Signing certificates:
1. On the server hosting the CA, open a command prompt, and type:
   certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5
2. Stop and restart the CA. You can do this at a command prompt by running the following commands:
   net stop certsvc
   net start certsvc
Source: Configure a CA to Support OCSP Responders
https://technet.microsoft.com/en-us/library/cc732526.aspx
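The two steps above, carried out idempotently, as an added PowerShell example that is not from the page or from Microsoft's TechNet article. It assumes an elevated session on the CA host (Server1 in the question) and uses only certutil's -getreg/-setreg and Restart-Service; the registry value name and OID are the ones the explanation quotes. The check-before-set matters because the "+" form appends to the REG_MULTI_SZ, so running the raw command twice leaves a duplicate entry.

```powershell
# Added example (not page or vendor code): enable the OCSP Response Signing
# request extension on a Windows CA and restart the CA service, only if needed.
# Assumes an elevated PowerShell session on the CA host.

$OcspSigningOid = '1.3.6.1.5.5.7.48.1.5'   # id-pkix-ocsp-nocheck, the OID from the explanation

function Test-OcspSigningExtensionEnabled {
    # certutil -getreg prints every entry of the policy module's multi-string list.
    $output = certutil -getreg policy\EnableRequestExtensionList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg failed (elevated session on the CA host?): $output"
    }
    return [bool]($output -match [regex]::Escape($OcspSigningOid))
}

function Enable-OcspSigningExtension {
    if (Test-OcspSigningExtensionEnabled) {
        Write-Output "OID $OcspSigningOid already present in EnableRequestExtensionList; nothing to do."
        return
    }

    # Leading '+' appends to the REG_MULTI_SZ instead of replacing it,
    # exactly as in the TechNet procedure.
    certutil -setreg policy\EnableRequestExtensionList "+$OcspSigningOid" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed with exit code $LASTEXITCODE"
    }

    # Policy module settings are read at service start, so restart certsvc
    # (the PowerShell equivalent of 'net stop certsvc' / 'net start certsvc').
    Restart-Service -Name certsvc -Force
    (Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    if (-not (Test-OcspSigningExtensionEnabled)) {
        throw "OID $OcspSigningOid still missing after restart; inspect the CA's PolicyModules registry key."
    }
    Write-Output "OID $OcspSigningOid enabled; certsvc restarted and setting verified."
}

Enable-OcspSigningExtension
```

After this, the CA will accept requests that carry the OCSP No Revocation Checking extension, which is what an OCSP Response Signing certificate for Server2's Online Responder needs; the restart is required because the CA only reads the policy module list when certsvc starts.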




alexander

correct answer is A

your mama and your papa

Are you okay?

Banes

Given answer is correct and the explanation and quoted TechNet article proves the answer.

alexander

TechNet article says
“To prepare a computer running Windows Server 2003 to issue OCSP Response Signing certificates”
Our server is 2012 R2.
So command in given answer is pointless.

I think that you need to use certreq.exe command and specify the -policy (-policy – sets the policy for a request).
You need to make request with policy to OCSP Sign cert, and if you get response, then your CA can issue them.

Chris

Answer: C

When an application calls CryptoAPI 2.0 to verify a certificate that specifies locations to Online Responders, the revocation infrastructure performs the following basic steps (for each Online Responder specified in the authority information access extension):
Search the local CryptoAPI 2.0 in-memory and disk caches to find a cached OCSP response that has a valid time. The disk cache is located at: :\Users\\AppData\LocalLow\Microsoft\CryptnetUrlCache.

To set a registry value to the current date and time:

certutil -setreg chain\ChainCacheResyncFiletime @now

To set a registry value to the current date and time plus 3 days and 1 hour:

certutil -setreg chain\ChainCacheResyncFiletime @now+3:1

To display a registry value:

certutil -getreg chain\ChainCacheResyncFiletime

To delete a registry value:

certutil -delreg chain\ChainCacheResyncFiletime

https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

Chris

Additional Note: This reg key is not auto created when you setup an Online responder.