Today I’m starting a series of blog posts where I will explore new features we have added to PowerShell PKI module, version 3.7. First post is dedicated to Online Responders.

The biggest part of this release is Microsoft OCSP Server, or Online Responder management feature. In this post, I will show general Online Responder server management features using PowerShell and PSPKI module.

Getting started

All kind of Online Responder management is started with connecting to OCSP server using Connect-OnlineResponder command which accepts only one parameter – OCSP host name. If the command is executed locally on Online Responder, this parameter is not required:

PS C:\> $ocsp = Connect-OnlineResponder -ComputerName hq-s-adcsws2
PS C:\> $ocsp

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\>

Unfortunately, there is no Online Responder autodiscovery functionality (like we have in Enterprise CAs), so you must know the address of at least one Online Responder. However, we can discover other online responders implicitly through array member list.

Managing server properties

Microsoft designed OCSP server oriented to high-availability and scalability and added an Online Responder Array term, which is a pool of OCSP servers that automatically share and replicate revocation configurations within array. At any time, one Online Responder holds the Array Controller role that contains master configuration and replicates it to all array members.

Any revocation configuration setting is replicated and must be set on array controller. Other array members will automatically fetch new settings. If you make such changes on array member which is not array controller, these changes will be overridden from array controller. Server-specific settings described in this blog post *are not* replicated to array members and must be configured individually on each online responder.

We can explore properties of this particular OCSP server:

PS C:\> $ocsp | fl *                                                                                                    

ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 1
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 0
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

We see several properties, such as service status, whether the connected server is array controller, array controller information, array members and some server-specific settings. These properties are not replicated between array members and must be configured on each server separately. In a given example, we see that connected server is not array controller. We can get access to array controller via corresponding property:

PS C:\> $ocsp.ArrayController

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> $ocsp.ArrayController | fl *


ComputerName           : hq-s-adcsws1.sysadmins.lv
IsRunning              : True
IsArrayController      : True
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 1
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 0
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

Property description is provided in API documentation page for OcspResponder class. All properties below ArrayMembers property are writable. We can assign new values either by writing to properties directly, or use Set-OnlineResponderProperty command which specifies what properties we can set. For example, we can allow 5 OCSP request entries in a single OCSP request and limit request size to 2kb to avoid service abuse:

PS C:\> $ocsp | Set-OnlineResponderProperty -MaxRequestEntryCount 5 -MaxRequestSize 2kb | fl *


ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 5
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 2048
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

Using ArrayMembers property, we can get the list of all array members:

PS C:\> $ocsp.ArrayMembers

ComputerName              IsRunning
------------              ---------
hq-s-adcsws1.sysadmins.lv      True
hq-s-adcsws2.sysadmins.lv      True
hq-s-pkix.sysadmins.lv        False
pkix.sysadmins.lv             False


PS C:\>

We see all computer names and service status. In a given case, two array members are offline. We can connect to any online responder using this list.

Adding new array member

We can add existing online responder to online responder array as member using Add-OnlineResponderArrayMember command. Both, existing array controller and new array member must be up and running.

When we add new array member, it is removed from existing array, demoted from array controller role (if necessary) and adds as member in destination array. Add-OnlineResponderArrayMember must be executed against destination array’s controller. All revocation configurations from array controller are replicated to new array member.

For demonstration purposes, I’ve removed “hq-s-adcsws2” server from array to its own array without any revocation configuration:

PS C:\> $NewMember = Connect-OnlineResponder hq-s-adcsws2
PS C:\> $NewMember

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws2.sysadmins.lv}


PS C:\> Connect-OnlineResponder hq-s-adcsws1 | Add-OnlineResponderArrayMember -ArrayMember $NewMember

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> $NewMember | fl *


ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.lv, hq-s-adcsws2.sysadmins.
                         lv}
MaxNumOfRequestEntries : 5
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 2048
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

In the first line, I’ve connected to new member in different array. We can see that server is the only member of array. In next line, I’m connecting to destination array’s controller and call Add-OnlineResponderArrayMember command and specify new member as parameter. After command execution we check new array member for changes – they are in place, it is now a part of new array and has replicated revocation configurations from array controller.

Removing array members

Similar technique we can remove array members from online responder array using Remove-OnlineResponderArrayMember command. We may want to do this in two cases:

  1. Remove discontinued and/or decommissioned online responders
  2. Split existing array into multiple separate arrays

Remove-OnlineResponderArrayMember command can remove only array members, not array controller.

We do extra work when existing array member is removed and it is up and running:

  • it is designated in its own array
  • promoted to array controller
  • all revocation configurations are deleted

Array member to be removed is not required to be online and up. If it is dead, we just remove its reference from existing array.

PS C:\> Connect-OnlineResponder hq-s-adcsws1 | Remove-OnlineResponderArrayMember -ComputerName "hq-s-adcsws2.sysadmins.lv"

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayMembers                                                             
ComputerName              IsRunning
------------              ---------
hq-s-adcsws1.sysadmins.lv      True
hq-s-pkix.sysadmins.lv        False
pkix.sysadmins.lv             False


PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayMembers

ComputerName              IsRunning
------------              ---------
hq-s-adcsws2.sysadmins.lv      True


PS C:\>

as you see, we removed “hq-s-adcsws2” from array where “hq-s-adcsws1” is array controller. By the end of command execution we’ve got two online responder arrays: “hq-s-adcsws1” and “hq-s-adcsws2” as array controllers.

Designating array controller role

And the last piece for today – promoting array member to array controller. The rules are simple: existing array controller is demoted from its role and new array controller is promoted. We try to contact every online responder in array to update this information. Let’s say, we start from initial setup:

PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayController.ComputerName
hq-s-adcsws1.sysadmins.lv
PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayController.ComputerName
hq-s-adcsws1.sysadmins.lv
PS C:\>

we have two running online responders in same array and “hq-s-adcsws1” as array controller. We have plans to decommission this server and promote “hq-s-adcsws2” as array controller. This is done by using Set-OnlineResponderProperty command:

PS C:\> Connect-OnlineResponder hq-s-adcsws2 | Set-OnlineResponderProperty -MakeArrayController

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayController.ComputerName
hq-s-adcsws2.sysadmins.lv
PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayController.ComputerName
hq-s-adcsws2.sysadmins.lv
PS C:\>

We connect to array member being promoted, call Set-OnlineResponderProperty with –MakeArrayController switch and we now have new array controller.

In next blog post, I will show how we can manage online responder revocation configurations.

Stay tuned!

Leave a Comment





This site uses Akismet to reduce spam. Learn how your comment data is processed.