PrepAway - Latest Free Exam Questions & Answers

What should you run on Server1?

Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1
has the Active Directory Certificate Services server role installed and is configured as a
standalone certification authority (CA).
You install a second server named Server2. You install the Online Responder role service
on Server2.
You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP)
Response Signing certificate to Server2.
What should you run on Server1?


A.
The certreq.exe command and specify the -policy parameter

B.
The certutil.exe command and specify the -getkey parameter

C.
The certutil.exe command and specify the -setreg parameter

D.
The certreq.exe command and specify the -retrieve parameter

12 Comments on “What should you run on Server1?”

  1. Aahna says:

    same question but options are different

    A. The certutil.exe command and specify the -setreg parameter
    B. The certreq.exe command and specify the -policy parameter
    C. configure security for OCSP signing certificate template
    D. Configure Issuance Requirements for OCSP signing certificate template

    I don’t know which one is the correct answer in these options... either A or C

  2. Joe says:

    Has anyone else had the same answer combinations that Aahna had? This is the new variation of this question and IMO the correct answer here is “C. Configure security for OCSP signing certificate template”.
    I have read the TechNet articles and this is very confusing. They mention the need to use certutil with the -setreg parameter for those cases in which you are using a 2003 CA server, which is not the case in any of the questions that I have come across.
    Could anybody take a look at this please?

  3. Jason says:

    Should be “certutil.exe -setreg” if the question mentions a stand-alone CA.

    If an enterprise CA is used, no additional configuration is required except for enabling the CA to issue certificates based on the OCSP Response Signing template. If a stand-alone CA is used, the following commands should be used to enable or disable the EDITF_ENABLEOCSPREVNOCHECK flag on the CA.
    To enable the flag, run the following command:
    certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
    To disable the flag, run the following command:
    certutil -v -setreg policy\editflags -EDITF_ENABLEOCSPREVNOCHECK
    After enabling or disabling the flag, the CA should be restarted for the changes to take effect.

  4. MancaMulas says:

    Since we’re talking about a stand-alone CA in the question, the correct answer is C. Even for Aahna’s question with different options, the answer is the same, “The certutil.exe command and specify the -setreg parameter”, since it’s about a stand-alone CA. If we were talking about an enterprise CA, then the answer would be “configure security for OCSP signing certificate template” in Aahna’s options.

    Reference:

    https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

    Configuring the OCSP Response Signing certificate template
    Starting in Windows Server 2008, a new certificate template is added to the available templates in Active Directory Domain Services (AD DS). The new template, named OCSP Response Signing, is a version 3 template preconfigured with the required extensions and attributes listed previously. No modifications are required to the template or to the CA.
    Figure 13 illustrates the flow that determines the behavior of the policy module in Windows Server 2008 when processing a request for the OCSP Response Signing certificate.
    Figure 13: OCSP Response Signing Certificate Request Processing

    The EDITF_ENABLEOCSPREVNOCHECK flag is a new CA registry flag introduced in the Windows Server 2008–based CA. The new flag, which is not enabled by default, allows the CA policy module to issue certificates that include the id-pkix-ocsp-nocheck extension. The new OCSP Response Signing template includes an additional flag as well, named CT_FLAG_ADDREVNOCHECK, which instructs the policy module to add the id-pkix-ocsp-nocheck extension. If either the EDITF_ENABLEOCSPREVNOCHECK flag is enabled or the template includes the CT_FLAG_ADDREVNOCHECK flag, the policy module will search for an OCSP Signing EKU in the request and in the template. If both conditions are met, the policy module will add the id-pkix-ocsp-nocheck extension and will remove the authority information access and CRL distribution point extensions from the certificate. This flow allows the Windows Server 2008–based CA to issue an OCSP Response Signing certificate from an enterprise CA as well as from a stand-alone CA.
    If an enterprise CA is used, no additional configuration is required except for enabling the CA to issue certificates based on the OCSP Response Signing template. If a stand-alone CA is used, the following commands should be used to enable or disable the EDITF_ENABLEOCSPREVNOCHECK flag on the CA.
    To enable the flag, run the following command:
    certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
    To disable the flag, run the following command:
    certutil -v -setreg policy\editflags -EDITF_ENABLEOCSPREVNOCHECK
    After enabling or disabling the flag, the CA should be restarted for the changes to take effect.
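The stand-alone CA procedure that Jason and MancaMulas quote (set the flag, restart the CA) as one idempotent script; this is an added example, not code from PrepAway or from the TechNet article. It assumes an elevated PowerShell session on the CA itself; certutil -getreg/-setreg, certutil -cainfo type and the CertSvc service name are real, while the function names are this example's own.

```powershell
# Added example: enable EDITF_ENABLEOCSPREVNOCHECK on a stand-alone CA and verify it.
# Run elevated on the CA (Server1 in the question). Not taken from the page or TechNet.

function Get-CAEditFlags {
    # certutil decodes the EditFlags DWORD and prints one EDITF_* name per line.
    $out = & certutil.exe -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $out" }
    return @($out | Where-Object { $_ -match 'EDITF_\w+' } |
                    ForEach-Object { $Matches[0] })
}

function Test-StandaloneCA {
    # "certutil -cainfo type" prints a line such as "CA type: Stand-alone Root CA".
    $type = (& certutil.exe -cainfo type 2>&1) -join "`n"
    return ($type -match 'Stand-?alone')
}

function Enable-OcspRevNoCheck {
    if (-not (Test-StandaloneCA)) {
        # Enterprise CA: per the quoted article the flag is not needed; just allow the
        # CA to issue the OCSP Response Signing template (template permissions).
        Write-Host 'Enterprise CA detected; EDITF_ENABLEOCSPREVNOCHECK is not required.'
        return $false
    }
    if ((Get-CAEditFlags) -contains 'EDITF_ENABLEOCSPREVNOCHECK') {
        Write-Host 'Flag already enabled; nothing to do.'
        return $true
    }
    # Same command the article gives for a stand-alone CA (plain hyphens, not en-dashes).
    & certutil.exe -v -setreg policy\EditFlags +EDITF_ENABLEOCSPREVNOCHECK | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed; is this an elevated prompt on the CA?' }

    # The policy module reads EditFlags at start-up, so the CA service must be restarted.
    Restart-Service -Name CertSvc -Force
    (Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    # Re-read the flags so the change is confirmed rather than assumed.
    return ((Get-CAEditFlags) -contains 'EDITF_ENABLEOCSPREVNOCHECK')
}

if (Enable-OcspRevNoCheck) {
    Write-Host 'Server1 can now issue OCSP Response Signing certificates with id-pkix-ocsp-nocheck.'
}
```

Because a certificate carrying id-pkix-ocsp-nocheck is not revocation-checked by clients, keep the responder's signing certificate short-lived and renew it regularly.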
