Windows Server Verify OCSP And Certificates Using PKIVIEW and CERTUTIL VIDEO TUTORIAL

Windows Server 2016 and previous versions gave users the option to set up their own Certificate Authority, and also provided a certificate verification role/service. This video shows how to use pkiview.msc and certutil.exe to check that your corporate or LAN OCSP service is running and that all certificates are OK. It also shows that Windows Server can be used for servers and clients using self-signed certificates, without the need to purchase certificates. Yes, purchasing a certificate does make the task easier and less restrictive, but this method is good too!
Previous videos to watch that were mentioned in the video are: https://youtu.be/lWZIHoAwu2c and https://youtu.be/uMtJgN0prME  
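
The export-and-check steps from the video, as an added PowerShell example that is not part of the original page. It uses `certutil -verify -urlfetch`, which prints its results to the console, in place of the `certutil -URL` dialog shown in the video; the certificate store, the Server Authentication filter and the `C:\cert.cer` path are assumptions.

```powershell
# Added example: command-line version of the export-and-verify steps.
# Assumptions: elevated PowerShell session on a machine whose LocalMachine\My
# store holds a certificate with the Server Authentication EKU;
# C:\cert.cer is an arbitrary output path.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$outFile       = 'C:\cert.cer'

# Pick the first unexpired certificate carrying the Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
    Select-Object -First 1

if (-not $cert) { throw 'No Server Authentication certificate found in LocalMachine\My.' }

# Export the public certificate only (no private key) as a .cer file.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Build the chain and fetch every AIA, CDP and OCSP URL named in the certificate.
$output = certutil.exe -verify -urlfetch $outFile
$exit   = $LASTEXITCODE

# Show the per-URL results and the final revocation verdict
# (pattern assumes English-language certutil output).
$output | Select-String -Pattern 'Certificate AIA|Certificate CDP|Certificate OCSP|Verified|Failed|revocation check'

if ($exit -ne 0) { throw "certutil reported a verification failure (exit code $exit)." }
```

Run it on a client machine as well as on the CA server: a client that cannot resolve the server's name will show the CDP and OCSP fetches failing even when the certificate itself is fine.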
Transcript (machine generated so it contains errors)
1. 00:00:00:00 / 00:00:05:09 - hello a very good day to you in this
2. 00:00:02:85 / 00:00:10:16 - video we are basically going to show you
3. 00:00:05:09 / 00:00:15:38 - how to actually verify that your OCSP
4. 00:00:10:16 / 00:00:19:42 - responder is working how your basic
5. 00:00:15:38 / 00:00:27:26 - certificates that you generate within
6. 00:00:19:42 / 00:00:29:12 - your CA system are valid okay we
7. 00:00:27:26 / 00:00:35:75 - created a couple of videos some time
8. 00:00:29:12 / 00:00:39:10 - back showing how to use your own CA and
9. 00:00:35:75 / 00:00:42:14 - generate self-signed certificates etc
10. 00:00:39:10 / 00:00:46:92 - okay not buying the biggest outside and
11. 00:00:42:14 / 00:00:49:20 - using them internally within your LAN
12. 00:00:46:92 / 00:00:49:98 - environment within your corporate
13. 00:00:49:20 / 00:00:54:84 - environment
14. 00:00:49:97 / 00:00:57:59 - okay let's start off with the very
15. 00:00:54:84 / 00:00:59:87 - basics okay in the description you
16. 00:00:57:60 / 00:01:05:90 - should see links to our previous two
17. 00:00:59:87 / 00:01:09:81 - videos where we created our root CA
18. 00:01:05:90 / 00:01:15:45 - system and then we created certificates
19. 00:01:09:81 / 00:01:19:34 - and we also then VPN so the first thing
20. 00:01:15:45 / 00:01:25:50 - to do is to look at PKI view how do you
21. 00:01:19:34 / 00:01:30:71 - get there very simple PKI view if you
22. 00:01:25:50 / 00:01:33:93 - spell it right pkiview.msc and that will
23. 00:01:30:71 / 00:01:36:68 - bring it in and then you know open up
24. 00:01:33:93 / 00:01:39:57 - this and then as you can see all we have
25. 00:01:36:68 / 00:01:43:01 - over here is what we created from before
26. 00:01:39:56 / 00:01:44:90 - and our certificates are okay if you
27. 00:01:43:01 / 00:01:48:84 - want you can look at them they're all
28. 00:01:44:90 / 00:01:51:86 - happy happy the OCSP locations working
29. 00:01:48:84 / 00:01:58:17 - fine everything's good CA
30. 00:01:51:86 / 00:02:02:51 - certificate is good deltas all good what
31. 00:01:58:17 / 00:02:07:85 - you may also want to do is go over
32. 00:02:02:51 / 00:02:13:68 - here and then type in MMC run that and
33. 00:02:07:85 / 00:02:20:03 - then add in your certificates okay so as
34. 00:02:13:68 / 00:02:27:68 - so basically certificates and computer
35. 00:02:20:03 / 00:02:32:09 - account next finish okay you will see
36. 00:02:27:68 / 00:02:36:95 - that we do have our VPN certificates
37. 00:02:32:09 / 00:02:39:59 - created okay we can choose any one of
38. 00:02:36:95 / 00:02:42:18 - them the server authentication one for
39. 00:02:39:59 / 00:02:51:14 - example and with us right click on that
40. 00:02:42:18 / 00:02:52:79 - and All Tasks Export we'll export it yeah
41. 00:02:51:15 / 00:02:56:54 - we can export with the private key or
42. 00:02:52:79 / 00:02:58:04 - without the private key in this instance
43. 00:02:56:54 / 00:02:59:79 - we'll just do without the private key
44. 00:02:58:04 / 00:03:05:34 - it's very simple straightforward thing
45. 00:02:59:78 / 00:03:11:06 - yeah as a cert and very simply give it
46. 00:03:05:34 / 00:03:16:87 - any name you want we'll give it cert
47. 00:03:11:06 / 00:03:21:56 - nothing special save it to the desktop
48. 00:03:16:87 / 00:03:25:70 - that's fine click finish export was
49. 00:03:21:56 / 00:03:27:59 - successful what we will do and the
50. 00:03:25:70 / 00:03:32:87 - reason why we send it to the desktop
51. 00:03:27:59 / 00:03:37:76 - first and then we're bringing it to the
52. 00:03:32:87 / 00:03:39:65 - C Drive is just for simplicity rather
53. 00:03:37:76 / 00:03:43:68 - than you having to type in a lot in
54. 00:03:39:65 / 00:03:47:45 - PowerShell okay so let's just go to
55. 00:03:43:68 / 00:03:49:73 - PowerShell and all I have to do in this
56. 00:03:47:45 / 00:03:54:59 - case is backslash it brings me into the
57. 00:03:49:73 / 00:04:01:13 - C Drive I can see the cert okay now
58. 00:03:54:59 / 00:04:06:06 - you are using certutil -URL and
59. 00:04:01:13 / 00:04:15:41 - then the file name which is cert.cer
60. 00:04:06:06 / 00:04:18:22 - and as you can see it's a verified
61. 00:04:15:41 / 00:04:18:22 - certificate
62. 00:04:23:18 / 00:04:39:42 - verified under OCSP CRLs also
63. 00:04:31:92 / 00:04:47:77 - verified so as you can see a self-signed
64. 00:04:39:42 / 00:04:50:35 - CA system can run happily on Windows
65. 00:04:47:76 / 00:04:54:06 - server within your internal LAN
66. 00:04:50:35 / 00:04:57:34 - even your external LAN the only few
67. 00:04:54:06 / 00:04:59:37 - restrictions that was actually not
68. 00:04:57:33 / 00:05:03:25 - restrictions just a little bit of extra
69. 00:04:59:37 / 00:05:07:26 - steps is that your root certificate ok
70. 00:05:03:25 / 00:05:12:33 - that you create when you set it up needs
71. 00:05:07:26 / 00:05:16:24 - to be installed on the client computers
72. 00:05:12:33 / 00:05:19:11 - the computer is outside of your internal
73. 00:05:16:24 / 00:05:21:56 - LAN well even if they're inside your LAN
74. 00:05:19:12 / 00:05:24:37 - it still needs to be installed on them
75. 00:05:21:56 / 00:05:31:46 - another issue that needs to be
76. 00:05:24:37 / 00:05:35:31 - considered is basically that those
77. 00:05:31:47 / 00:05:41:67 - client computers that are trying to
78. 00:05:35:31 / 00:05:46:95 - login to your corporate environment
79. 00:05:41:67 / 00:05:50:94 - either you have a public shall we say
80. 00:05:46:95 / 00:05:55:65 - address where DNS is resolvable if
81. 00:05:50:94 / 00:06:00:31 - it's all behind a firewall all internal
82. 00:05:55:66 / 00:06:03:70 - and you have opened up on your firewall
83. 00:06:00:31 / 00:06:07:87 - a certain route in what you will need to
84. 00:06:03:69 / 00:06:12:45 - do is ensure that those client computers
85. 00:06:07:87 / 00:06:18:87 - their dns is able to actually resolve
86. 00:06:12:45 / 00:06:22:01 - this server's address now when we set it
87. 00:06:18:87 / 00:06:27:06 - up we set up with all internal addresses
88. 00:06:22:01 / 00:06:31:26 - 192.168 so you would need to either in
89. 00:06:27:06 / 00:06:33:56 - the host file or something give a route
90. 00:06:31:26 / 00:06:40:08 - back to the
91. 00:06:33:56 / 00:06:43:33 - server that's the way that certificates
92. 00:06:40:08 / 00:06:45:66 - are verified and your entire system of
93. 00:06:43:32 / 00:06:48:93 - work has it's only an extra couple of
94. 00:06:45:66 / 00:06:50:56 - steps however it's quite simple and once
95. 00:06:48:93 / 00:06:54:27 - you've done this you've actually got an
96. 00:06:50:56 / 00:06:56:75 - entire CA system running where you can
97. 00:06:54:27 / 00:07:02:37 - create your own certificates for
98. 00:06:56:75 / 00:07:06:52 - software for your web servers for your
99. 00:07:02:37 / 00:07:10:38 - VPN etc etc for your users clients all
100. 00:07:06:51 / 00:07:14:31 - that so hopefully this video has helped
101. 00:07:10:38 / 00:07:14:31 - and thank you for watching
Visit our YouTube channel: https://www.youtube.com/channel/UCFj1BHYIUYfPWPb1Xn5qFIg