1. Click NO to enable X.509 Certificate, that will show additional options and switch to YES
2. Click Select to upload the Root and Intermediate CA Certificates
3. Enter C:\AW Tools for the path and press ENTER.
4. Click on the combo box and select All Files
5. Select root-corplocal.pem
6. Click Open

Make sure to read the ToolTip in each of the following 9 steps, just pass the mouse over the INFO icon to obtain the ToolTip.

Unified Access Gateway can perform certificate revocation check in two ways, through CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol), and below you will configure to use OCSP and in case it fails, it will use the CRL.

1. Click Yes to Enable Cert Revocation
2. Select Use CRL from Certificate
3. Enter http://controlcenter.corp.local/CertEnroll/corp-CONTROLCENTER-CA.crl for CRL Location
4. Select Enable OCSP Revocation
5. Click Yes for Use CRL in case of OCSP Failure
6. Enter http://controlcenter.corp.local/ocsp for OCSP URL
7. Select Use OCSP URL from certificate
8. Click Save

1. Enter HTTP/[email protected] for Principal Name
2. Click on Select
3. Click on Local Disk (C:) folder
4. Select it.keytab file
5. Click Open
6. Click Save

After hit Save, you should receive a message "Keytab upload is successful".

NOTE: The first Principal Name found on the Keytab file will be used when not provided, if your Keytab contain multiple Principal Names it's recommend that you inform the Principal Name to be used.

Click Add.

1. Enter CORP.LOCAL for Name of the realm
   NOTE - This entry MUST BE IN CAPITAL.  It is advised to copy the value directly or drag and drop it from the VLP Manual for accuracy.
2. Enter corp.local for Key Distribution Centers
3. Enter 3 for KCD Timeout (in seconds)
4. Click Save

After hit Save, you should receive a message "Configuration saved successful".

Realm settings is done.

Click Close.

The OCSP Signing Certificate is available on the Online Responder Management Console and can be export from their, also when the IT administrator installed the Online Responder Management Console from Windows Add/Features and configure, he was requested to create the OCSP Signing Certificate on the CA, so in real world you have here two options to obtain the signing certificate.

For your reference, see below the Online Responder Management Console, which contain the CONTROLCENTER Revocation Configuration and the respective Signing Certificate that you can view and export if needed.

For this exercise the certificate is already available under C:\AW Tools, named ocsp.crt, you won't need to export.

1. Click Add.

1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings
2. Select the Gear icon for Reverse Proxy Settings

Select the Gear icon for the ITBUDGET Reverse Proxy Instance.

1. Click NO to show the Enable Identity Bridging, it will switch to YES after you click
2. Select CERTIFICATE for Authentication Types
3. Select HTTP/[email protected] for Keytab
4. Enter HTTP/[email protected] for Target Service Principal Name
5. Click Save

Confirm the Configuration is saved successfully message is displayed.