Unable to setup OCSP Configuration after Issuing CA certificate renewal

    Question

  • I have just completed the 2-year renewal of our Issuing CA and I went to add the new Revocation Configuration to the OCSP server; however, I get the following error message when selecting the CA certificate from AD.

    The error I get is "The CA certificate could not be retrieved. Element not found. (Exception from HRESULT: 0x80070490)"

    This server is an OCSP endpoint for two issuing CAs, and the first server configuration was set up fine. The two main differences between the two issuing CAs are that:

    1. The issuing CA is configured as a SAN issuing CA.

    2. The server has a 60-character name, which I believe should not be a problem as it is less than the 64 char limit... but it is close.

    Any ideas where to start troubleshooting setting up the new OCSP configuration for the renewed Issuing CA servers?

    Thanks

    Alan Burchill


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Sunday, August 18, 2013 11:00 PM

Answers

All replies

  • More info... So I cracked open ADSI Edit and looked under Configuration > Services > Public Key Services > Enrollment Services, and I have noticed that the Distinguished Name seems to be truncated, with the number -06325 at the end of the CN. This means that the DN does not match the actual DN of the issuing CA. Perhaps this is due to the name of the CA being 60 characters long, which is very close to the 64 char limit...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Sunday, August 18, 2013 11:33 PM
  • Hi,

    Thank you for your question.  

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 

    Thank you for your understanding and support.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    Tuesday, August 20, 2013 5:42 AM
  • Alan, do you have spaces in your name? Remember that a space is three characters (%20). I know from previous experience that 60 characters is too close and the product uses the truncated name.

    That being said, if it worked prior to renewal, it should work after renewal.

    Brian

    Tuesday, August 20, 2013 6:17 AM
  • Yes, it does have spaces in the name, and if you count the %20 in the name it pushes it far over the 64 char limit. Perhaps the additional "(1)" was enough to push it over the limit... where before it was under. Any way to continue troubleshooting this issue?

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Tuesday, August 20, 2013 9:52 AM
  • Hi Alan,

    According to the errors, it seems the renewed CA's cert cannot be reached, so please verify if the renewed CA's cert has been published to the AIA path.


    Best regards, Jason Mei

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, August 20, 2013 12:12 PM
  • Hi,

    Please let me know if there is any update on this issue. I look forward to your reply.


    Best regards, Jason Mei

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Saturday, August 31, 2013 3:22 AM
  • I have logged a job with Microsoft about this (finally) and they have confirmed it's a bug with the Windows 2008 R2 OCSP Server when the Common Name of the issuing certificate server is greater than 51 characters. Apparently the problem is with the way it sanitizes the Common Name of the CA as stored in AD (http://msdn.microsoft.com/en-us/library/cc249826.aspx)... So keep your CA names under 51 characters. No word on when/if a hotfix will be released for this issue.


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Friday, February 14, 2014 2:23 AM
  • On Fri, 14 Feb 2014 02:23:47 +0000, Alan Burchill [MVP] wrote:

    I have logged a job with Microsoft about this (finally) and they have confirmed it's a bug with the Windows 2008 R2 OCSP Server when the Common Name of the issuing certificate server is greater than 51 characters. Apparently the problem is with the way it sanitizes the Common Name of the CA as stored in AD (http://msdn.microsoft.com/en-us/library/cc249826.aspx)... So keep your CA names under 51 characters. No word on when/if a hotfix will be released for this issue.

    There won't be a hotfix for this as this is by design. It has to do with
    being compliant with the relevant RFCs and the way that Active Directory
    deals with common names.


    Paul Adare - FIM CM MVP
    "Now that I think of it, O'Reilly is to a system administrator as a
    shoulder-length latex glove is to a veterinarian." -- Peter da Silva

    Friday, February 14, 2014 2:00 PM
  • So why can't the OCSP server be patched to be able to recognise the truncated Common Name in AD?

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Saturday, February 15, 2014 2:02 AM
  • On Sat, 15 Feb 2014 02:02:07 +0000, Alan Burchill [MVP] wrote:

    So why can't the OCSP server be patched to be able to recognise the truncated Common Name in AD?

    For one thing the name that gets registered in AD is not just truncated, it
    also gets a hash appended to it. And it isn't simply OCSP that needs to be
    able to retrieve that name, there are tons of other applications, services,
    and appliances that rely on being able to access that name.

    "Patching" all of those is simply not realistic and would also make them
    non-compliant with the relevant RFCs. The solution, as you've discovered, is
    to make sure that the name of the CA does not violate the AD naming
    conventions when it comes to the length of the name.


    Paul Adare - FIM CM MVP
    A mathematician is a machine for converting coffee into theorems.
    -- Paul Erdos

    Saturday, February 15, 2014 2:12 AM
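    As an added example (not code from anyone in this thread): a PowerShell check that reads the Enrollment Services objects Alan inspected in ADSI Edit and flags any CA whose AD object name no longer matches the common name in its certificate, which is the condition behind the OCSP error discussed above. It assumes a domain-joined machine with read access to the configuration partition and the standard attributes of pKIEnrollmentService objects; the 51-character threshold is the one Microsoft reported to Alan, not a value the script derives.

```powershell
# Added example: report CAs whose Enrollment Services object name in AD
# was shortened (truncated CN plus "-" and digits) relative to the CA's
# certificate common name. Read-only; nothing is modified.
# Assumption: runs on a domain-joined host that can read the configuration NC.

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext
$esPath    = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$container = [ADSI]$esPath

foreach ($svc in $container.Children) {
    $cn = [string]$svc.Properties["cn"].Value

    # cACertificate is multi-valued after a renewal; inspect the first value
    $der = $svc.Properties["cACertificate"].Value
    if ($der -is [object[]]) { $der = $der[0] }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]]$der)

    # SimpleName returns the subject CN, i.e. the CA's real common name
    $caName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A shortened AD name differs from the CA name and ends in "-" plus digits,
    # as in the "-06325" suffix seen in ADSI Edit in this thread
    $shortened = ($cn -ne $caName) -and ($cn -match '-\d+$')

    [pscustomobject]@{
        ADObjectCN    = $cn
        CACommonName  = $caName
        NameLength    = $caName.Length
        Over51Chars   = ($caName.Length -gt 51)   # threshold reported in this thread
        ShortenedInAD = $shortened
    }
}
```

    Any row with ShortenedInAD set to True identifies a CA whose revocation configuration lookup by AD name can fail as described; the fix options remain those given in the thread (a shorter CA name or the hotfix).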
  • Microsoft has now released a hotfix to address this issue: http://support.microsoft.com/kb/2950080/en-us

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Wednesday, May 14, 2014 2:56 AM