Pkiview shows "unable to download" for OCSP in AIA location

    Question

  • I have configured an OCSP responder for my CA in the AIA extensions, with both the "include in AIA extension" and "include in OCSP extension" options checked.

    If I verify a certificate issued by the CA with

    certutil -url <certfile>

    and then I select "OCSP (from AIA)" and click on "Retrieve", everything looks ok, and the status is verified.

    However, if I open the Pkiview console, I see the OCSP AIA location with status "Unable to download".

    What does this mean, and how could I fix it?

    Thanks,
    Paolo


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 27, 2013 11:53 AM

All replies

  • Hi Paolo,

    have you installed and configured the Online Responder server role as well? Can you access the OCSP URL from a client e.g. by using a web browser?

    If you have further questions please share the information about the operating system you use and the URL you use.

    Regards,

    Lutz

    Tuesday, August 27, 2013 1:43 PM
  • Hi Lutz,

    Yes, I have installed the OCSP, but on another machine.

    As I said, if I check the certificate with certutil, it seems that it can access the OCSP correctly.

    I thought that the OCSP URL was not supposed to be accessible with a browser, isn't that so?

    Thanks,
    Paolo


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 27, 2013 2:22 PM
  • What is your OCSP URL? http://pki.domain.com/ocsp

    You should not use "include in AIA extension ..." because this is reserved to specify the URL for the CA certificate.

    Note, if you make changes to the extensions pkiview.msc will not pick them up right away, it is reading those settings from the CA-Exchange certificate. So revoke that cert and then start pkiview.msc again.

    • Marked as answer by Paolo Tedesco Wednesday, August 28, 2013 11:54 AM
    Tuesday, August 27, 2013 6:39 PM
  • Paolo,

    If certutil -url reports retrieved, then everything is alright.

    You can update the pkiview.msc console by revoking the last issued CA Exchange certificate.

    Then run certutil -cainfo xchg

    This generates a new CA exchange certificate and should report correctly for the OCSP URI.

    That being said, I always trust certutil -url and certutil -verify -urlfetch if they say everything is OK and pkiview does not report success.

    Brian

    Tuesday, August 27, 2013 7:24 PM
  • Hi Brian and Lutz,

    Thanks for your answers.

    I have tried the revocation trick, but nothing changed.
    On the other side, certutil manages to verify the status of the certificate properly, so I guess that's the important thing.

    About including OCSP in the AIA extension, I think that's correct, as clients use AIA extensions to determine OCSP URLs. If I look in one of the certificates issued by the CA, I can only find the OCSP URL in the AIA extension, so probably if I remove that clients will not be able to find it.

    AIA does not necessarily have to include *only* CA certificate distribution points, right?


    Paolo Tedesco - http://cern.ch/idm

    Wednesday, August 28, 2013 8:05 AM
  • Paolo,

    What check boxes do you have enabled for the OCSP URL?

    You should only have the Include in the Online Certificate Status protocol (OCSP) Extension check box enabled. Ensure that you do not have the include in the AIA extension of issued certificates check box enabled as well on the OCSP URL.

    Brian

    Wednesday, August 28, 2013 11:32 AM
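    What the two check boxes actually write into an issued certificate, as an added example that is not from this thread or from Microsoft: the OCSP access method lives inside the same AIA extension as the caIssuers entries (which is why Paolo only found the URL "in the AIA extension"), and ticking both boxes for one URL lists it under both methods, so pkiview then tries to download a CA certificate from the responder. The stdlib-only Python below decodes a DER AIA value and flags that condition; the pki.example URLs, the sample bytes and all function names are constructed for the example.

```python
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
_OID_DER = {OID_OCSP: bytes.fromhex("06082b06010505073001"), OID_CA_ISSUERS: bytes.fromhex("06082b06010505073002")}

def _tlv(tag, value):  # DER tag-length-value, short-form length (constructed samples stay < 128 bytes)
    return bytes([tag, len(value)]) + value

def _read_tlv(data, pos):  # -> (tag, value, next_pos) for the DER element at data[pos]
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):  # first byte packs arcs 1 and 2, remaining arcs are base-128
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for byte in body[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def build_aia(entries):
    """Encode [(accessMethod OID, URI)] as a DER AuthorityInfoAccessSyntax (sample builder)."""
    descs = [_tlv(0x30, _OID_DER[m] + _tlv(0x86, u.encode("ascii"))) for m, u in entries]
    return _tlv(0x30, b"".join(descs))

def parse_aia(der):
    """Decode a DER AuthorityInfoAccessSyntax into [(accessMethod OID, URI or None)]."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)      # AccessDescription
        _, oid, p = _read_tlv(desc, 0)          # accessMethod
        name_tag, name, _ = _read_tlv(desc, p)  # accessLocation; [6] = uniformResourceIdentifier
        out.append((_decode_oid(oid), name.decode("ascii") if name_tag == 0x86 else None))
    return out

def misplaced_ocsp_urls(der):
    """OCSP URLs also listed under caIssuers: pkiview will try to download a CA cert from them."""
    methods = parse_aia(der)
    ocsp = {u for m, u in methods if m == OID_OCSP}
    return sorted(u for m, u in methods if m == OID_CA_ISSUERS and u in ocsp)

SAMPLE_AIA = build_aia([(OID_CA_ISSUERS, "http://pki.example/ca.crt"),  # constructed sample
                        (OID_CA_ISSUERS, "http://pki.example/ocsp"),    # OCSP URL wrongly under caIssuers
                        (OID_OCSP, "http://pki.example/ocsp")])         # and correctly under id-ad-ocsp
```

    On a real certificate, feed the raw value of the extension with OID 1.3.6.1.5.5.7.1.1 to parse_aia; an empty result from misplaced_ocsp_urls is the configuration Brian describes.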
  • Hi Brian,

    My fault, I should have checked this: http://social.technet.microsoft.com/wiki/contents/articles/3475.errata-in-windows-server-2008-pki-and-certificate-security-from-ms-press.aspx

    Thanks again for your help, everything in pkiview is ok now.

    Cheers,

    Paolo


    Paolo Tedesco - http://cern.ch/idm

    Wednesday, August 28, 2013 11:54 AM