OCSP Location #1 Error

Answers

  • Sometimes it is due to a stale CA Exchange certificate

    1) Revoke your latest CA Exchange certificate

    2) Open an Administrative command prompt

    3) Run certutil -cainfo xchg

    4) Go back to PKIView and see if the status is OK

    Brian

    Tuesday, January 17, 2012 1:25 PM
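Brian's four steps can be driven from one elevated PowerShell session. The script below is an added example, not Brian's or Microsoft's code. It assumes it runs on the issuing CA, that `certutil -cainfo xchg` prints the current CA Exchange certificate as a dump containing a `Serial Number:` line (an assumption about certutil's output format), and that the CA mints a fresh exchange certificate once the previous one is revoked, which is the behaviour the steps above rely on.

```powershell
# Added example (not from the thread): revoke the current CA Exchange
# certificate and have the CA mint a fresh one, then re-check in PKIView.

function Test-IsElevated {
    # Step 2 of the answer: certutil -revoke needs an administrative session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CaExchangeSerial {
    # "certutil -cainfo xchg" returns the CA's current exchange certificate,
    # issuing a new one if no valid one exists. The "Serial Number:" line is
    # an assumption about the dump format.
    $dump = certutil -cainfo xchg 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -cainfo xchg failed:`n$dump" }
    $m = [regex]::Match($dump, 'Serial Number:\s*([0-9a-fA-F]+)')
    if (-not $m.Success) { throw "No 'Serial Number:' line found in certutil output (assumed format)." }
    return $m.Groups[1].Value
}

if (-not (Test-IsElevated)) { throw "Run this from an elevated (Administrator) session." }

$old = Get-CaExchangeSerial
Write-Host "Current CA Exchange certificate serial: $old"

# Step 1: revoke the latest CA Exchange certificate. Reason 4 = Superseded.
certutil -revoke $old 4 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Revocation of $old failed." }

# Step 3: ask the CA for its exchange certificate again; with the previous one
# revoked it returns a newly issued one.
$new = Get-CaExchangeSerial
if ($new -eq $old) { throw "CA still returned the revoked CA Exchange certificate $old." }
Write-Host "New CA Exchange certificate serial: $new"

# Step 4: confirm from the console.
Write-Host "Refresh PKIView (pkiview.msc) and check that 'OCSP Location #1' now reports OK."
```

The serial-number comparison is the check worth keeping: if the CA hands back the same serial after the revocation, the revocation did not take and PKIView will keep showing the error.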

All replies

  • I will check that out. Also, are there any requirements for the website name for the OCSP Responder? I was just using a CNAME record pointing to the server itself. Does the name need to be http://ServerFQDN/ocsp?
    Tuesday, January 17, 2012 4:09 PM
  • Revoking and reissuing the CAExchange certificate resolved the same issue for me. Just figured I would put it out there for people like me that like confirmation when mod sets the answer for a thread instead of the original poster.

    Friday, June 14, 2013 8:07 PM
  • CNAME is fine. I typically deploy an array of two or more OCSP servers behind a load balancer and use ocsp.example.com on the load balancer.

    Brian

    Saturday, June 15, 2013 2:08 PM
  • BACKGROUND: I have a 2-tier Windows 2008 R2 PKI (Root CA (offline) & 2 Issuing CAs). I have also installed the OCSP role on both Issuing CAs. The OCSP service is load balanced (F5 LB), VIP (http://ocsp.xxx.xx/ocsp). I have added the VIP address to both of the issuing CAs' AIA extension and enabled "include OCSP extension".

    PROBLEM: When I perform an OCSP test via the (certutil -url xxxx.cer) command on a certificate issued from CA2, I get a positive OCSP check, "Verified". However, when I do the same test from CA1, the OCSP response I get back is "unsuccessful". Using PKIView.msc, CA2 shows "OCSP Location #1" as OK and CA1 shows "OCSP Location #1" as Error.

    Any help is welcome!

    RG

    Thursday, May 08, 2014 8:10 PM
  • In order for this to work, both OCSPs must have an OCSP signing certificate from EACH CA. So that means the OCSP on CA1 needs a signing certificate from CA1 and CA2. The OCSP on CA2 also needs a signing certificate from CA1 and CA2.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Friday, May 09, 2014 6:37 AM
  • Mark- Thank you very much for your help- Resolved my issue!
    Saturday, May 10, 2014 7:09 PM
  • I have a 2-tier Windows 2012 R2 PKI setup with an offline Root CA and 2 Issuing CAs. I've also installed the OCSP role on both Issuing CAs. And also, the OCSP service is load balanced, using the Windows NLB feature (this is a prototype setup; in production it will be an F5 LB). The virtual IP uses the address (http://pki.xxx.xx/ocsp) and this address has been added to the AIA extension of both issuing CAs with 'include in OCSP extension' enabled.

    I've read your response to RG. I don't see a way to add a second OCSP signing cert to each CA, simply because there's only one shared revocation configuration for both members of the Online Responder array. The closest I can get to a second OCSP cert was to reconfigure the revocation configuration a few times so that an OCSP cert from each CA had been issued, and to configure the current revocation configuration on the signing tab to use any valid OCSP signing certificate. Maybe this is different on the Windows 2008 server?

    The Online Responder is configured with both CAs and all is green.

    The problem appears when I use the PKIView tool. When I run the tool on CA1, I see both CA1 & CA2. CA1 is fine; however, on CA2 the OCSP location has the status of 'Error'. Using "certutil -url CAx.crt", both CA1 & CA2 return "unsuccessful" retrieving the OCSP.

    Tuesday, August 05, 2014 10:07 PM
  • Robert, re your question: "I don't see a way to add a second OCSP signing cert to each CA, simply because there's only one shared revocation configuration for both members of the Online Responder array."

    If you use an OCSP Responder (or Array) with two CAs you need two distinct Revocation Configurations - one for each CA. So each member of the array enrolls for a certificate from either CA.

    If it is an array both of these configurations show up on both members.

    You don't reconfigure an existing config. with a certificate issued by the other CA (that's how I understood your comment). But when you create each configuration an OCSP Signing certificate from the proper CA is requested - the CA whose certificate you picked when creating that configuration.

    You say The Online Responder is configured with both CAs and all is green.

    It is important that there are "two green check marks", one for each configuration.

    Actually, it is one configuration per key used by a CA, so if these two CAs are ever renewed with new keys you need to create two new configurations, and 4 distinct configs should be visible, replicated to both members.

    Edit: One more clarification on the signing cert: When you replicate the config. in the array and you configured Autoenrollment the second member will enroll for its individual OCSP Signing Certificates.

    (Edited by Elke Stangl, Tuesday, August 05, 2014 10:35 PM: more details on signing cert "replication")
    Tuesday, August 05, 2014 10:32 PM
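The rule in Mark's and Elke's replies (one revocation configuration per issuing-CA certificate, each one answering with a signing certificate issued by that CA) can be audited on an array member with the script below. It is an added example, not code from either poster or from Microsoft. It uses the CertAdm.OCSPAdmin COM interface that ships with the Online Responder role; the script name, the parameter names and the exported CA certificate paths in `$ExpectedCaCertFiles` are constructed for this example, and it assumes it runs with administrative rights on the responder.

```powershell
# Added example (not from the thread): list an Online Responder's revocation
# configurations and check that every issuing-CA certificate (each CA key,
# renewals included) has its own configuration whose signing certificate
# was issued by that CA and carries the OCSP Signing EKU.
param(
    [string]$ResponderName = $env:COMPUTERNAME,
    # Exported issuing-CA certificates the responder should answer for.
    # Constructed paths; replace with your own exports.
    [string[]]$ExpectedCaCertFiles = @('C:\PKI\CA1.cer', 'C:\PKI\CA2.cer')
)

$X509Type       = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning

function ConvertTo-Cert([byte[]]$Bytes) {
    New-Object -TypeName $X509Type -ArgumentList (,$Bytes)
}

function Test-OcspSigningEku($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $OcspSigningEku) { return $true }
            }
        }
    }
    return $false
}

# 1. Read the revocation configurations replicated to this array member.
$admin = New-Object -ComObject CertAdm.OCSPAdmin
$admin.GetConfiguration($ResponderName, $true)

$configs = @()
foreach ($cfg in $admin.OCSPCAConfigurationCollection) {
    $caCert  = ConvertTo-Cert ([byte[]]$cfg.CACertificate)
    $signing = $null
    if ($cfg.SigningCertificate) { $signing = ConvertTo-Cert ([byte[]]$cfg.SigningCertificate) }

    # Healthy = no error reported by the responder, a signing certificate is
    # present, it has the OCSP Signing EKU, and it was issued by the CA this
    # configuration answers for (Mark's "signing certificate from EACH CA").
    $healthy = [bool](($cfg.ErrorCode -eq 0) -and $signing -and
                      (Test-OcspSigningEku $signing) -and
                      ($signing.Issuer -eq $caCert.Subject))

    $configs += New-Object PSObject -Property @{
        Name          = $cfg.Identifier
        CaSubject     = $caCert.Subject
        CaThumbprint  = $caCert.Thumbprint
        SigningIssuer = $(if ($signing) { $signing.Issuer } else { '<none>' })
        ErrorCode     = $cfg.ErrorCode
        Healthy       = $healthy
    }
}

# 2. Elke's rule: one configuration per CA certificate (per CA key). Match on
#    thumbprint so a renewed CA key shows up as a missing configuration.
foreach ($file in $ExpectedCaCertFiles) {
    $expected = New-Object -TypeName $X509Type -ArgumentList $file
    $match = $configs | Where-Object { $_.CaThumbprint -eq $expected.Thumbprint }
    if (-not $match) {
        Write-Warning "No revocation configuration covers $($expected.Subject) (thumbprint $($expected.Thumbprint))."
    }
}

$configs | Format-Table Name, CaSubject, SigningIssuer, ErrorCode, Healthy -AutoSize
$configs | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning "Configuration '$($_.Name)': ErrorCode=$($_.ErrorCode), signing cert issuer '$($_.SigningIssuer)' does not satisfy CA '$($_.CaSubject)'."
}
```

Run it on each array member (for example `.\Test-OcspConfig.ps1 -ResponderName ocsp01`), since autoenrollment gives every member its own signing certificates and a configuration can be green on one member and broken on another. A configuration whose signing certificate was issued by the other CA, the situation Robert described, shows up here as `Healthy = False` with a mismatched `SigningIssuer`, which is exactly what PKIView reports as "OCSP Location #1 Error" for that CA.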