OCSP Location #1 Error

Answers

  • Sometimes it is due to a stale CA Exchange certificate

    1) Revoke your latest CA Exchange certificate

    2) Open an Administrative command prompt

    3) Run certutil -cainfo xchg

    4) Go back to PKIView and see if the status is OK

    Brian

    Tuesday, January 17, 2012 1:25 PM

All replies

  • I will check that out. Also, are there any requirements for the website name for the OCSP Responder? I was just using a CNAME record pointing to the server itself. Does the name need to be http://ServerFQDN/ocsp ?
    Tuesday, January 17, 2012 4:09 PM
  • Revoking and reissuing the CAExchange certificate resolved the same issue for me. Just figured I would put it out there for people like me that like confirmation when mod sets the answer for a thread instead of the original poster.

    Friday, June 14, 2013 8:07 PM
  • CNAME is fine. I typically deploy an array of two or more OCSP servers behind a load balancer and use ocsp.example.com on the load balancer.

    Brian

    Saturday, June 15, 2013 2:08 PM
  • BACKGROUND: I have a 2-tier Windows 2008 R2 PKI (Root CA (offline) & 2 Issuing CAs). I have also installed the OCSP role on both Issuing CAs. The OCSP service is load balanced (F5 LB), VIP (http://ocsp.xxx.xx/ocsp). I have added the VIP address to both of the issuing CAs' AIA extension and enabled "include OCSP extension".

    PROBLEM: When I perform an OCSP test via the (certutil -url xxxx.cer) command from a certificate issued from CA2, I get a positive OCSP check "Verified". However, when I do the same test from CA1, the OCSP response I get back is "unsuccessful". Using PKIView.msc, CA2 shows "OCSP Location #1" as OK and CA1 shows "OCSP Location #1" as Error.

    Any help is welcome!

    RG

    Thursday, May 08, 2014 8:10 PM
  • In order for this to work, both OCSPs must have an OCSP signing certificate from EACH CA. So that means the OCSP on CA1 needs a signing certificate from CA1 and CA2. The OCSP on CA2 also needs a signing certificate from CA1 and CA2.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Friday, May 09, 2014 6:37 AM
  • Mark- Thank you very much for your help- Resolved my issue!
    Saturday, May 10, 2014 7:09 PM
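
Added example (not from the thread and not Microsoft's tooling): a POSIX sh script that queries each responder node directly, bypassing the load balancer, with one certificate from each issuing CA, so the node/CA pair missing a working signing certificate stands out. It uses the OpenSSL ocsp command; the node URLs, file names and the CA_BUNDLE variable are placeholders, and certificates are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example: per-node, per-CA OCSP check for a load-balanced responder array.
# All host names and file names are placeholders, not values from the thread.

# Map the text printed by "openssl ocsp" to a single status word.
classify_ocsp() {
    case "$1" in
        # Signature on the response did not chain to CA_BUNDLE (wrong signing cert).
        *"Response Verify Failure"*)        echo "BAD_SIGNATURE" ;;
        # Assumption: a node with no revocation configuration for the
        # issuing CA answers with the OCSP status "unauthorized".
        *"Responder Error: unauthorized"*)  echo "UNAUTHORIZED" ;;
        *"Responder Error:"*)               echo "RESPONDER_ERROR" ;;
        *": good"*)                         echo "GOOD" ;;
        *": revoked"*)                      echo "REVOKED" ;;
        *": unknown"*)                      echo "UNKNOWN" ;;
        *)                                  echo "NO_RESPONSE" ;;
    esac
}

# usage: check_node <node-url> <issuer.pem> <leaf.pem>
check_node() {
    out=$(openssl ocsp -issuer "$2" -cert "$3" -url "$1" -no_nonce \
          -CAfile "${CA_BUNDLE:-ca-bundle.pem}" -timeout 10 2>&1)
    classify_ocsp "$out"
}

# usage: check_matrix "<node-url> <node-url> ..." <issuer.pem:leaf.pem> ...
# Prints one line per node/CA pair; every line should read GOOD.
check_matrix() {
    nodes=$1; shift
    for node in $nodes; do
        for pair in "$@"; do
            status=$(check_node "$node" "${pair%%:*}" "${pair#*:}")
            printf '%-36s %-16s %s\n' "$node" "${pair%%:*}" "$status"
        done
    done
}

# Runs only when arguments are given, for example:
#   sh ocsp-matrix.sh "http://node1.example.test/ocsp http://node2.example.test/ocsp" \
#       ca1.pem:leaf-from-ca1.pem ca2.pem:leaf-from-ca2.pem
if [ "$#" -gt 0 ]; then
    check_matrix "$@"
fi
```

A row other than GOOD names the responder node and issuing CA to look at; certificates exported from Windows in DER form need converting to PEM first.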