OCSP Error when trying to verify certificate from other domain computers
-
Friday, December 07, 2012 7:12 AM
Hi,
Currently, I'm using a 2-tiered Windows PKI with the offline standalone CA on Windows 2012 servers. OCSP is being used to verify CA certificates. pkiview.exe gives no errors on the Enterprise CA.
An SSL cert has been issued on the Enterprise CA and then saved to a shared folder.
Running
certutil -verify -urlfetch ssl.cer
gives no errors from the Enterprise CA.
However, running the above from another domain PC gives the following error
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
The part that is in error from the certutil output is
---------------- Certificate OCSP ----------------
Unsuccessful "OCSP" Time: 0
[0.0] http://OVERWATCHD.labs.clearpixels.co.nz/ocsp
--------------------------------
The 2 firewall inbound rules for OCSP, D-Com In and RPC-In, have also been added.
Are there some additional permissions that must be set here?
Cheers,
Sean
- Edited by Sean llmt Friday, December 07, 2012 7:19 AM add some more details
All Replies
-
Friday, December 07, 2012 1:41 PM
The OCSP server uses neither RPC nor DCOM for OCSP requests and responses; it uses the HTTP protocol.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
- Marked As Answer by K_evin Zhu, Microsoft Contingent Staff, Moderator Tuesday, December 11, 2012 6:44 AM
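An added example, not part of the thread and not written by either poster: a PowerShell check to run on the failing domain PC that tests the path the answer points to, HTTP to the responder URL shown in the certutil output. The function name Test-OcspHttpPath is hypothetical, and treating an HTTP reply of any status as "reachable" is an assumption of this example.

```powershell
# Added example. Run on the client that reports 0x80092013, not on the CA.
function Test-OcspHttpPath {
    param(
        # Responder URL as printed under "Certificate OCSP" by certutil.
        [Parameter(Mandatory)][uri]$OcspUrl
    )

    $result = [ordered]@{
        Url = $OcspUrl.AbsoluteUri; Resolved = $false
        TcpOpen = $false; HttpAnswered = $false; Detail = ''
    }

    # 1. Can this client resolve the responder's host name?
    try {
        [void][System.Net.Dns]::GetHostAddresses($OcspUrl.Host)
        $result.Resolved = $true
    } catch {
        $result.Detail = "DNS lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Is the HTTP port open from here? ([uri] yields port 80 for http://)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($OcspUrl.Host, $OcspUrl.Port)
        $result.TcpOpen = $true
    } catch {
        $result.Detail = "TCP $($OcspUrl.Port) blocked or closed: $($_.Exception.Message)"
        return [pscustomobject]$result
    } finally {
        $tcp.Close()
    }

    # 3. Does a web server answer at the URL? An error status still proves
    #    the HTTP path works; no response at all means it does not.
    try {
        $r = Invoke-WebRequest -Uri $OcspUrl -UseBasicParsing -TimeoutSec 10
        $result.HttpAnswered = $true
        $result.Detail = "HTTP $([int]$r.StatusCode)"
    } catch {
        if ($_.Exception.Response) {
            $result.HttpAnswered = $true
            $result.Detail = "HTTP $([int]$_.Exception.Response.StatusCode)"
        } else {
            $result.Detail = "No HTTP response: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

Test-OcspHttpPath -OcspUrl 'http://OVERWATCHD.labs.clearpixels.co.nz/ocsp'
```

If TcpOpen is False, the inbound rule to look at on the responder is the one for its HTTP port, not the DCOM or RPC rules; once all three checks pass, rerun certutil -verify -urlfetch ssl.cer on the same PC.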

