Thursday, December 27, 2012 2:28 PM
I set up 3 CAs (not MS CA); the key pairs are generated on an HSM.
I followed the instructions at http://www.forum.persianadmins.ir/showthread.php?t=12375
The issue does not happen 100% of the time, but when I reboot the OCSP service, the Revocation Configuration Status says “Bad Signing on Array Controller”.
To recover from this status, I need to run “Assign a signing certificate”, which I ran during the setup phase.
For troubleshooting,
first I suspected the HSM, so I enabled the HSM library logs, but they did not include any errors, and the 3 key pairs were found.
Next, I checked the CAPI2 event log, but it also did not report any errors.
So only the OCSP responder application says “Bad Signing on Array Controller”.
As I mentioned, I can recover by running “Assign a signing certificate” again, but I am a bit uncomfortable not understanding the reason.
Could you advise why the OCSP responder application says “Bad Signing on Array Controller” when I reboot the OCSP service?
Thursday, December 27, 2012 6:35 PM
You may have to set up a dependency between the OCSP service (ocspsvc) and your HSM's service.
What is probably happening is that the OCSP service is starting prior to the HSM's service and cannot access the private key.
Try running sc config ocspsvc depend= "HSMServiceName"
This has worked for my customers.
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, December 31, 2012 6:50 AM
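The dependency change suggested in the answer above, as an added PowerShell example that is not part of the original thread. `HSMServiceName` is the answer's placeholder, the `-Apply` switch and parameter names are hypothetical, and the script assumes the OCSP service has no load-order-group dependencies; it keeps existing dependencies because `sc config ... depend=` overwrites the whole list.

```powershell
# Added example, not from the thread. 'HSMServiceName' is the placeholder used in
# the answer above; replace it with the real service name of your HSM client.
param(
    [string]$OcspService = 'ocspsvc',
    [string]$HsmService  = 'HSMServiceName',   # placeholder (assumption)
    [switch]$Apply                             # hypothetical switch: write the change
)

# Fail early if either service does not exist on this machine.
$ocsp = Get-Service -Name $OcspService -ErrorAction Stop
$null = Get-Service -Name $HsmService  -ErrorAction Stop

# Current dependencies of the OCSP service (service names, not display names).
$current = @($ocsp.ServicesDependedOn | ForEach-Object { $_.Name })
Write-Host "Current dependencies of ${OcspService}: $($current -join ', ')"

if ($current -contains $HsmService) {
    Write-Host "$OcspService already depends on $HsmService; nothing to do."
    return
}

# 'sc config depend=' replaces the whole list, so keep the existing entries
# and append the HSM service. Multiple names are separated by '/'.
$newList = @($current + $HsmService) -join '/'
Write-Host "New dependency list: $newList"

if ($Apply) {
    # sc.exe requires the space after 'depend='. Run from an elevated prompt.
    & sc.exe config $OcspService depend= $newList
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }
    # Show the stored configuration so the change can be confirmed.
    & sc.exe qc $OcspService
} else {
    Write-Host "Dry run only. Re-run with -Apply to write the change."
}
```

If `Get-Service` cannot find the HSM service name, the script stops before changing anything.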
Monday, December 31, 2012 6:50 AM Moderator
Hi,
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Monday, December 31, 2012 11:07 AM
Hi Brian, Kevin,
Thanks for the update. I am working with the HSM support team. So far we have found there is no HSM service.
Could you advise me whether it is possible to enable an OCSP application debug log other than Windows Event Viewer?
Monday, December 31, 2012 11:17 AM
Ummm. Every HSM has a service.
What type of HSM are you running?
Thursday, January 03, 2013 4:38 AM
I am using the SafeNet HSM below