Bad Signing on Array Controller was shown when reboot OCSP service


  • Thursday, December 27, 2012 2:28 PM
     
     

    Hi Experts

    I set up 3 CAs (not MS CA); the key pairs are generated on the HSM.

    I followed the instructions at http://www.forum.persianadmins.ir/showthread.php?t=12375

    The issue does not happen 100% of the time, but when I reboot the OCSP service, the Revocation Configuration Status says “Bad Signing on Array Controller”.

    To recover from this status, I need to run “Assign a signing certificate”, which I ran during the setup phase.

    For troubleshooting:

    First, I doubted the HSM, so I enabled the HSM library logs, but they did not include any error, and showed it finding the 3 key pairs.

    Next, I checked the CAPI2 event log, but it also did not report any error.

    So only the OCSP responder application says “Bad Signing on Array Controller”.

    As I mentioned, I could recover by running “Assign a signing certificate” again, but I am a bit uncomfortable not understanding the reason.

    Could you advise why the OCSP responder application says “Bad Signing on Array Controller” when I reboot the OCSP service?

    Regards

    Y

All Replies

  • Thursday, December 27, 2012 6:35 PM
     
     Answered

    You may have to set up a dependency between the OCSP service (ocspsvc) and your HSM's service.

    What is probably happening is that the OCSP service is starting prior to the HSM's service and cannot access the private key.

    Try running sc config ocspsvc depend= "HSMServiceName"

    This has worked for my customers

    Brian
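
The dependency change suggested in the answer above, as an added PowerShell example that is not part of the original thread. `sc config ... depend=` replaces the service's whole dependency list, so this version merges the HSM service into whatever `ocspsvc` already depends on; `HSMServiceName` is the answer's placeholder, and the script assumes an elevated prompt.

```powershell
# Added example, not from the thread.
$ocsp = 'ocspsvc'
$hsm  = 'HSMServiceName'   # placeholder from the answer; replace with the real service name

# Fail early if the named HSM service does not exist on this machine.
if (-not (Get-Service -Name $hsm -ErrorAction SilentlyContinue)) {
    throw "Service '$hsm' not found; list candidates with Get-Service."
}

# Current dependencies of the OCSP service (may be empty).
$current = @((Get-Service -Name $ocsp).ServicesDependedOn |
             ForEach-Object { $_.ServiceName })

# Merge and de-duplicate; sc.exe expects multiple dependencies separated by '/'.
$merged     = @(($current + $hsm) | Where-Object { $_ } | Select-Object -Unique)
$dependList = $merged -join '/'

# Call sc.exe explicitly: in Windows PowerShell, 'sc' is an alias for Set-Content.
# 'depend=' and the list are passed as separate arguments, which sc.exe requires.
& sc.exe config $ocsp depend= $dependList
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe config failed with exit code $LASTEXITCODE"
}

# Show the stored configuration so the DEPENDENCIES field can be checked.
& sc.exe qc $ocsp
```

The dependency only controls start order, so it takes effect the next time the services start.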

  • Monday, December 31, 2012 6:50 AM
    Moderator
     
     
    Hi,
     
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
      
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
      
    Best Regards
      
    Kevin
  • Monday, December 31, 2012 11:07 AM
     
     

    Hi Brian, Kevin

    Thanks for the update. I am working with the HSM support team. So far we found there is no HSM service.

    Could you advise me whether it is possible to enable an OCSP application debug log other than Windows Event Viewer?

    Regards


  • Monday, December 31, 2012 11:17 AM
     
     

    Ummm. Every HSM has a service.

    What type of HSM are you running?

    Brian

  • Thursday, January 03, 2013 4:38 AM
     
     

    I am using the SafeNet HSM below:

    http://www.google.co.jp/url?sa=t&rct=j&q=protect%20server%20internal%20express&source=web&cd=1&ved=0CDMQFjAA&url=http%3A%2F%2Fwww.safenet-inc.com%2FWorkArea%2FDownloadAsset.aspx%3Fid%3D8589947282%26LangType%3D2057&ei=DAvlUOLiBMnLlAXP4ICQAQ&usg=AFQjCNEIdhazlFN6juoWn-rypWjwVmUnBg&bvm=bv.1355325884,d.dGI

    Regards

    Y