OCSP Location Error PKI

  • Question

  • Hi, I have got a problem with PKI on Windows Server 2008 R2.

    I created a lab with Windows Server 2008 R2 (Active Directory, DNS, Root CA), disabled the internal firewall, and applied full Windows Update with SP1.

    On the PKI tab I see: AIA - status OK, CDP - status OK, OCSP - Error - http://catest.contoso.com/ocsp

    In the AIA settings I have http://<serverDNSName>/ocsp with only the options "Include AIA" and "include OCSP".

    I ran certutil with these switches:

    Certutil -verify -urlfetch hydra.cer

     -------------------------------------
    Verified "Delta CRL (05)" Time: 0
    [0.0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

    Verified "Base CRL (05)" Time: 0
    [1.0] http://catest.contoso.com/CertEnroll/rootca.crl

    Verified "Delta CRL (05)" Time: 0
    [1.0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

    ----------------  Base CRL CDP  ----------------
    OK "Delta CRL (01)" Time: 0
    [0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

    ----------------  Certificate OCSP  ----------------
    Failed "OCSP" Time: 0
    Error retrieving URL: Error 0x801901f4 (-2145844748)
    http://catest.contoso.com/ocsp


    --------------------------------

    This problem is also described at

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/10060ec2-d783-4ce9-b0f7-d6142dbb420a

    Please help


    Wednesday, March 2, 2011 7:32 AM

Answers

  • Hi,

    I tried it on production systems and everything works :)

    I again followed, step by step, the great manual:

    http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx

    I think I forgot one setting in my lab:

    Regardless, you will have to give permissions on the private key of the OCSP Signing Certificate to the Network Service account, since that is the identity under which the service runs. If you are using the OCSP with a Windows Server 2008 Enterprise CA, in the Request Handling tab of a Version 3 Certificate Template there is the option to Add Read permissions to Network Service on the private key. This option is enabled by default on the OCSP Response Signing template.

    Thanks for all the help

    • Marked as answer by A GG Thursday, March 3, 2011 1:12 PM
    Thursday, March 3, 2011 1:11 PM
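
The accepted answer above points at the private-key ACL of the OCSP Response Signing certificate. As an added example that is not part of the thread, the following PowerShell script checks the same thing from the command line on the responder and can grant the missing right with -Grant (the MMC "Manage Private Keys..." dialog makes the same change). It assumes an elevated PowerShell 2.0 session on the Online Responder, a machine key held by a Microsoft CSP or KSP (so the key file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys or %ProgramData%\Microsoft\Crypto\Keys), and that `certutil -store My <thumbprint>` prints the "Unique container name:" line; the function names are the author's own.

```powershell
# Added example, not code from the thread: confirm that NT AUTHORITY\NETWORK SERVICE (the
# identity the Online Responder service, OcspSvc, runs as) has Read access to the private
# key file of every OCSP Response Signing certificate in LocalMachine\My; -Grant fixes it.
# Assumptions: elevated session on the responder; key file is under one of $keyDirs; the
# unique container name is taken from 'certutil -store My <thumbprint>' output.

$ocspSigningEku = '1.3.6.1.5.5.7.3.9'          # id-kp-OCSPSigning
$networkService = 'NT AUTHORITY\NETWORK SERVICE'
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),   # CAPI (CSP) machine keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')               # CNG (KSP) machine keys
)

function Get-OcspSigningCertificate {
    # Certificates in the machine store that carry the OCSP Signing EKU and have a private key.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $cert.HasPrivateKey -and $eku -and
            ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ocspSigningEku })
    }
}

function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # certutil prints "Unique container name: <file name>" for keys held by a Microsoft provider.
    $container = $null
    foreach ($line in (certutil -store My $Cert.Thumbprint)) {
        if ($line -match 'Unique container name:\s*(\S+)') { $container = $Matches[1]; break }
    }
    if (-not $container) { return $null }
    foreach ($dir in $keyDirs) {
        $path = Join-Path $dir $container
        if (Test-Path $path) { return $path }
    }
    return $null
}

function Test-NetworkServiceKeyAccess([switch]$Grant) {
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    foreach ($cert in (Get-OcspSigningCertificate)) {
        $keyFile = Get-PrivateKeyFile $cert
        if (-not $keyFile) { Write-Warning "No key file found for $($cert.Thumbprint)"; continue }
        $acl = Get-Acl -Path $keyFile
        # An Allow ACE for NETWORK SERVICE whose rights include every bit of FileSystemRights.Read.
        $allowed = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $networkService -and
            (([int]$_.FileSystemRights) -band $read) -eq $read
        }
        if ($allowed) {
            Write-Output "OK    $($cert.Subject): $networkService can read $keyFile"
        } elseif ($Grant) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($networkService, 'Read', 'Allow')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $keyFile -AclObject $acl
            Write-Output "FIXED $($cert.Subject): granted Read on $keyFile; restarting OcspSvc"
            Restart-Service OcspSvc
        } else {
            Write-Output "FAIL  $($cert.Subject): $networkService lacks Read on $keyFile (re-run with -Grant)"
        }
    }
}

Test-NetworkServiceKeyAccess
```

After granting the right, the Online Responder snap-in should show the signing certificate as OK without the revocation-provider error; if the key was enrolled from a template with "Add Read permissions to Network Service on the private key" already enabled, the script reports OK for every certificate and changes nothing.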

All replies

  • What does the Online Responder MMC say? Does it say that OCSP is working?

    In that case, close pkiview.msc, revoke the CA's "CA Exchange" certificates, publish new CRLs and try to open pkiview.msc again.


    // Fredrik "DXter" Jonsson - http://www.poweradmin.se
    Wednesday, March 2, 2011 8:08 AM
  • Hi,

    The Online Responder says:

    Signing certificate: OK

    Revocation Provider Status:
    Type: Microsoft CRL-based revocation status provider
    The revocation provider failed with the current configuration. The data is invalid. 0x8007000d (WIN32: 13), 0x8007000d

    Revocation Configuration / Revocation Provider Properties:
    http://catest.contoso.com/CertEnroll/rootca.crl
    ldap:///CN=rootca,CN=CAtest,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    In that case, close pkiview.msc, revoke the CA's "CA Exchange" certificates, publish new CRLs and try to open pkiview.msc again.
    I did that; when I revoke the CA Exchange certificate and refresh, it comes back.

    But I still see the OCSP location error in Enterprise PKI:

    Certutil -verify -urlfetch exchange.cer

    Issuer:
        CN=rootca
        DC=contoso
        DC=com
    Subject:
        CN=rootca-Xchg
        DC=contoso
        DC=com
    Cert Serial Number: 61481f7000000000000a

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 22 Hours, 26 Minutes, 38 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 22 Hours, 26 Minutes, 38 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=rootca, DC=contoso, DC=com
      NotBefore: 3/2/2011 9:16 AM
      NotAfter: 3/9/2011 9:26 AM
      Subject: CN=rootca-Xchg, DC=contoso, DC=com
      Serial: 61481f7000000000000a
      Template: CAExchange
      Template: CA Exchange
      e9 b3 5a f2 a1 f3 3e cc 96 06 b1 1d 44 7e 8d 4a af d7 a6 e4
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=rootca,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://catest.contoso.com/CertEnroll/catest.contoso.com_rootca.crt

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (05)" Time: 0
        [0.0] ldap:///CN=rootca,CN=CAtest,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Delta CRL (05)" Time: 0
        [0.0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

      Verified "Base CRL (07)" Time: 0
        [1.0] http://catest.contoso.com/CertEnroll/rootca.crl

      Verified "Delta CRL (07)" Time: 0
        [1.0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (01)" Time: 0
        [0.0] http://catest.contoso.com/CertEnroll/rootca+.crl

      ----------------  Certificate OCSP  ----------------
      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest.contoso.com/ocsp

      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest.contoso.com/ocsp

      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest/ocsp


      --------------------------------
        CRL 05:
        Issuer: CN=rootca, DC=contoso, DC=com
        fc 73 91 96 a6 32 5d 17 83 8d c6 c6 c3 e9 81 26 35 12 74 26
        Delta CRL 01:
        Issuer: CN=rootca, DC=contoso, DC=com
        6a b8 01 03 f6 ae e1 48 45 5a a1 e4 1c 67 f6 6b f0 c6 5b c5
      Application[0] = 1.3.6.1.4.1.311.21.5 Private Key Archival

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=rootca, DC=contoso, DC=com
      NotBefore: 3/1/2011 11:02 AM
      NotAfter: 3/1/2031 11:12 AM
      Subject: CN=rootca, DC=contoso, DC=com
      Serial: 3918baa25d7ed9884e5a6f89384b654f
      Template: CA
      7f 93 91 69 9a 20 be 91 23 b2 3f 2b d8 f0 50 56 0c 29 56 41
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      11 7d 7a 14 6f d4 75 97 02 ac 37 61 f2 e0 56 ff 1b 7a 6d dc
    Full chain:
      25 0b 1c 06 46 e0 16 7d bc 52 03 cd 31 ec 9b 5d cb 81 0a 5d
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.4.1.311.21.5 Private Key Archival
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Wednesday, March 2, 2011 8:32 AM
  • You should get a new CA Exchange certificate after you open pkiview.msc if you have revoked the old CA Exchange certificate(s) and published new CRLs.

    It looks like you have multiple OCSP responders in your AIA configuration. Are they really correct?


    // Fredrik "DXter" Jonsson - http://www.poweradmin.se
    Wednesday, March 2, 2011 8:55 AM
  • You should get a new CA Exchange certificate after you open pkiview.msc if you have revoked the old CA Exchange certificate(s) and published new CRLs.

    Yes, it works, the new CA Exchange certificate is issued.

    In the AIA specification I added:

    http://<serverDNSName>/ocsp - with only the options Include AIA and include OCSP
    http://catest.contoso.com/ocsp - with only the options Include AIA and include OCSP
    http://catest/ocsp - with only the options Include AIA and include OCSP

    The IIS site is the Default Web Site.

    ------------  Certificate OCSP  ----------------
      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest.contoso.com/ocsp

      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest.contoso.com/ocsp

      Failed "OCSP" Time: 0
        Error retrieving URL: Error 0x801901f4 (-2145844748)
        http://catest/ocsp



    Wednesday, March 2, 2011 9:04 AM
  • This is the log from the IIS site:

    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0
    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca+.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 304 0 0 0
    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca+.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 304 0 0 0
    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 POST /ocsp - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0
    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 POST /ocsp - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 15
    2011-03-02 08:29:23 fe80::91ad:8bb0:a17c:ae89%10 POST /ocsp - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 31
    2011-03-02 08:31:30 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0
    2011-03-02 08:31:34 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca+.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0
    2011-03-02 08:36:39 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0
    2011-03-02 08:36:43 fe80::91ad:8bb0:a17c:ae89%10 GET /CertEnroll/rootca+.crl - 80 - fe80::91ad:8bb0:a17c:ae89%10 Microsoft-CryptoAPI/6.1 200 0 0 0

    Wednesday, March 2, 2011 9:06 AM
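
The `Failed "OCSP"` lines above report 0x801901f4, which is the HRESULT form of an HTTP status (0x80190000 + 0x1F4 = 500), i.e. the responder answered the POST with 500 Internal Server Error, while the IIS log shows `POST /ocsp` returning 200 a few minutes earlier. To see the exchange directly rather than through CryptoAPI's cache, here is an added example, not code from the thread, that builds a minimal unsigned OCSP request (RFC 6960, SHA-1 CertID) for one certificate, POSTs it, and reports both the raw HTTP status and the OCSP responseStatus. It is written for PowerShell 2.0 / .NET 3.5 as found on Windows Server 2008 R2 (no Invoke-WebRequest); it assumes the CA uses an RSA key, and the local file paths at the end are placeholders (the CA certificate is the one published under /CertEnroll on the lab server).

```powershell
# Added example, not code from the thread: hand-built OCSP request over HTTP POST.
# Assumptions: RSA issuer key; PowerShell 2.0 / .NET 3.5; file paths below are placeholders.

function New-DerTlv([byte]$Tag, [byte[]]$Value) {
    # One DER TLV: tag, definite-form length (up to 65535 bytes), value. Returns a byte[].
    if ($null -eq $Value) { $Value = [byte[]]@() }
    $len = $Value.Length
    if ($len -lt 0x80)      { $lenBytes = [byte[]]@($len) }
    elseif ($len -lt 0x100) { $lenBytes = [byte[]]@(0x81, $len) }
    else                    { $lenBytes = [byte[]]@(0x82, [math]::Floor($len / 256), ($len -band 0xFF)) }
    return ,([byte[]]([byte[]]@($Tag) + $lenBytes + $Value))   # leading comma keeps the array intact
}

function New-OcspRequest(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Issuer) {
    $sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
    # CertID.issuerNameHash: SHA-1 over the DER issuer Name exactly as it appears in the certificate.
    $nameHash = $sha1.ComputeHash($Cert.IssuerName.RawData)
    # CertID.issuerKeyHash: SHA-1 over the issuer's subjectPublicKey BIT STRING contents;
    # for RSA that is the DER RSAPublicKey, which EncodedKeyValue.RawData holds.
    $keyHash = $sha1.ComputeHash($Issuer.PublicKey.EncodedKeyValue.RawData)
    # CertID.serialNumber: .NET gives little-endian bytes; DER INTEGER is big-endian, minimal, positive.
    $serial = $Cert.GetSerialNumber()
    [Array]::Reverse($serial)
    while ($serial.Length -gt 1 -and $serial[0] -eq 0 -and ($serial[1] -band 0x80) -eq 0) {
        $serial = [byte[]]$serial[1..($serial.Length - 1)]
    }
    if (($serial[0] -band 0x80) -ne 0) { $serial = [byte[]](@([byte]0) + $serial) }

    # AlgorithmIdentifier { sha1 (1.3.14.3.2.26), NULL }
    $sha1Alg = New-DerTlv 0x30 ((New-DerTlv 0x06 ([byte[]](0x2B,0x0E,0x03,0x02,0x1A))) + (New-DerTlv 0x05 $null))
    $certId  = New-DerTlv 0x30 ($sha1Alg + (New-DerTlv 0x04 $nameHash) + (New-DerTlv 0x04 $keyHash) + (New-DerTlv 0x02 $serial))
    $request = New-DerTlv 0x30 $certId                       # Request ::= SEQUENCE { reqCert CertID }
    $tbs     = New-DerTlv 0x30 (New-DerTlv 0x30 $request)    # TBSRequest { requestList SEQUENCE OF Request }
    return ,(New-DerTlv 0x30 $tbs)                           # OCSPRequest { tbsRequest } (no optionalSignature)
}

function Send-OcspRequest([byte[]]$Request, [string]$Url) {
    $names = @{ 0 = 'successful'; 1 = 'malformedRequest'; 2 = 'internalError'; 3 = 'tryLater'; 5 = 'sigRequired'; 6 = 'unauthorized' }
    $client = New-Object System.Net.WebClient
    $client.Headers['Content-Type'] = 'application/ocsp-request'
    $body = $null; $ocspStatus = $null
    try {
        $body = $client.UploadData($Url, 'POST', $Request)
        $httpStatus = 200
    } catch {
        # .NET exceptions arrive wrapped; locate the WebException and read the HTTP status from it.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $httpStatus = [int]$ex.Response.StatusCode
    }
    if ($body) {
        # OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
        $i = if ($body[1] -lt 0x80) { 2 } else { 2 + ($body[1] - 0x80) }   # skip outer tag + length
        if ($body[$i] -eq 0x0A -and $body[$i + 1] -eq 1) { $ocspStatus = [int]$body[$i + 2] }
    }
    New-Object PSObject -Property @{
        Url = $Url; HttpStatus = $httpStatus; OcspStatus = $ocspStatus
        OcspStatusName = $(if ($null -ne $ocspStatus) { $names[$ocspStatus] } else { '(no OCSP response body)' })
    }
}

# Placeholder paths (assumed): the certificate from the thread and the CA certificate as published under /CertEnroll.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\lab\hydra.cer'
$issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\lab\catest.contoso.com_rootca.crt'
Send-OcspRequest -Request (New-OcspRequest $cert $issuer) -Url 'http://catest.contoso.com/ocsp' | Format-List
```

A healthy responder returns HttpStatus 200 with OcspStatus 0 (successful); HttpStatus 500 matches the 0x801901f4 seen by certutil and points at the responder itself (service identity, signing key, or revocation provider) rather than at the URL, while 200 with OcspStatus 6 (unauthorized) usually means the responder has no revocation configuration for that issuer. Each run is a fresh POST, so the result can be matched line by line against the IIS log.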
  • It looks like you have missed the Delta CRL information in the OCSP revocation provider settings. Instead of LDAP, try setting HTTP URLs for both the Base and Delta CRL.


    http://en-us.sysadmins.lv
    Wednesday, March 2, 2011 4:38 PM
  • Hi, I added to Revocation Configuration/Revocation Providers/Settings:

    I see ldap:///CN=rootca,CN=CAtest,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    I added:
    base CRL: http://catest.contoso.com/CertEnroll/rootca.crl
    delta CRL: http://catest.contoso.com/CertEnroll/rootca+.crl

    Certutil -verify -urlfetch ocsp.cer:

    Issuer:
        CN=rootca
        DC=contoso
        DC=com
    Subject:
        CN=catest.contoso.com
    Cert Serial Number: 15048ab600000000000c

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
      Issuer: CN=rootca, DC=contoso, DC=com
      NotBefore: 3/3/2011 9:21 AM
      NotAfter: 3/17/2011 9:21 AM
      Subject: CN=catest.contoso.com
      Serial: 15048ab600000000000c
      SubjectAltName: DNS Name=catest.contoso.com
      Template: OCSP Response Signing Template
      3c 3f 4f bc bf 5a 80 28 4d d2 70 ba c3 df ee 25 8b 4c c0 11
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
      Application[0] = 1.3.6.1.5.5.7.3.9 OCSP Signing

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=rootca, DC=contoso, DC=com
      NotBefore: 3/1/2011 11:02 AM
      NotAfter: 3/1/2031 11:12 AM
      Subject: CN=rootca, DC=contoso, DC=com
      Serial: 3918baa25d7ed9884e5a6f89384b654f
      Template: CA
      7f 93 91 69 9a 20 be 91 23 b2 3f 2b d8 f0 50 56 0c 29 56 41
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      3c 3f 4f bc bf 5a 80 28 4d d2 70 ba c3 df ee 25 8b 4c c0 11
    Full chain:
      8c be e2 ce 62 92 9e 23 e2 98 d3 4a d9 b0 b2 b1 54 2b 32 44
      Issuer: CN=rootca, DC=contoso, DC=com
      NotBefore: 3/3/2011 9:21 AM
      NotAfter: 3/17/2011 9:21 AM
      Subject: CN=catest.contoso.com
      Serial: 15048ab600000000000c
      SubjectAltName: DNS Name=catest.contoso.com
      Template: OCSP Response Signing Template
      3c 3f 4f bc bf 5a 80 28 4d d2 70 ba c3 df ee 25 8b 4c c0 11
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.

    I don't have any idea why it doesn't work :/
    Is anyone working with OCSP on Windows 2008 R2?

    Thursday, March 3, 2011 8:44 AM
  • This is the correct output for an OCSP signing certificate, because it MUST NOT contain CDP/AIA extensions.

    Just to confirm: does Network Service have Read permissions on the OCSP certificate's private key?


    http://en-us.sysadmins.lv
    Thursday, March 3, 2011 9:50 AM