OCSP good on 1 server, bad on another

  • Question

    • I have 2 Online Responders installed on 2 issuing CAs.  I also have an offline Root CA.
    • Online responder on Issuing CA1 is the Online Responder Array Controller
    • Issuing CA2 has the Online Responder installed, but (I assume) controlled by the Array Controller.

    In the Enterprise PKI:

    • CA2 and Root CA - Everything works except the OCSP Location #1 and OCSP Location #2
    • CA1 is golden, everything is working perfectly even the OCSP location #1 and #2 (exact same URL path as CA2 and Root CA)

    Why is OCSP working for 1 CA but not the others?

    Thanks!

    Monday, August 27, 2012 9:26 PM

Answers

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    I understand that OCSP location is working properly on Issuing CA1 which is the Online Responder Array Controller but not working on CA2 and Root CA.

    The problem can be related to the Responder Array setting. 

    Here is an article which might be useful to you during the troubleshooting:

    Online Responder Installation, Configuration, and Troubleshooting Guide

    http://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

    Also please check the information in the thread below to see whether it can help:

    OCSP Location Error PKI

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/0466a65a-b118-4758-8c87-0ba25f060df3/

    Regards

    Kevin

    TechNet Subscriber Support

    • Edited by 朱鸿文 Tuesday, August 28, 2012 2:13 AM
    • Marked as answer by TE2011 Tuesday, August 28, 2012 5:29 PM
    Tuesday, August 28, 2012 2:12 AM

All replies

  • I replaced my OCSP templates with 2008 v3 templates and granted the NETWORK SERVICE read access to the certificate in the template.

    After waiting an hour or so, both CAs showed OK for both on-line responders.

    Thanks for the help Kevin!

    Tuesday, August 28, 2012 5:33 PM
  • Glad to hear that the problem was resolved. :) Thanks for sharing your experience.

    Regards

    Kevin
    Wednesday, August 29, 2012 2:29 AM