ocsp unsuccessful

  • Question

  • Currently, I'm using a 2-tiered Windows PKI with the offline standalone CA on Windows 2012 servers. OCSP is being used to verify CA certificates. pkiview.exe gives no errors on the Enterprise CA.

    An SSL cert has been issued on the Enterprise CA and then saved to a shared folder. This OCSP check is working fine from the server under the associated AD. But it's failing from other servers, both Windows and Linux.

    ---------------- Certificate OCSP ----------------
     Unsuccessful "OCSP" Time: 0
       [0.0] http://testserver.com/ocsp

     --------------------------------
     Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    -url http://testserver.com/ocsp
    Error querying OCSP responder
    47287200207400:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found


    Monday, October 17, 2016 12:54 PM

All replies

  • I would suspect firewall rules or something else are preventing machines other than the OCSP server from being able to reach port 80 to query OCSP.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Proposed as answer by Amy Wang_ Saturday, October 22, 2016 11:09 AM
    • Marked as answer by Amy Wang_ Tuesday, November 1, 2016 12:51 PM
    Monday, October 17, 2016 2:04 PM
  • Hello,

    Port 80 and 443 are opened in the firewall; do we require any other port? You can see that we are getting 404, which means we are able to communicate with the server :( I believe. Is there any permission required to allow public connection?

    Monday, October 17, 2016 2:58 PM
  • All OCSP queries are performed as anonymous on port 80. You can check the website authentication to ensure you are not requiring authentication.

    Mark B. Cooper

    Monday, October 17, 2016 3:50 PM
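The replies above separate several different reasons an OCSP lookup can fail: the responder's port is blocked, the site demands authentication (OCSP clients query anonymously), or the host answers but serves nothing at the AIA path (the HTTP 404 in the question). The script below is an added example, not code from the thread or from any of the posters. It parses the `Code=404,Reason=Not Found` line that `openssl ocsp` printed in the question, probes a responder URL with an empty POST carrying the OCSP content type, and maps the outcome to one of those failure modes. The URL is the placeholder from the question, and the status-code mapping is my own assumption about what each HTTP outcome most likely means; a responder that is actually serving the path will typically reject the empty probe with a 4xx other than 404, so the definitive check remains `openssl ocsp` or `certutil -url` with the real certificate.

```python
"""Triage an OCSP responder URL against the failure modes discussed in the thread.

Added example (not from the thread). Distinguishes:
  NO_CONNECTION    - TCP connect failed: firewall, routing or DNS (port 80/443 blocked)
  AUTH_REQUIRED    - site demands credentials; OCSP clients query anonymously
  PATH_NOT_SERVED  - host answers HTTP but nothing is served at the /ocsp path (404)
  REQUEST_REJECTED - path is served; it rejected the empty probe, retry with a real request
  RESPONDER_OK     - a DER OCSP response came back
"""
import re
import socket
import http.client
from urllib.parse import urlparse

# Constructed copy of the error line openssl ocsp printed in the question.
SAMPLE_OPENSSL_ERROR = (
    "47287200207400:error:27076072:OCSP routines:PARSE_HTTP_LINE1:"
    "server response error:ocsp_ht.c:255:Code=404,Reason=Not Found"
)

# Placeholder responder URL taken from the question; substitute your own AIA OCSP URL.
PLACEHOLDER_URL = "http://testserver.com/ocsp"

_CODE_RE = re.compile(r"Code=(\d{3}),Reason=(.*)$")


def parse_openssl_http_error(line):
    """Extract (status, reason) from an openssl 'server response error' line, or None."""
    m = _CODE_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


def classify(status, content_type=""):
    """Map the HTTP outcome of a probe to a failure mode (mapping is an assumption)."""
    if status is None:
        return "NO_CONNECTION"
    if status in (401, 403, 407):
        return "AUTH_REQUIRED"
    if status == 404:
        return "PATH_NOT_SERVED"
    if status == 200 and content_type.lower().startswith("application/ocsp-response"):
        return "RESPONDER_OK"
    if status in (400, 405, 415):
        return "REQUEST_REJECTED"
    return "UNEXPECTED"


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds (gaierror is an OSError too)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(url, timeout=5.0):
    """POST an empty body with the OCSP content type; return (status, content_type).

    status is None when the TCP connection itself fails, so firewall problems
    are reported separately from HTTP-level answers such as 404.
    """
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    if not tcp_reachable(u.hostname, port, timeout):
        return None, ""
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, port, timeout=timeout)
    try:
        conn.request("POST", u.path or "/", body=b"",
                     headers={"Content-Type": "application/ocsp-request",
                              "Content-Length": "0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Type", "") or ""
    except OSError:
        return None, ""
    finally:
        conn.close()


def diagnose_url(url):
    """Probe a responder URL and return the failure-mode label."""
    status, ctype = probe(url)
    return classify(status, ctype)


if __name__ == "__main__":
    import sys
    # 1) what the thread's openssl error line tells us without any network access
    status, reason = parse_openssl_http_error(SAMPLE_OPENSSL_ERROR)
    print(f"openssl reported {status} {reason} -> {classify(status)}")
    # 2) live probe of the URL given on the command line (or the placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_URL
    print(f"{target} -> {diagnose_url(target)}")
```

Run it from the machine that is failing (the Linux host or the server in the other domain), not from the responder itself, so that the result reflects the path the real clients take.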
  • Hello,

    The website is running as anonymous and we opened a Microsoft Premium support case, but they are saying AD trust is required to use OCSP between two domains :( I really don't understand this concept; if that is the case, how can I use these OCSP-based certificates in a Linux environment?

    Monday, October 17, 2016 6:48 PM
  • What do you mean "between two domains"? As long as the clients performing the OCSP query against the OCSP server trust the PKI (where the OCSP certificate was issued from), that is all that matters. Trust has no bearing on OCSP.

    Mark B. Cooper

    Monday, October 17, 2016 6:50 PM
  • Hello

    We have two domains: the OCSP servers are hosted under the 1st domain (abc.com) and the clients are under the 2nd domain (test.com). Also we have standalone Linux servers and devices acting as clients. In this case, can we use the Microsoft OCSP responder or do I need to think of any other solution?

    Thanks for your update

    Monday, October 17, 2016 7:11 PM
  • As I mentioned, as long as the clients trust your root CA, which they would need to do anyway to use a cert, they will trust your OCSP server. Domain has no bearing. OCSP has no connection to AD or LDAP.

    Mark B. Cooper

    • Proposed as answer by Amy Wang_ Saturday, October 22, 2016 11:09 AM
    • Marked as answer by Amy Wang_ Tuesday, November 1, 2016 12:51 PM
    Monday, October 17, 2016 7:15 PM
  • Thanks for the update. We already imported the root and issuing certificates to the trust store; still it's failing :( I am not sure why Microsoft Support is asking for an AD/LDAP connection/trust :(

    Monday, October 17, 2016 7:21 PM
  • Unfortunately that doesn't surprise me. You may need to ask for an escalation with a call back.

    Mark B. Cooper

    Monday, October 17, 2016 7:22 PM
  • Hi,

    Kindly let us know if there's any progress with MS.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, October 22, 2016 11:10 AM