Failing OCSP location

  • Question

  • Hello,

    I have CS running on Win2008 R2.

    I have enabled the AIA HTTP location to be included in the OCSP extension of certificates, which added a new OCSP location to PKIView. However, it fails with "error". When tracing with IIS, it shows that it attempts to retrieve the URL twice, and both times it fails:

    1. The first time it attempts to retrieve the URL using the GET method, but instead of only getting the URL, it appends /<base64encodedbinarydata>, and thus fails with 404
    2. The second time it attempts to retrieve the URL using the POST method, this time with the correct URL, but the POST method is not allowed on /CertEnroll, and thus fails with 405

    What is going on here? Why does it append some kind of binary data to url?
    Monday, February 8, 2010 2:31 PM

Answers

  • You cannot test OCSP by loading the URL in a browser (you will always get a 500 error)
    You need to test it by doing the following:
    1) export a certificate that has the OCSP URL in the AIA extension
    2) at an Admin command prompt, run certutil -url CertFile.crt
    3) In the Retrieve box, select OCSP (from AIA) and then click Retrieve
    4) ensure that the Status is OK.

    This does a proper submission of an OCSP request and response from the responder.
    Brian
    • Proposed as answer by Brian Komar [MVP] Monday, February 22, 2010 12:10 AM
    • Marked as answer by Tim Quan Friday, February 26, 2010 10:40 AM
    Monday, February 22, 2010 12:10 AM

All replies

  • You need to look in the OCSP Responder Management console.
    1) When you look at the revocation configuration, does it report an OK status?
    2) Can you refresh the revocation information?
    3) Sometimes, I have found that generating a new CA Exchange certificate works (at the CA, run certutil -cainfo xchg)

    Monday, February 8, 2010 3:30 PM
  • I got it working. I think it was caused by the OCSP virtual directory in IIS requiring SSL, and me only adding an HTTP link to the AIA.

    But now I have another issue - I generated two useless CA certificates during debugging. Now I have loads of files in CertEnroll dir. How do I delete unneeded CA certificates?
    Monday, February 8, 2010 4:54 PM
  • AIA might also fail because of the SSL requirement.
    Monday, February 8, 2010 6:01 PM
  • You cannot use SSL to protect:
    1) HTTP or LDAP URLs in the CDP extension
    2) HTTP or LDAP URLs in the AIA extension
    3) OCSP Responder URLs
    Brian
    Tuesday, February 9, 2010 1:35 AM
  • Yea, I was just saying that some of the services you can have on your CA server might set the default IIS website to require SSL, and thus make CDP/AIA/OCSP URLs fail :)
    Tuesday, February 9, 2010 6:12 PM
  • > Yea, I was just saying that some of the services you can have on your CA server might set the default IIS website to require SSL, and thus make CDP/AIA/OCSP URLs fail

    This is why I always create separate web sites for PKI stuff: one for CRL/CRT files, a second for the OCSP responder (or combine OCSP with CRL/CRT), and a third for CEP/CES services. Usually services enable the HTTPS requirement for the default web site (you should avoid using the Default Web Site).
    http://www.sysadmins.lv
    Tuesday, February 9, 2010 8:40 PM
  • What's the easiest way to move those PKI services to a separate website? Knowing that by default the role mechanism creates them on the default website :(
    Wednesday, February 10, 2010 9:28 AM
  • I do it manually (by editing applicationhost.config file). Unfortunately there is no standard mechanism to do it :(
    http://www.sysadmins.lv
    Wednesday, February 10, 2010 8:58 PM
  • Thanks for posting a follow-up. I have a similar issue, but it states the AIA location is unable to download, and I also get a page 500 error with the OCSP virtual folder empty. I will see if I can get it working with this extra bit of information.


    David,

    Did you ever figure out why the OCSP virtual folder is empty? I am having the same issue and pulling my hair out over it. I've triple-checked my config, uninstalled/reinstalled OCSP a bunch of times... can't figure it out.

    SSL is not required in IIS. But that shouldn't matter anyway because the 500 error seems to be caused by the OCSP folder being blank/empty.

    Thanks,
    Frank
    Sunday, February 21, 2010 8:28 PM
  • Hello all,

    Does anybody know if there is any way to actually publish a CDP to an SSL site? I would like my client to access the CRL over SSL rather than HTTP. Can it be done, or is this not in the nature of a CRL?

    Many thanks
    Tuesday, March 16, 2010 6:38 PM
  • > Does anybody know if there is any way to actually publish a CDP to an SSL site

    You don't want to do it. CRLs must be published to unsecured HTTP locations and never to SSL-secured locations.
    http://www.sysadmins.lv
    Tuesday, March 16, 2010 6:47 PM