Hello,
I have an incorrect config in my OCSP responder. I have a 2 tier PKI environment with Windows 2012 offline root CA and an enterprise 2012 issuing CA. I'm following the guide here to configure OCSP:
http://www.tech-coffee.net/public-key-infrastructure-part-8-ocsp-responder/
I've configured the OCSP role as mentioned, but hit an error during configuration - "Bad Signing Certificate" which I manually managed to get around by enrolling for the OCSP cert manually, changing my template configuration and rebooting. I've
configured the OCSP template as follows:
- validity 2 years
- compatibility 2012 (as the issuing CA and recipient CA is Windows 2012), I'm not sure if I need to choose XP/2003 for my older clients - I'm not planning on installing any OCSP roles on 2003, but I do have 2003 clients that use AD CS
- Added a computer group to the template with read, enroll and auto enroll permissions ("pki servers")
Currently certutil -url mycert.cer works as it shows a healthy OCSP AIA retrieval.
The OCSP management console on my enterprise CA shows as healthy.
PKI.view shows an error against OCSP
If I revoke a certificate and refresh it in the website browser the certificate does not immediately show as invalid - should it?
With OCSP is there caching that goes on/needs clearing and do I need to publish a new CRL for revoked certs?
Is it OK to use a custom certificate template with OCSP?
See screenshots below
Thanks
IT Support/Everything
