OCSP configuration not working

  • Question

  • Hi,

I am running two CAs, one is the root CA (running Windows 2008 Standard), and the other is the issuing CA (running Windows 2008 Enterprise).

I am following the PKI installation in Brian Komar's book, and when completing the issuing CA config, I added the OCSP location (http://<dnsserverfqdn>/ocsp) to the post installation config script which added the line into the AIA section. I only selected the "include in the online certificate status protocol extension" option.

    I then installed the ocsp role, and selected to issue the OCSP Response signing certificate template(gave the issuing server read and enroll security permission). This then sits in the certificate templates hive of the certificate authority.

    I ran certutil -setreg ca\UseDefinedCACertInRequest 1, restarted CS

    Next on the online responder - left the web proxy settings and security as default and changed the audit settings.

Created a Revocation Configuration by using: on the CA Certificate Location page, Select a Certificate for an existing CA; on the Choose CA Certificate page, selected Browse CA by name, which appears and I selected it; on the Select Signing Certificate page I selected Auto-enroll, and the certificate authority was correct, certificate template I chose OCSPResponseSigning. Installation then finishes.

    When I then open the online responder, it says OCSP Revocation Config 1: Bad signing certificate on Array Controller

Revocation Configuration says Automatically enrolled, and is using the OCSPResponseSigning template. I can view the certificate details and path says OK. If I click on Properties, then the Signing tab, it says Hash algorithm: "Bad signing certificate"

    Array configuration says Online

Under the server name it says Signing Certificate: The data necessary to complete this operation is not yet available (Exception from HRESULT: 0x80000000A)

    I have tried rebooting, and revoking the issuing CA certificate, but OCSP is still not working.

    I have also tried starting again by removing the OCSP line from the AIA url, rebooting and adding it in manually, but still not working.

Has anyone seen this problem before? When I installed it in a lab, it worked. I did use SHA-256 for the root and issuing CA hash algorithm that time, but went for SHA1 this time since some devices we are using do not support SHA-256.

    Any help getting this working would be much appreciated

    Thanks

    Jaz

    Wednesday, October 3, 2012 5:37 PM

Answers

  • 1) You have probably included the "include in issued certificates" option (value 2) in the AIA entry. If you use the registry editor, ensure that the value is 32, not 34.

    2) To test OCSP, you cannot use a browser or IIS Manager. You should validate a certificate issued with the OCSP URL in the AIA extension, and run certutil -url certfilename. This command will allow you to test download of all AIA and CDP extensions and to send a properly formatted OCSP request, with the certificate's serial number included, to the OCSP responder and validate the response.

    Brian

    • Marked as answer by JazK Friday, October 5, 2012 1:47 PM
    Friday, October 5, 2012 1:18 PM
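Brian's first point turns on the flag bits in the CA's publication URL entries. As an added illustration (not from the thread and not a Microsoft tool), the Python below parses CACertPublicationURLs-style "flags:URL" entries, decodes the bits and reports an OCSP URL carrying value 34 (32 + 2) instead of 32; the hostnames and the entry list are constructed, and the bit meanings follow the documented CACertPublicationURLs flags.

```python
import re

# Flag bits of a CACertPublicationURLs entry (the "N:" prefix before the URL).
CSURL_SERVERPUBLISH = 0x01   # CA publishes its own certificate to this location
CSURL_ADDTOCERTCDP = 0x02    # include as caIssuers in the AIA extension of issued certs
CSURL_ADDTOCERTOCSP = 0x20   # include as the OCSP entry in the AIA extension of issued certs

FLAG_NAMES = {
    CSURL_SERVERPUBLISH: "ServerPublish",
    CSURL_ADDTOCERTCDP: "AddToCertAIA",
    CSURL_ADDTOCERTOCSP: "AddToCertOCSP",
}

# Constructed sample: the third entry reproduces the misconfiguration (34 instead of 32).
SAMPLE_ENTRIES = [
    "1:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%1_%3%4.crt",
    "2:http://pki.example.test/CertEnroll/%1_%3%4.crt",
    "34:http://ocsp.example.test/ocsp",
]

def parse_entry(entry):
    """Split a 'flags:url' entry into (flags as int, url)."""
    m = re.fullmatch(r"(\d+):(.+)", entry.strip())
    if not m:
        raise ValueError(f"malformed publication entry: {entry!r}")
    return int(m.group(1)), m.group(2)

def describe(flags):
    """Human-readable names of the bits set in a flags value."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def check_entries(entries):
    """Return (url, problem) pairs for entries that would break an OCSP deployment."""
    problems = []
    for entry in entries:
        flags, url = parse_entry(entry)
        looks_like_ocsp = "/ocsp" in url.lower()
        if flags & CSURL_ADDTOCERTOCSP and flags & CSURL_ADDTOCERTCDP:
            # 34 = OCSP bit plus caIssuers bit: clients would try to fetch a CA cert from /ocsp.
            problems.append((url, f"value {flags} sets AddToCertAIA too; should be {flags & ~CSURL_ADDTOCERTCDP}"))
        elif looks_like_ocsp and not flags & CSURL_ADDTOCERTOCSP:
            problems.append((url, "OCSP URL lacks the AddToCertOCSP bit (32)"))
    return problems

def fix_entries(entries):
    """Clear the caIssuers bit on any entry that carries the OCSP bit."""
    fixed = []
    for entry in entries:
        flags, url = parse_entry(entry)
        if flags & CSURL_ADDTOCERTOCSP:
            flags &= ~CSURL_ADDTOCERTCDP
        fixed.append(f"{flags}:{url}")
    return fixed
```

On a real CA the entries to feed in come from certutil -getreg CA\CACertPublicationURLs, and a corrected list is written back with certutil -setreg and a service restart.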

All replies

  • Hi,

    I searched the internet and found below two threads, hope they will be helpful for you:

    Issues Implementing the Microsoft Online Responder

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/77bca9db-74ac-43b6-aae5-0ae2e8a6a265/

    OCSP problem

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d06a07ae-9999-47de-af33-9304d82142f3

    OCSP good on 1 server, bad on another

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1697857a-2c8e-4142-97c7-ca6cd0e13220

    Regards,

    Yan Li

    TechNet Subscriber Support


    Thursday, October 4, 2012 5:20 AM
  • Hi,

    I have already seen some of these posts before, but they didn't help. I don't have require strong password protection enabled.

    I have removed antivirus and moved the server to the Computers OU just in case there was a problem with server hardening. I have uninstalled and reinstalled the OCSP role many times and rebooted, but still no good.

    In the first post URL above, it says to create an ocsp.inf file and run a certutil command. Do I run this test from the issuing server, which is also the OCSP server? The first forum post above was never resolved though.

    Are there any other logs I can check? The OCSP Response Signing certificate just sits in the Certificate Templates folder; when should it move to Issued Certificates? Is this once the OCSP Revocation Checking has completed successfully?

    Before adding the OCSP, pkiview says OK to all the other revocation methods.


    Jaz


    • Edited by JazK Thursday, October 4, 2012 8:42 PM
    Thursday, October 4, 2012 5:42 PM
  • Hi,

    My problem with OCSP configuration was the security setting "System cryptography: Force strong key protection for user keys". I set this to Disabled and then OCSP shows as working and the signing certificate is OK.

    The problem I now have is that, using pkiview, the AIA Location for the OCSP path is showing as Unable to Download.

    Also, if I load IIS Manager, select the OCSP website and select Basic Settings, then select the Test Settings button, I get the message "There was an error while performing this operation", Details: Invalid application path. However, the path is the default one for OCSP and it does exist on the C: drive.

    Any Ideas?


    Jaz


    • Edited by JazK Friday, October 5, 2012 8:37 AM
    Friday, October 5, 2012 8:30 AM