Enrolling for an OCSP Response Signing certificate
Hi, Can anyone explain how I can enroll for an OCSP Response Signing certificate from a standalone 2008 CA? I enabled the following option:

    certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK

I created the request by using the following .inf file:

    [NewRequest]
    Subject = "CN=testca,O=Contoso,OU=nt"
    PrivateKeyArchive = FALSE
    Exportable = TRUE
    UserProtected = FALSE
    MachineKeySet = TRUE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    UseExistingKeySet = FALSE
    RequestType = PKCS10

    [EnhancedKeyUsageExtension]
    object identifer="1.3.6.1.5.5.7.3.9"

    [Extensions]
    1.3.6.1.5.5.7.48.1.5 = Empty

But it seems that the requested certificate is not valid for the purpose I want to use it for :( I can't select this certificate for my responder to use :( What am I missing? Thanks.
January 15th, 2009 3:38pm

Hi, Before we go further, please help to collect the following information for research.

1. Could anyone else enroll for an OCSP Response Signing certificate from the same CA? Also, could you get other certificates manually or automatically?
2. If there is any error, please let us know the detailed error message. If there is no error, please let us know what has happened.
3. If you're the CA Admin, please check the CA settings according to the following article: Configure a CA to Support OCSP Responders http://technet.microsoft.com/en-us/library/cc732526.aspx

Thanks
January 16th, 2009 2:57pm

Hi,

1. This is a brand new STANDALONE issuing CA. I'm trying to set it up to issue OCSP certificates, so the answer to this question is no.
2. There are no errors during the request. I only noticed one thing. When I tried to issue the following command:

    certreq.exe -submit ocsp.req ocsp.cer

I didn't see any ocsp.cer created on the local disk. But I could see the new request on the CA. There is one more additional thing. When I tried to view the request's attributes/extensions through the CA MMC snap-in I saw the following: OCSP No Revocation Checking: Origin --> request, critical --> no, enabled --> no. I have doubts about this: enabled --> no.
3. I've tried to set up my CA using the following article: http://technet.microsoft.com/en-us/library/cc770413.aspx I think that your link is an excerpt from it.

And I wanted to note one thing again. My CA is STANDALONE, not the enterprise one.
January 19th, 2009 10:18am

The reason that the certificate is not issued is that you have the default (and recommended) configuration for a standalone CA. All requests are pended until the certificate is approved. When you submit the request, and later approve it in the CA, inspect the certificate at that time. You can then run

    certreq -retrieve # ocsp.cer

(where # is the request number of the issued certificate).

Also, why are you not using an enterprise CA? Just wondering, not suggesting that you should (at this point).

Brian
January 19th, 2009 11:12pm

We're not using an enterprise CA for several reasons. The CA is in a separate network without any links to any domain. Besides, we need to issue certificates only for external users and not for our domain ones. The article I mentioned earlier clearly states that it is possible to issue the required certificates using a standalone CA. So I wanted to know why this is not working for me :) Why can't I issue a correct certificate?
January 21st, 2009 12:01pm

Hi, Based on my test, this issue was caused by incorrect syntax. Please change

    [EnhancedKeyUsageExtension]
    object identifer="1.3.6.1.5.5.7.3.9"

TO

    [EnhancedKeyUsageExtension]
    OID="1.3.6.1.5.5.7.3.9"

I have added a comment to the following guide: Online Responder Installation, Configuration, and Troubleshooting Guide http://technet.microsoft.com/en-us/library/cc770413.aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
January 23rd, 2009 9:39am
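The two answers above describe one procedure: a standalone CA pends the request until an administrator approves it (so no .cer appears at submit time), and the EKU section of the .inf must use the OID= keyword. The following PowerShell script is an added example that is not part of the thread; it strings the whole procedure together and then checks the issued certificate for the two things the Online Responder needs before it will list the certificate. The CA config string "CA01\Contoso Issuing CA", the working directory C:\ocsp, and the fact that the script runs elevated on the responder host (so the machine key generated by certreq -new is where the responder can use it) are assumptions, not details from the thread.

```powershell
# Added example, not code from the thread. Assumed values: $CaConfig, $WorkDir,
# and that this runs in an elevated PowerShell on the Online Responder host.
$CaConfig = 'CA01\Contoso Issuing CA'   # assumed; "certutil -config - -ping" shows the real one
$WorkDir  = 'C:\ocsp'                   # assumed
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath  = Join-Path $WorkDir 'ocsp.inf'
$ReqPath  = Join-Path $WorkDir 'ocsp.req'
$CerPath  = Join-Path $WorkDir 'ocsp.cer'

# 1. On the CA: allow the id-pkix-ocsp-nocheck extension (1.3.6.1.5.5.7.48.1.5)
#    to be issued. The policy module reads EditFlags at service start, so restart it.
certutil -config $CaConfig -setreg policy\EditFlags +EDITF_ENABLEOCSPREVNOCHECK
net stop certsvc
net start certsvc

# 2. Request file with the working syntax: the EKU section takes OID=, not "object identifier=".
@"
[NewRequest]
Subject = "CN=testca,O=Contoso,OU=nt"
PrivateKeyArchive = FALSE
Exportable = TRUE
UserProtected = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
UseExistingKeySet = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID="1.3.6.1.5.5.7.3.9"

[Extensions]
1.3.6.1.5.5.7.48.1.5 = Empty
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 3. Build the PKCS#10 request; the private key lands in the machine store (MachineKeySet = TRUE).
certreq -new $InfPath $ReqPath

# 4. Submit. A standalone CA pends by default, so certreq reports
#    "Certificate request is pending" plus a RequestId and writes no .cer yet.
$submitOutput = certreq -submit -config $CaConfig $ReqPath $CerPath
$match = $submitOutput | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw "Could not find a RequestId in certreq output: $submitOutput" }
$requestId = $match.Matches[0].Groups[1].Value

# 5. As CA administrator, approve the pending request, then pull the issued
#    certificate and bind it to the machine key created in step 3.
certutil -config $CaConfig -resubmit $requestId
certreq -retrieve -config $CaConfig $requestId $CerPath
certreq -accept $CerPath

# 6. Verify the certificate carries both the OCSP Signing EKU and the nocheck
#    extension; without them the responder's certificate picker will not offer it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$ocspEku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.9' }
$noCheck = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.48.1.5' }

if (-not $ocspEku) { throw 'Issued certificate lacks the OCSP Signing EKU (1.3.6.1.5.5.7.3.9)' }
if (-not $noCheck) { throw 'Issued certificate lacks id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5)' }
"OK: '$($cert.Subject)' (request $requestId) is usable as an OCSP Response Signing certificate"
```

The nocheck extension is what tells relying parties not to look up the responder's own certificate status, which is why the CA refuses to issue it unless EDITF_ENABLEOCSPREVNOCHECK is set; keep the lifetime of such a certificate short, since it cannot be revoked in practice. If the EKU section is mistyped as in the original post, step 6 fails at the first check rather than leaving you to discover the problem in the responder UI.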

Thanks Mervyn :) Everything started to work as expected :) One more question :) Is it possible to put the following OID, "0.9.2342.19200300.100.1.1", in the subject of a certificate issued by a 2003 CA? This OID is part of an RFC standard. But I was not able to find any way to put it in the certificate subject :(
January 23rd, 2009 5:01pm

Hi, You should be able to use the following Subject in the certificate.

    Subject = "CN=0.9.2342.19200300.100.1.1"

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
January 26th, 2009 5:03am

Hi, No, I do not want to use this OID in CN=. I want to form the following subject:

    0.9.2342.19200300.100.1.1 = D413B29E8E842B5EE0330AC103052B5E
    CN = Mervyn Zhang
    OU = ITD
    O = Microsoft
    C = US

As I know, this OID is named guid, but I don't know how I can force it to appear in the certificate's subject :/ We have no problems with Baltimore CA doing such a thing, but with Microsoft CA we have these problems :( As I know, this OID is in an RFC.
January 27th, 2009 4:01pm

Hi, As far as I know, we cannot use this kind of subject name in a Windows CA. Sorry for the inconvenience this has brought. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
January 28th, 2009 5:02am
