Failing OCSP location
Hello, I have CS running on Win2008 R2. I have enabled the AIA http location to be included in the OCSP extension of certificates, which added a new OCSP location to PKIView. However, it fails with "error". When tracing with IIS, it shows that it attempts to retrieve the URL twice, and both times it fails:
1. First time it attempts to retrieve the URL using the GET method, but instead of only getting the url, it appends /<base64encodedbinarydata>, and thus fails with 404
2. Second time it attempts to retrieve the URL using the POST method, this time the correct url, but the POST method is not allowed on /CertEnroll, and thus fails with 405
What is going on here? Why does it append some kind of binary data to the url?
February 8th, 2010 5:31pm

You need to look in the OCSP Responder Management console.
1) When you look at the revocation configuration, does it report an OK status?
2) Can you refresh the revocation information?
3) Sometimes, I have found that generating a new CA Exchange certificate works (at the CA, run certutil -cainfo xchg)
February 8th, 2010 6:30pm

I got it working. I think it was caused by the ocsp virtual directory in IIS requiring SSL, and me only adding an http link to the AIA. But now I have another issue: I generated two useless CA certificates during debugging. Now I have loads of files in the CertEnroll dir. How do I delete unneeded CA certificates?
February 8th, 2010 7:54pm

Thanks for posting a follow up. I have a similar issue, but it states "AIA location unable to download" and I also get a page 500 error with the OCSP virtual folder empty. I will see if I can get it working with this extra bit of information.
February 8th, 2010 8:04pm

AIA might also fail because of the SSL requirement.
February 8th, 2010 9:01pm

You cannot use SSL to protect:
1) HTTP or LDAP URLs in the CDP extension
2) HTTP or LDAP URLs in the AIA extension
3) OCSP Responder URLs
Brian
February 9th, 2010 4:35am

Yeah, I was just saying that some of the services you can have on your CA server might set the default IIS website to require SSL, and thus make CDP/AIA/OCSP URLs fail :)
February 9th, 2010 9:12pm

> Yea, I was just saying that some of services you can have on your CA server might set default IIS website to require SSL, and thus make CDP/AIA/OCSP urls fail

This is why I always create separate web sites for PKI stuff: one for CRL/CRT files, a second for the OCSP responder (or combine OCSP with CRL/CRT) and a third for CEP/CES services. Usually services enable the HTTPS requirement for the default web site (you should avoid using the Default Web Site).
http://www.sysadmins.lv
February 9th, 2010 11:40pm

What's the easiest way to move those PKI services to a separate website? Knowing that by default the role mechanism creates them on the default website :(
February 10th, 2010 12:28pm

I do it manually (by editing the applicationhost.config file). Unfortunately there is no standard mechanism to do it :(
http://www.sysadmins.lv
February 10th, 2010 11:58pm

> Thanks for posting a follow up, I have a similar issue but it states AIA location unable to download and also get a page 500 error with the OCSP virtual folder empty. I will see if I can get it working with this extra bit of information.

David, did you ever figure out why the OCSP virtual folder is empty? I am having the same issue and pulling my hair out over it. I've triple-checked my config, uninstalled/reinstalled OCSP a bunch of times... can't figure it out. SSL is not required in IIS. But that shouldn't matter anyway, because the 500 error seems to be caused by the OCSP folder being blank/empty.
Thanks,
Frank
February 21st, 2010 11:28pm

You cannot test OCSP by loading the URL in a browser (you will always get a 500 error). You need to test it by doing the following:
1) export a certificate that has the OCSP url in the AIA extension
2) at an Admin command prompt, run certutil -url CertFile.crt
3) in the Retrieve box, select OCSP (from AIA) and then click Retrieve
4) ensure that the Status is OK.
This does a proper submission of an OCSP request and response from the responder.
Brian
February 22nd, 2010 3:10am

Frank, as Brian states in his follow-up, you cannot simply download data or test the OCSP website; it's just the OCSP protocol as far as I understand. In an earlier thread that I made, Brian indicated to me that you should NOT have the AIA location included in the OCSP extensions, contrary to some tutorials stating you should include them. Here is the link to the thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/8655248d-ad89-4582-a93a-94452dd7cfaa
February 22nd, 2010 10:34am

Hello all, does anybody know if there is any way to actually publish a CDP to an SSL site? I would like my clients to access the CRL over SSL rather than HTTP. Can it be done, or is this not in the nature of CRLs?
Many thanks
March 16th, 2010 9:38pm

> Does anybody if there is any way to actually publish a CDP to an SSL site

You don't want to do it. CRLs must be published to unsecured HTTP locations and never to SSL-secured locations.
http://www.sysadmins.lv
March 16th, 2010 9:47pm
