OCSP Error - PKIView checks seem ok
Hi All,

So another post about the pesky error displayed next to the OCSP responder. Already tried http://social.technet.microsoft.com/Forums/nl/winserversecurity/thread/d6e871e0-3687-4cb5-9591-c1459911f433 and a few of the other links with no joy. Hopefully somebody could help with some clues - here's some additional details which I really hope helps the brains here:

Windows 2008 R2 CA with OCSP responder on the same box (I know there could be an issue with DR but there are no alternatives).

Configured the Issuing CA with LoadDefaultTemplates=0 following a suggestion from Brian K on another related link to the OCSP problem to ensure no invalid certs were issued.

My AIA & CDP points are configured (note: I've dropped some carriage returns in here to make the points easier to read):

CDP
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n
79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n
6:http://%%1/certificates/%%3%%8%%9.crl\n
6:http://pki.dpp/certificates/%%3%%8%%9.crl\n"

AIA
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n
2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n
6:http://%%1/CertEnroll/%%1_%%3%%4.crt\n
6:http://pki.dpp/certificates/%%1_%%3%%4.crt\n
32:http://pki.dpp/ocsp\n"

This was run prior to the CA being brought on-line again to ensure the exchange cert had the correct points.

PKIView: all points are verified as OK except the OCSP, which just displays Error.
Revoked the CA Exchange certificate: still shows error. Rebooted: showing error. certutil -urlcache * delete: showing error.

Configured my OCSP Responder & Template as per Brian K's book & link http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx. OCSP responder is working (green tick in responder config). Revoked the CA Exchange certificate: STILL showing errors :(

Generated a cert and did certutil -verify -urlfetch cert.cer as per suggestions in other posts.
Hopefully somebody could suggest something as I cannot see any obvious errors. OCSP issue, response:

Issuer: CN=PPEIssuecalV2 DC=Test DC=dpp
Subject: CN=PPEIssueCA.test.dpp OU=XX O=xx L=xxxxxxx S=xx C=GB
Cert Serial Number: XXXXX
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0X20000000)
dwFlags= CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
----------------- CERT_CHAIN_CONTEXT --------------------------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 22 hours 21 Mins, 27 seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 22 hours 21 Mins, 27 seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=PPEISSUECALV2,DC=Test,DC=dpp
NotBefore: 10/05/2012 08:00
NotAfter: 10/05/2012 08:00
Subject: CN=PPEISSUECA.TEST.DPP,OU=XX, O=XX, L=xxx, L=Milton Keynes, S=xx C=GB
Template: WebSSL
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA --------------------------------
Verified Certificate (0) Time: 0 [0.0] ldap:///CN=PPEISSUECALV2,CN=AIA,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?cACertificate?base?objectClass=certificationAuthority
Verified Certificate (0) Time: 32 [1.0] http://PPEIssueCA.test.DPP/certificates/PPEISSUECA.TEST.DPP_PPEISSUECALV2.CRT
Verified Certificate (0) Time: 32 [2.0] http://pki.DPP/certificates/PPEISSUECA.TEST.DPP_PPEISSUECALV2.CRT
-------------------- Certificate CDP --------------------------------
Verified Base CRL (02) Time: 0 [0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?certificateRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 0 [0.0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32 [0.0.1] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2+.crl
Verified Delta CRL (02) Time: 32 [0.0.2] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32 [1.0] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2.crl
Verified Delta CRL (02) Time: 0 [1.0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32 [1.0.1] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2+.crl
Verified Delta CRL (02) Time: 32 [1.0.1] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32 [2.0] http://pki.DPP/Certificates/PPEIssueCALV2.crl
Verified Delta CRL (02) Time: 0 [2.0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Verified Delta CRL (02) Time: 32 [2.0.1] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2+.crl
Verified Base CRL (02) Time: 32 [2.0.2] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
----------------- Base CRL CDP -----------------------------
Ok Delta CRL (03) Time: 0 [0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistrobutionPoint
Ok Delta CRL (03) Time: 32 [2.0.1] http://PPEIssueCA.test.DPP Certificates/PPEIssueCALV2+.crl
Delta CRL (02) Time: 32 [2.0.1] http://pki.DPP/Certificates/PPEIssueCALV2+.crl
---------------------- Certificate OCSP -----------------------
Verified OCSP Time: 32 [0.0] http://pki.DPP/ocsp
---------------------------------------------------------------------
CRL 02: ISSUER: CN=PPEISSUECALV2, DC=TEST,DC=DPP
Delta CRL 03: ISSUER: CN=PPEISSUECALV2, DC=TEST,DC=DPP
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]:dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=PPERootV2, DC=DPP
NotBefore: 09/05/2012 11:00
NotAfter: 09/05/2012 11:00
Subject: CN=PPEISSUECALV2, DC=TEST, DC=DPP
Serial: xxxxxx
Template SubCA
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA ---------------------
Verified Certificate (0) Time: 32 [2.0] http://pki.DPP/certificates/PPRootCAV2.CRT
-------------------- Certificate CDP ---------------------
Verified Certificate (0) Time: 32 [2.0] http://pki.DPP/certificates/PPRootCAV2.CRL
-------------------- Base CRL CDP ---------------------
NO URLS None Time: 0
-------------------- Certificate OCSP ---------------------
NO URLS None Time: 0
-----------------------------------------------------------------
CRL 02: Issuer: CN=PPERootCAV2, DC=DPP
f0 ee fb 94 9e 9b e6 1c 31 3c d9 40 a6 fc 02 5b 8e 19 83 ee

CertContext[0][1]:dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=PPERootV2, DC=DPP
NotBefore: 09/05/2012 09:45
NotAfter: 09/05/2012 09:45
Subject: CN=PPERootCAV2, DC=DPP
Serial: xxxxxx
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (04x)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
-------------------- Certificate AIA ---------------------
NO URLS None Time: 0
-------------------- Certificate CDP ---------------------
NO URLS None Time: 0
-------------------- Certificate OCSP ---------------------
NO URLS None Time: 0
---------------------------------------------------
Exclude Leaf cert: 42 18 e5 a4 fb 76 af ac c1 06 e8 09 5a 0f 9b c0 28 bb 5c
Full chain: 75 c9 4c 10 12 f4 ba d3 db b6 a9 ba 45 fd 11 f9 3a 52 e5 b4
---------------------------------------------------
Verified Issuance Polices: None
Verified Application Policies: 1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
May 10th, 2012 3:53pm

OCSP is working fine:

---------------------- Certificate OCSP -----------------------
Verified OCSP Time: 32 [0.0] http://pki.DPP/ocsp
---------------------------------------------------------------------

To confirm, run certutil -url caexchange.cer. Then click the AIA, CDP, and OCSP options and click Retrieve. This will send an actual OCSP request for the certificate and determine if it receives a response.

To be brutally honest, I never trust the status in PKIView.msc if it says Error. This is the *only* command I trust.

Brian
May 10th, 2012 4:15pm

I'll run the test 7:30 am UK. Once I've exported the exchange cert and run the test I'll let you know what the response is :) - and again, as always, Brian, thanks a million for a rapid reply. I "assume" if it all comes back as OK then it's a matter of ignoring PKIView; if not, then work through the issues.
May 10th, 2012 5:22pm

Update 08:00

Ran PKIView - all points validate except OCSP as before.
Exported Exchange cert, ran certutil -verify -urlfetch exchange.cer - all validate / no errors reported.
Ran certutil -url exchange.cer: LDAP points verify OK. All HTTP points fail with error retrieving URL: This operation returned because the timeout period expired. 08x00705b4 (Win32: 1460)

Very carefully copying the URL displayed on the report (missing out the []), opened up a web browser and the CRT, CRL and + CRL all pop up. Copied them from PKIView, pasted in browser and again they appear no problem - confirming I can retrieve all from the browser done manually. The web site is set to anonymous authentication.
May 11th, 2012 3:48am

14/05/12 update

Changed the timeout from 15 seconds in certutil -url to 60 seconds. At 32 seconds all HTTP points come back as verified including OCSP and I can download the CRT & CRL!!!

So some follow-up questions: in PKIView I "assume" it's showing the red X still because it's hitting a timeout before it reaches 32 seconds? If the time is reduced to say 20 seconds would PKIView come back with Valid?

With regards to 32 seconds for returning the points: certutil -url was run locally on the box, granted the points were FQDN so it's going to the network... How can I reduce the time down from 32 seconds to something realistic? 32 seconds to go get a URL with zip in it seems a loooong time - I'm aware that 31 seconds will be it contacting the HTTP server, doing "stuff" and then 1 second to download the CRT & CRL. So what can be done to reduce the 31 other seconds??? If I manually type the URL in the browser it replies in a second or so... don't know if that's helpful.

Help / pointers greatly appreciated.
May 14th, 2012 1:59pm
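Added example, not from the thread: a small Python parser for the certutil -verify -urlfetch / certutil -url lines pasted above that flags URLs which did answer, but only after the checking tool's timeout, which is exactly the pattern in this thread (LDAP at 0 s, every HTTP point and the OCSP URL at 32 s). The 15 s threshold is an assumption taken from the poster's certutil -url default; the sample output is constructed to mirror the posted format, not a real capture.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Assumption from the thread: the checker gave up before the 32 s the HTTP
# fetches took, while certutil -url succeeded once its timeout was raised to 60 s.
TIMEOUT_SECONDS = 15

Fetch = namedtuple("Fetch", "status kind seconds url")

# Matches the one-line form pasted in the thread and certutil's native two-line
# form, where a quoted kind/Time line is followed by an indented "[i.j] url" line.
HEAD_RE = re.compile(r'^(?P<status>Verified|Ok)\s+"?(?P<kind>.+?)"?\s+Time:\s+(?P<secs>\d+)'
                     r'(?:\s+\[[\d.]+\]\s+(?P<url>\S+))?$')
URL_RE = re.compile(r"^\[[\d.]+\]\s+(?P<url>\S+)$")

def parse_urlfetch(text):
    """Extract (status, kind, seconds, url) for every URL certutil retrieved."""
    lines = [ln.strip() for ln in text.splitlines()]
    fetches = []
    for i, line in enumerate(lines):
        m = HEAD_RE.match(line)
        if not m:
            continue  # section banners, "NO URLS", CertContext lines, etc.
        url = m["url"]
        if url is None and i + 1 < len(lines):
            nxt = URL_RE.match(lines[i + 1])
            url = nxt["url"] if nxt else None
        if url:
            fetches.append(Fetch(m["status"], m["kind"], int(m["secs"]), url))
    return fetches

def scheme(url):
    return urlsplit(url).scheme.lower()

def slow_fetches(fetches, timeout=TIMEOUT_SECONDS):
    """URLs that answered, but only after `timeout` s: a checker using that timeout shows Error."""
    return [f for f in fetches if f.seconds >= timeout]

# Constructed sample modelled on the thread's output (not a real capture).
SAMPLE = """\
-------------------- Certificate AIA --------------------------------
Verified Certificate (0) Time: 0 [0.0] ldap:///CN=PPEISSUECALV2,CN=AIA,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?cACertificate?base?objectClass=certificationAuthority
Verified Certificate (0) Time: 32 [1.0] http://PPEIssueCA.test.DPP/certificates/PPEISSUECA.TEST.DPP_PPEISSUECALV2.CRT
Verified "Base CRL (02)" Time: 32
  [1.0] http://PPEIssueCA.test.DPP/Certificates/PPEIssueCALV2.crl
Ok Delta CRL (03) Time: 0 [0.0] ldap:///CN=PPEISSUECALV2,CN=PPEISSUECA,CN=CDP,CN=Public%Key%Services,CN=Services,Configuration,DC=TEST,DC=DPP?deltaRevocationList?base?objectClass=CRLDistributionPoint
Verified OCSP Time: 32 [0.0] http://pki.DPP/ocsp
NO URLS None Time: 0
"""
```

Run `slow_fetches(parse_urlfetch(open("urlfetch.txt").read()))` on a saved certutil report to list the points a 15 s checker would mark as Error even though they are retrievable.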
