OCSP PKIView error and certutil -url unsuccessful
Hello everyone, I've seen this post lots of times but I still can't figure out what the heck is going on with this OCSP configuration. Basically I have my Windows 2003 domain test.com, 1 standalone root CA on Windows 2008 R2, and 2 enterprise CAs on Windows 2008 R2. On each of those CA servers I installed an OCSP array member that I configured with one revocation configuration for each CA I have. I used simple DNS round robin to access one or the other array member. Everything seems to go smoothly until I end up with the PKI View error below and the certutil -url error below. Can anyone help please? Thanks. Hitch Bardawil
April 16th, 2012 10:43am

Can you give more details about your OCSP configuration, signing certificates and revocation config? /Hasain
April 16th, 2012 1:07pm

Ensure that you did not make the mistake of selecting Include in the AIA of Issued Certificates: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx#PKIViewOCSP
April 17th, 2012 6:51pm

I made sure the checkbox was not selected during my configuration, but I still cannot solve this problem... I turned on the CAPI logs and found these errors: CAPI2 event ID 11 and 41 with the details below. RevocationResult: The revocation function was unable to check revocation because the revocation server was offline. Hope this helps you figure out the damned problem :s Hitch Bardawil
April 19th, 2012 4:42am
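The CAPI2 events quoted above are the most useful evidence a Windows client leaves behind when a revocation check fails, but the operational log is disabled by default and cached CRLs or OCSP responses can mask a broken responder. The following PowerShell script is an added example, not code from the thread or from Microsoft: it enables the CAPI2 operational log, clears the local URL cache, exercises every AIA/CDP/OCSP URL in the chain of one issued certificate with certutil, and then lists the matching event ID 11 and 41 entries. It assumes an elevated prompt on a domain-joined client and that $CertPath (a placeholder path, not one from the thread) points to a certificate issued by one of the enterprise CAs.

```powershell
# Added troubleshooting example (not from the thread): gather the evidence a
# failed revocation check leaves on a Windows client and exercise the
# AIA/CDP/OCSP URLs of one issued certificate.
# Assumptions: run elevated; $CertPath is a placeholder path to a certificate
# issued by one of the enterprise CAs discussed in the thread.

param(
    [string]$CertPath = 'C:\temp\issued-cert.cer'   # placeholder, not from the thread
)

# 1. The CAPI2 operational log is off by default; enable it so that
#    event ID 11 (Build Chain) and 41 (Verify Revocation) get recorded.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true

# 2. Flush the per-user URL cache so certutil really contacts the CDP and
#    OCSP responders instead of answering from cached CRLs or OCSP responses.
#    (Cached data is one reason a broken responder is only noticed days later.)
certutil -urlcache * delete | Out-Null

# 3. Fetch every AIA/CDP/OCSP URL in the chain. The output marks each URL as
#    Verified or Failed, which isolates the responder or CDP that is unreachable.
certutil -verify -urlfetch $CertPath

# 4. Pull the CAPI2 events written during the check, newest first.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 11, 41
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Run the script once against a certificate from each issuing CA; because the thread's responders are configured as one array with a revocation configuration per CA, a failure that appears only for the second CA's certificate points at that revocation configuration (its signing certificate or the URL it answers on) rather than at the array as a whole.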

Hey guys, just wanted to add something I just noticed. As I told you before, my OCSP scenario involves two PKI servers: PKI 1 is for delivering technical certificates; PKI 2 is for user certificates. I configured each of those servers as an OCSP array. When I add the revocation configuration for my PKI 1, everything is fine; however, when I add the revocation configuration of the second PKI, this is when everything stops working... Hitch Bardawil
April 19th, 2012 5:48am

I spoke with the product team PM and there are a couple of outstanding questions here: 1. What do you mean by "stop working"? 2. Are you saying that when you add the URL for OCSP on the second issuing CA that is when it stops showing up appropriately in PKI View?
April 19th, 2012 6:38pm

Glad you got it working - strange issue. I have seen PKIView show that revocation wasn't working before, but everything was actually fine. I wouldn't have expected that you would get the other errors though. Anyways, that is good. I proposed your post as the answer, since it was essentially a try-again fix. I did want to mention that the way you are setting this revocation up is a bit unexpected. Typically, people who are using OCSP have a large number of expected revocations. Since the CAs are used for issuing certificates, people typically separate the revocation role from the issuance role. Meaning that you would use a separate web server (or servers in your case) to run OCSP. This keeps the revocation lookup traffic off of the CA. This is also the same for CDP hosted on a web server. As a matter of fact, you might choose to use the web server hosting the CDP as the same one running OCSP. My guess is that you are just doing this in a lab for testing purposes right now. I am just mentioning this as a design item for a production implementation. Anyways, glad you got it working!
April 20th, 2012 12:14pm

Hi Kurt, Just wanted to pipe in here. I agree with everything you have stated except " you might choose to use the Web server hosting the CDP as the same one running OCSP" This would not be one of my recommendations. Remember that the default behavior for Windows Vista and later clients is to first use OCSP for revocation checking, and if not available, fall back to CDP/AIA revocation checking. If you put the OCSP responder on the same servers hosting the CDP/AIA, you are setting up a single point of failure. If the server fails, then you cannot access both OCSP and CDP/AIA. Brian
April 20th, 2012 1:53pm

Good point! Thanks for adding that bit of information for the design perspective.
April 20th, 2012 2:14pm

Thanks Kurt. I hope I did not sound correcting, just wanted to add to the discussion ;-) Brian
April 20th, 2012 3:20pm

Thanks for the great advice guys! Hitch Bardawil
April 25th, 2012 7:36am

Hello guys, sorry to bother you with the same issue again, but I left the OCSP for a few days and when I came back the PKI View error is back :s Any idea on the reason??? Thanks! Hitch Bardawil
May 2nd, 2012 5:50am

No ideas? Anyone? :s Hitch Bardawil
May 3rd, 2012 10:18am
