OCSP PKIView error and certsrv-url unsuccessful
Hello everyone, I've seen this post lots of times but I still can't figure out what the heck is going on with this OCSP configuration. Basically I have my Windows 2003 domain test.com, 1 standalone root CA on Windows 2008 R2 and 2 enterprise CAs on Windows 2008 R2. On each of those CA servers I installed an OCSP array member that I configured with one revocation configuration for each CA I have. I used simple DNS round robin to access one or the other array member. Everything seems to go on smoothly until I end up with the PKI View below and the certutil -url below. Can anyone help please? Thanks, Hitch Bardawil
April 20th, 2012 10:53am

Hello Kurt, thanks for your time. I kept on trying, and finally by just deleting both revocation rules and recreating them it seems that the PKIView error disappears. Very weird, since I have to do it a couple of times before it worked out... Thank you, Hitch Bardawil
April 20th, 2012 11:55am

Glad you got it working - strange issue. I have seen PKIView show that revocation wasn't working before, but everything was actually fine. I wouldn't have expected that you would get the other errors though. Anyways, that is good. I proposed your post as the answer, since it was essentially a try-again fix. I did want to mention that the way you are setting this revocation up is a bit unexpected. Typically, people who are using OCSP have a large number of expected revocations. Since the CAs are used for issuing certificates, people typically separate the revocation role from the issuance role. Meaning that you would use a separate web server (or servers in your case) to run OCSP. This keeps the revocation lookup traffic off of the CA. This is also the same for CDP hosted on a Web server. As a matter of fact, you might choose to use the Web server hosting the CDP as the same one running OCSP. My guess is that you are just doing this in a lab for testing purposes right now. I am just mentioning this as a design item for a production implementation. Anyways, glad you got it working!
April 20th, 2012 12:24pm

Can you give more details about your OCSP configuration, signing certificates and revocation config? /Hasain
April 20th, 2012 1:17pm

Hi Kurt, Just wanted to pipe in here. I agree with everything you have stated except " you might choose to use the Web server hosting the CDP as the same one running OCSP" This would not be one of my recommendations. Remember that the default behavior for Windows Vista and later clients is to first use OCSP for revocation checking, and if not available, fall back to CDP/AIA revocation checking. If you put the OCSP responder on the same servers hosting the CDP/AIA, you are setting up a single point of failure. If the server fails, then you cannot access both OCSP and CDP/AIA. Brian
April 20th, 2012 2:03pm

Good point! Thanks for adding that bit of information for the design perspective.
April 20th, 2012 2:24pm

Thanks Kurt. I hope I did not sound correcting, just wanted to add to the discussion ;-) Brian
April 20th, 2012 3:30pm

I spoke with the product team PM and there are a couple of outstanding questions here:
1. What do you mean by "stop working"?
2. Are you saying that when you add the URL for OCSP on the second issuing CA that is when it stops showing up appropriately in PKI View?
April 20th, 2012 6:48pm

Ensure that you did not make the mistake of selecting Include in the AIA of Issued Certificates: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx#PKIViewOCSP
April 20th, 2012 7:01pm

I made sure the checkbox was not selected during my configuration, but I still cannot solve this problem... I turned on the CAPI logs and found those errors: CAPI2 event ID 11 and 41 with the below details:
RevocationResult: The revocation function was unable to check revocation because the revocation server was offline.
Hope this helps you figure out the damned problem :s Hitch Bardawil
April 21st, 2012 4:52am


Hello, thanks for helping. I have 2 enterprise subordinate PKIs on which I installed the OCSP role, so that I have an array member on each PKI server. I configured two revocation configurations, one for each CA. The revocation configuration is pretty standard:
Browse the CA in Active Directory
automatically select a signing certificate
use the default OCSP template in AD
added the computer accounts to the OCSP template
I basically followed the TechNet tutorial to the letter. Here is the certutil -verify -urlfetch result in case it might help:

Issuer:
    CN=AFD-PKI-Technique
    DC=dev
    DC=active
Subject:
    CN=afd.dev.Active
Cert Serial Number: 1cd8b3e6000100000010

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 3 Minutes, 3 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 3 Minutes, 3 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=AFD-PKI-Technique, DC=dev, DC=active
  NotBefore: 16/04/2012 14:57
  NotAfter: 16/04/2014 14:57
  Subject: CN=afd.dev.Active
  Serial: 1cd8b3e6000100000010
  Template: AFD Web Server
  c7 40 0b d2 b7 50 00 d3 00 55 43 3a d8 b1 bb 75 ce a6 39 52
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0
    [0.0] ldap:///CN=AFD-PKI-Technique,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (1)" Time: 0
    [0.1] ldap:///CN=AFD-PKI-Technique,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0a)" Time: 0
    [0.0] ldap:///CN=AFD-PKI-Technique(1),CN=FRPARDEV168,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?certificateRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Unsuccessful "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp

  --------------------------------
  CRL 0a:
  Issuer: CN=AFD-PKI-Technique, DC=dev, DC=active
  f4 ec d9 5e 60 36 4b 19 67 02 b4 66 36 e7 ba 5d 45 8f e7 19
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
  NotBefore: 13/04/2012 17:45
  NotAfter: 13/04/2032 14:50
  Subject: CN=AFD-PKI-Technique, DC=dev, DC=active
  Serial: 18565f0c00000000000a
  Template: SubCA
  39 9e dd 92 97 e7 30 32 18 33 11 1b d7 23 73 00 94 76 04 60
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=AFD-ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0
    [0.0] ldap:///CN=AFD-ROOT-CA,CN=FRPARDEV167,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=active?certificateRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp

  --------------------------------
  CRL 02:
  Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
  d2 08 3a ac b5 57 b5 b3 eb 2d 91 83 f7 ca 24 fc 92 58 ea be

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=AFD-ROOT-CA, DC=dev, DC=active
  NotBefore: 13/04/2012 14:40
  NotAfter: 13/04/2032 14:50
  Subject: CN=AFD-ROOT-CA, DC=dev, DC=active
  Serial: 61da541b9714d3bb4d4dcc18ea7690af
  Template: CA
  26 6e b3 04 3e 72 ad 18 82 77 0c a0 29 af 6c 7e 84 16 ef 4a
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  51 1b 7d ba e2 57 c5 3c 9c a5 80 17 50 fa 6c 1d 47 6a bb fd
Full chain:
  c2 50 c6 59 d3 04 2d 76 05 0e c8 f1 ba 67 ec 5b dc d3 56 b4
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Thanks, Hitch Bardawil
April 21st, 2012 5:21am
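A small parser for the certutil -verify -urlfetch dump quoted above, added here as an example and not code from the thread: it walks each CertContext element and its AIA/CDP/OCSP sections and reports every fetched URL whose status is anything other than Verified or No URLs, which for the dump above means the Wrong Issuer "Certificate (0)" AIA fetch and the Unsuccessful "OCSP" fetch on the leaf. The sample input is a constructed, shortened excerpt of that output.

```python
import re

# Constructed excerpt modelled on the certutil -verify -urlfetch output quoted
# above: leaf (CertContext[0][0]) and issuing CA (CertContext[0][1]) elements.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=afd.dev.Active
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0
    [0.0] ldap:///CN=AFD-PKI-Technique,CN=AIA,DC=dev,DC=active?cACertificate
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0a)" Time: 0
    [0.0] ldap:///CN=AFD-PKI-Technique(1),CN=CDP,DC=dev,DC=active?certificateRevocationList
  ----------------  Certificate OCSP  ----------------
  Unsuccessful "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=AFD-PKI-Technique, DC=dev, DC=active
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.dev.active/ocsp
"""

CTX_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:")
SECTION_RE = re.compile(r"^-+\s+Certificate (AIA|CDP|OCSP)\s+-+$")
STATUS_RE = re.compile(r'^(Verified|Unsuccessful|Wrong Issuer|No URLs)\s+"[^"]*"\s+Time:')
URL_RE = re.compile(r"^\[\d+\.\d+\]\s+(\S+)$")

def parse_urlfetch(text):
    """Return (chain index, subject, section, status, url) tuples, one per
    status line, tracking which chain element and section each belongs to."""
    checks = []
    cert, subject, section = -1, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := CTX_RE.match(line):
            cert, subject, section = int(m.group(1)), "", ""
        elif line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := STATUS_RE.match(line):
            checks.append((cert, subject, section, m.group(1), None))
        elif (m := URL_RE.match(line)) and checks and checks[-1][4] is None:
            # The [x.y] line after a status line carries the URL that was fetched
            checks[-1] = checks[-1][:4] + (m.group(1),)
    return checks

def failures(checks):
    """Verified and No URLs are fine; anything else breaks revocation checking."""
    return [c for c in checks if c[3] not in ("Verified", "No URLs")]
```

Running failures(parse_urlfetch(SAMPLE)) on the excerpt returns the two leaf entries (AIA Wrong Issuer and OCSP Unsuccessful) and nothing for the issuing CA element.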

Hey guys, just wanted to add something I just noticed. As I told you before, my OCSP scenario involves two PKI servers: PKI 1 is for delivering technical certificates, PKI 2 is for user certificates. I configured each of those servers as an OCSP array. When I add the revocation configuration for my PKI 1, everything is fine; however when I add the revocation configuration of the second PKI, this is when everything stops working... Hitch Bardawil
April 21st, 2012 5:58am

Thanks for the great advice guys! Hitch Bardawil
April 25th, 2012 7:36am

Hello guys, sorry to bother you with the same issue again, but I left the OCSP for a few days and when I came back the PKI View error is back :s Any idea on the reason??? Thanks! Hitch Bardawil
May 2nd, 2012 5:50am

No ideas? Anyone? :s Hitch Bardawil
May 3rd, 2012 10:18am
