OCSP Responder - Error in pkiview.msc
Hi all, I tried to install the OCSP Responder today, everything seemed to work, the OCSP MMC snap-in shows all the responders are working quite fine, but the Enterprise PKI Tool shows both of the responders which are configured as an array being erroneous. When I try to resolve the URLs which are included in a certificate issued by a CA configured to include the OCSP URLs in the AIA extension by using certutil -url <certfile>.cer everything looks just fine, the URLs can be verified. Does anybody have a suggestion how I can test whether my OCSP responders are working or not? I tried using certutil -verify and revoked a certificate, but I think there is a caching problem or something, because the certificate still seemed to be valid after publishing a new CRL and updating the responder configuration. I cleared the URL cache on the client machine using certutil -urlcache * delete. Greets, Martin Klenk
March 17th, 2008 8:27pm

Your last Exchange cert might not be having the OCSP URI; hence PKIView fails to get an OCSP response and hence it shows the error. certutil -url is fine to judge whether OCSP is working or not.
March 21st, 2008 12:16am

How can this issue be fixed? CertUtil shows us that the OCSP service is working. How do we get the Enterprise PKIView to show a green checkmark? Thanks for the help
August 7th, 2008 12:56pm

PKIView uses the latest CA Exchange certificate. You can go to the CA, delete the CA Exchange certificate from the local machine store (used to protect archived private keys during cert issuance). Then restart Certificate Services. This will request a new CA Exchange certificate with the corrected OCSP URL information. Then try running PKIView again. But, as stated, I would use certutil to get the "best" answer on how my configuration is. Certutil -verify -urlfetch "certfile.cer" will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time*, since it goes to the URLs immediately. Brian
August 7th, 2008 11:16pm

I met the same problem as you guys, even though I have configured both options for the OCSP URI in the AIA properties and renewed the CA Exchange certificate; there are still errors in PKIView.msc. Seems that PKIView.msc always attempts to retrieve a complete copy of the .CRT file instead of using the OCSP protocol to probe the OCSP service. I can't find any additional resources for this problem right now, few search engines point to this post... any gentlemen in MSFT could answer me this question???
September 4th, 2008 10:18am

Hi All, the AIA extension on the certificate issued by an online CA shows:
[2]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name: URL=http://ocsp.pki.slb.com/ocsp
But this URL does not show up either in PKIView nor when I ran Certutil -verify -urlfetch "certfile.cer". Any suggestion? Thanks, chinwala
Resolution: OCSP location is only visible when you run PKIView or the certutil command through Windows Vista or from a Windows 2008 server.
November 10th, 2008 11:32pm

Has anyone determined how to resolve the PKIVIEW error relating to the OCSP URL? Everything else checks out fine (certutil -url cert.cer) etc. etc. I am sure this is by design, but I would like to have a "clean" administrator view of the authority hierarchy. Thanks, Keenan
November 25th, 2008 7:57pm

Ali Chinwala said: chinwala Resolution: OCSP location is only visible when you run PKIView or the certutil command through Windows Vista or from a Windows 2008 server. You are correct that the OCSP location shows up in Vista and 2008, but PKIView still errors... Viewing PKIView in Vista or 2008 does not resolve the issue.
December 22nd, 2008 11:42pm

"PKIView uses the latest CA Exchange certificate. You can go to the CA, delete the CA Exchange certificate from the local machine store (used to protect archived private keys during cert issuance). Then restart Certificate Services. This will request a new CA Exchange certificate with the corrected OCSP URL information." This fixes the issue! You need to revoke (not delete) the CA Exchange certificate that you see in the CA's list of issued certificates. Once you restart the service it rebuilds the proper cert for this.
April 23rd, 2009 4:41am

"PKIView uses the latest CA Exchange certificate. You can go to the CA, delete the CA Exchange certificate from the local machine store (used to protect archived private keys during cert issuance). Then restart Certificate Services. This will request a new CA Exchange certificate with the corrected OCSP URL information." This fixes the issue! You need to revoke (not delete) the CA Exchange certificate that you see in the CA's list of issued certificates. Once you restart the service it rebuilds the proper cert for this. I can confirm this fixes the problem. Revoke the CAExchange certificate, restart Certificate Services and give it a minute to test it. I would suggest the reason for the failure is that "PKIView" is using the CDP and AIA fields included in the CAExchange certificate as the means of verifying whether the AIA, CDP, and OCSP locations are working. If there is a mismatch between what the PKI configuration says and what the CAExchange certificate says, then it gives the error. In comparison, running "certutil -url" on a manually defined certificate at a command prompt may not show the problem because that certificate might already include the updated OCSP URLs.
March 11th, 2010 7:32am

Hi, I can also confirm this fixed my OCSP error.
April 20th, 2010 4:46pm

I had the same issue and corrected it. First I correctly configured the Online Responder (http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx) and then I revoked the certificate whose template is CA Exchange (CAExchange) from the computer on which I start PKI View. To test whether the Online Responder is well configured I used the command: Certutil -verify -urlfetch 1.cer, where 1.cer is a certificate which was created after the Online Responder was configured.
July 14th, 2010 7:51pm

I revoked the certificate for the CA Exchange and restarted the service as outlined above. I do now see the OCSP Location in PKIView and it has a status of OK but I still have the original AIA Location with the http://hostname/ocsp link showing a status of "Unable to Download". Is everyone getting this AIA Location error as well?
July 27th, 2010 5:54pm

I figured out my issue. I had the "Include in the AIA extension of issued certificates" option selected on the ocsp location when it should have only had the "Include in the online certificate status protocol (OCSP) extension." option selected. I removed that option, restarted the CA Service, revoked the CA Exchange Cert once more, restarted CA Service, and all is well now.
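The fix the replies above converge on (audit the OCSP URL flags, revoke the current CA Exchange certificate, restart Certificate Services, then re-check with certutil -verify -urlfetch) written out as one PowerShell script. This is an added example, not code from any poster; it assumes it runs elevated on the CA itself, that the CA Exchange template is named CAExchange, that the registry flag values 2 (AIA) and 32 (OCSP) are the CACertPublicationURLs bits, and that the certutil -view output contains a `Serial Number: "..."` line per row. $TestCert is a placeholder path.

```powershell
# Assumed: run elevated on the CA; $TestCert is a cert issued AFTER the OCSP URL was configured.
param([string]$TestCert = "C:\temp\fresh-issued.cer")

$CsUrlAddToCertCdp  = 2    # "Include in the AIA extension of issued certificates" (assumed bit value)
$CsUrlAddToCertOcsp = 32   # "Include in the online certificate status protocol (OCSP) extension"

# 1. Audit CACertPublicationURLs: an OCSP URL must carry the OCSP bit, never the AIA bit as well.
#    Entries are stored as "<flags>:<url>" in a REG_MULTI_SZ under the active CA's configuration key.
$cfg  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$ca   = (Get-ItemProperty $cfg).Active
$urls = (Get-ItemProperty "$cfg\$ca").CACertPublicationURLs
$misconfigured = 0
foreach ($entry in $urls) {
    $flags, $url = $entry -split ':', 2
    $flags = [int]$flags
    if (($flags -band $CsUrlAddToCertOcsp) -and ($flags -band $CsUrlAddToCertCdp)) {
        Write-Warning "OCSP URL '$url' (flags=$flags) is also flagged for the AIA extension; clear that option"
        $misconfigured++
    }
}
if ($misconfigured -gt 0) { Write-Warning "Fix the AIA/OCSP options on the CA before continuing"; return }

# 2. Revoke (do not delete) every currently issued CA Exchange certificate. Disposition 20 = Issued.
#    Reason code 4 = Superseded, which is what a replaced CA Exchange cert is.
$rows = certutil -view -restrict "CertificateTemplate=CAExchange,Disposition=20" -out "SerialNumber"
$serials = [regex]::Matches(($rows -join "`n"), 'Serial Number:\s*"?([0-9a-fA-F]+)"?') |
           ForEach-Object { $_.Groups[1].Value }
foreach ($serial in $serials) {
    Write-Host "Revoking CA Exchange certificate $serial"
    certutil -revoke $serial 4 | Out-Null
}

# 3. Restart Certificate Services; on start the CA requests a fresh CA Exchange certificate,
#    which PKIView then uses to locate the CDP/AIA/OCSP URLs it tests. Give it a minute.
Restart-Service CertSvc
Start-Sleep -Seconds 60

# 4. Independent check: fetch every CDP/AIA/OCSP URL of a fresh certificate right now and
#    show only the status lines, so a caching-related "looks valid" answer is not mistaken for OK.
if (Test-Path $TestCert) {
    certutil -verify -urlfetch $TestCert | Select-String -Pattern 'Verified|Failed|OCSP|CDP|AIA'
} else {
    Write-Warning "Test certificate $TestCert not found; issue a new cert and re-run step 4"
}
```

Run step 4 on a domain member other than the CA as well, since PKIView and certutil test the URLs from the machine they run on, not from the CA.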
July 27th, 2010 8:49pm
