Windows 2008 OCSP incompatible with Cisco IOS
Hi, Have done a fair bit of testing with Windows Server 2008 RC0 Certificate Services, including using the in-built OCSP responder. As it currently stands, the OCSP responder does not interact properly with all recent versions of Cisco IOS. When the router uses OCSP to check another router's certificate, AND the OCSP server returns a response of "successful", the router rejects the response due to invalid BER encoding. I raised a message with the Cisco TAC and they say it's because the id-pkix-ocsp-nocheck extension in the OCSP responder's certificate is set to a zero-length value. According to the RFC it should actually be set to the ASN.1 value of NULL. Anyway, just wondering if anyone else has experienced this problem? Does anyone know if it's possible to modify the value of the nocheck extension, or if it's possible to remove it? Thanks. PAUL G.
December 11th, 2007 3:54am
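
The encoding difference described in the post above, as an added example that is not part of the original thread: RFC 2560 section 4.2.2.2.1 defines the value of id-pkix-ocsp-nocheck as ASN.1 NULL, so a conformant extnValue is an OCTET STRING wrapping the two bytes 05 00, while the responder certificate in the thread carried an empty OCTET STRING. The code below is a small hand-written DER encoder/decoder (pure Python, no third-party library) that builds both forms, classifies an Extension as conformant or not, and walks an Extensions SEQUENCE the way you would when inspecting a responder certificate. The function and constant names are the example's own.

```python
"""Added example (not from the original thread): build and classify the
id-pkix-ocsp-nocheck extension in DER. Correct extnValue = OCTET STRING
containing ASN.1 NULL (05 00); the buggy form is an empty OCTET STRING."""
from typing import List, Tuple

ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"

TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(body))


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, end_offset) for the TLV starting at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("truncated TLV content")
    return tag, data[offset:end], end


def nocheck_extension(conformant: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    conformant=True wraps NULL (05 00); False reproduces the empty extnValue."""
    ext_value = der_tlv(TAG_NULL, b"") if conformant else b""
    return der_tlv(TAG_SEQUENCE,
                   encode_oid(ID_PKIX_OCSP_NOCHECK)
                   + der_tlv(TAG_OCTET_STRING, ext_value))


def check_nocheck_extension(ext: bytes) -> str:
    """Classify one DER Extension: 'null' (correct), 'empty' (the buggy form),
    'other' (some other extnValue) or 'not-nocheck' (different extnID)."""
    tag, content, end = parse_tlv(ext)
    if tag != TAG_SEQUENCE or end != len(ext):
        raise ValueError("not a single Extension SEQUENCE")
    tag, body, pos = parse_tlv(content)
    if tag != TAG_OID or decode_oid(body) != ID_PKIX_OCSP_NOCHECK:
        return "not-nocheck"
    tag, body, pos = parse_tlv(content, pos)
    if tag == TAG_BOOLEAN:  # optional 'critical' flag precedes extnValue
        tag, body, pos = parse_tlv(content, pos)
    if tag != TAG_OCTET_STRING or pos != len(content):
        raise ValueError("malformed Extension")
    if body == b"":
        return "empty"
    inner_tag, inner_body, inner_end = parse_tlv(body)
    if inner_tag == TAG_NULL and inner_body == b"" and inner_end == len(body):
        return "null"
    return "other"


def scan_extensions(extensions: bytes) -> List[str]:
    """Walk an Extensions SEQUENCE (as found in a responder certificate) and
    return the classification of every Extension in it, in order."""
    tag, content, _ = parse_tlv(extensions)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    results, pos = [], 0
    while pos < len(content):
        _, _, end = parse_tlv(content, pos)
        results.append(check_nocheck_extension(content[pos:end]))
        pos = end
    return results


if __name__ == "__main__":
    for good in (True, False):
        ext = nocheck_extension(good)
        print(ext.hex(), "->", check_nocheck_extension(ext))
```

Running the script prints the two encodings side by side: the conformant one ends in 04 02 05 00, the rejected one in 04 00. To check a real responder certificate, extract its Extensions SEQUENCE (the [3] explicit tag in TBSCertificate) and pass it to scan_extensions; any "empty" result is the form the router refuses.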

Paul, I have reported this to the development team responsible for our OCSP component and they are looking into it. In the meantime you can remove the extension using the following procedure:

Certutil -setreg policy\DisableExtensionList +1.3.6.1.5.5.7.48.1.5
Net stop certsvc & net start certsvc

Thanks,
-Steve
January 15th, 2008 10:06am

Hi Steve,

Thought I would update you about this problem. I am now using the RTM version of Windows Server 2008 Enterprise and am running the latest versions of Cisco IOS. The above problem is still occurring. Also, if I disable the extension as you suggested above, it causes problems on the Cisco routers. Has there been any word from the development team on this issue? Is there any patch available for Windows 2008 that will fix this behaviour, or at least allow the value of the id-pkix-ocsp-nocheck extension to be modified?

Thanks.
PAUL G.
August 6th, 2008 7:03am

FYI, for anyone who is experiencing this same problem, Microsoft has finally released a hotfix for it: http://support.microsoft.com/kb/960549

Apply this hotfix to the CA that issues the signing certificate to the OCSP responder. I have tested it and it works.

Regards,
PAUL G.
December 24th, 2008 4:20am
