strange OCSP issue
I have a 2-tier hierarchy with 2 issuing SubCAs running Windows Server 2008 R2. I also have a separate web server that acts as the OCSP responder. I have configured OCSP configurations for all CAs except one SubCA. The problem is that the OCSP Responder requests a new signing certificate every 4 hours. I'm using the default OCSP Response Signing template without any modifications. During OCSP configuration creation I select the required CA and template for re-enrollment and assign the required permissions on the certificate private key (Read for Network Service). But OCSP sends a new request for an OCSP signing cert every 4 hours. Please ask if you need additional info.

http://en-us.sysadmins.lv
July 31st, 2010 6:28pm

Hi,

A new functionality, which is introduced in version 3 templates, allows the enrollment client to configure permissions for computer keys as part of the enrollment process to allow access for services running as Network Service. As long as a Windows Server 2008–based CA is used to issue a certificate based on the OCSP Response Signing template or a duplicate of that template, there is no need to manually configure permissions on the Online Responder computer to allow the Online Responder service access to the private key.

Regarding the issue, is there any error logged in the event viewer? You can refer to the "Troubleshooting the Online Responder" section of the following article:

Online Responder Installation, Configuration, and Troubleshooting Guide
http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 2nd, 2010 8:49am

No, nothing related in the event viewer. I have checked this article, but there is nothing helpful.

http://en-us.sysadmins.lv
August 2nd, 2010 9:04am

Could this be caused by a missing Certificate Template extension? Since this CA issues certs for external clients and they don't use autoenrollment, we decided not to populate the Certificate Template extension. Currently we use a custom signing cert based on a custom V3 template (with a 1 year validity period) and it looks like it works. Certutil -url and certutil -verify -urlfetch don't display OCSP errors, but pkiview still shows an error for this OCSP location.

http://en-us.sysadmins.lv
August 3rd, 2010 6:49pm

AFAIK the autoenrollment process is based on the certificate template extension (http://blogs.technet.com/b/pki/archive/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued.aspx). If it is not present you cannot know whether you have a certificate corresponding to the specified template. However, I'm not sure whether autoenrollment is used when you are automatically enrolling a certificate for OCSP.
August 4th, 2010 9:41am

By design OCSP doesn't use autoenrollment and no Autoenroll permissions should (or must) be set on that template. By default OCSP renews an expired certificate even when autoenrollment is not enabled. But when you set up a revocation configuration you specify the template name (for enterprise CAs), and it looks like you're right: the responder looks for a valid certificate based on the selected template.

http://en-us.sysadmins.lv
August 4th, 2010 3:47pm
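The thread above concludes that the responder matches its signing certificate to the revocation configuration's template through the certificate template extension, so a certificate issued without that extension cannot be recognized as "already enrolled". The following PowerShell snippet is an added example (not posted by anyone in this thread) for checking this on the Online Responder machine: it lists every certificate in the local computer's personal store, reports whether it carries either Microsoft template extension, renders the template reference, and shows the expiry date and private-key availability. The two OIDs are the documented Microsoft extensions for v1 template names and v2/v3 template identifiers; the store path `Cert:\LocalMachine\My` is an assumption about where the signing certificate was enrolled.

```powershell
# Added example, not from the original thread.
# Lists certificates in the computer's personal store and shows whether each one
# carries a Microsoft certificate template extension (the attribute the Online
# Responder uses to match a signing certificate to the configured template).

# Documented Microsoft template extension OIDs:
$templateOids = @(
    '1.3.6.1.4.1.311.20.2',   # szOID_ENROLL_CERTTYPE_EXTENSION: v1 template name
    '1.3.6.1.4.1.311.21.7'    # szOID_CERTIFICATE_TEMPLATE: v2/v3 template OID + version
)

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($null -eq $ext) { return $null }

    # Format($false) asks Windows to render the extension on one line,
    # e.g. "Template=OCSPResponseSigning(1.3.6.1.4.1.311.21.8....)"
    [pscustomobject]@{
        Oid  = $ext.Oid.Value
        Text = $ext.Format($false)
    }
}

# Assumed store: the machine MY store, where the responder's signing cert is enrolled.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $info = Get-TemplateInfo -Cert $_
    [pscustomobject]@{
        Subject     = $_.Subject
        Thumbprint  = $_.Thumbprint
        NotAfter    = $_.NotAfter
        HasPrivKey  = $_.HasPrivateKey
        HasTemplate = ($null -ne $info)
        Template    = $(if ($info) { $info.Text } else { '(no template extension)' })
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A signing certificate that shows `HasTemplate = False` is exactly the situation described earlier in the thread: the responder cannot tie it to the template named in the revocation configuration, so it keeps requesting a new one. Comparing the `NotAfter` values against the template's validity period also makes it obvious when the responder is renewing far ahead of expiry, as the 4-hour pattern in the original question suggests.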

I usually just configure the OCSP template for autoenrollment and check that the OCSP server gets the new certificate. Then I just configure OCSP using the autoenrollment option.

Regards,
Morten
August 4th, 2010 4:14pm
