I tried to set up OCSP, directly installed on the Online Enterprise SubCA. I
followed all wizards without making big changes. - Default settings.
I added the OCSP path with certutil -setreg CA\CACertPublicationURLs
"...\n34:http://sername.domainname.com/ocsp" and it is now displayed when I
run pkiview.msc, but with Error!
I can see the URL of the OCSP in the AIA Location (Unable to download) and
in the OCSP Location (Error).
I don't know why. Do I have to create a virtual directory in the IIS and
place the CRTs and CRLs which I published to the webservers, too?
Many thanks in advance
Juan

I have got exactly the same issue, although I set up the whole test
environment following the MS whitepaper more than once and also
installed a new exchange certificate. I found some postings concerning this
problem, all unanswered.
Does anybody have an idea?
Kind regards,
Dagmar

I did some testing. As recommended by MS I removed any entry from the CDP
extension of the CA and issued a certificate. Consequently, the certificate
does not contain any CDP entry. In this scenario, Vista checks the OCSP path
(I sniffed it and I used certutil -urlcache -v). This works fine, although
pkiview.msc still shows an invalid OCSP path.
In contrast to the information I found in the whitepaper, if there is a CRL
in the path, no OCSP check is performed at all! This doesn't make sense.
Kind regards,
Dagmar

I solved my problem by fixing the "certutil -setreg" command I used.
certutil -setreg CA\CACertPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\DEWIAS071.adswork.loc_InterneSubCA.crt\n32:http://DEWIAS071.adswork.loc/ocsp"
Before it was \n34 which produced an additional entry in the AIA section of
pkiview.msc. Now I only have the URL in the OCSP section of pkiview.msc. -
And everything is green ;-)
Kind regards
Juan
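
Why 34 behaved differently from 32 in the post above, as an added example that is not part of the thread: the number before each URL is a bit mask, and 34 = 2 + 32 puts the responder URL into both the AIA and the OCSP location. The function name Get-AiaUrlFlags is hypothetical, and the "before" string is constructed from the posted command with 34 substituted for 32.

```powershell
# Added example: decode the numeric prefix of each CACertPublicationURLs entry.
# Bit meanings for the CA's AIA URL list:
#   1  = publish the CA certificate to this location
#   2  = include the URL in the AIA extension of issued certificates
#   32 = include the URL in the OCSP part of the AIA extension
function Get-AiaUrlFlags {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)

    # certutil -setreg takes the multi-string with literal "\n" separators.
    foreach ($entry in ($Value -split '\\n')) {
        if ($entry -match '^(\d+):(.+)$') {
            $flags  = [int]$Matches[1]
            $url    = $Matches[2]
            $inAia  = [bool]($flags -band 2)
            $inOcsp = [bool]($flags -band 32)
            [pscustomobject]@{
                Flags   = $flags
                Publish = [bool]($flags -band 1)
                InAIA   = $inAia
                InOCSP  = $inOcsp
                # Both bits on one URL lists the responder as a CA certificate
                # location too, which is the extra AIA entry seen in pkiview.msc.
                ResponderInAia = ($inAia -and $inOcsp)
                Url     = $url
            }
        }
        else {
            Write-Warning "Entry has no numeric flag prefix: $entry"
        }
    }
}

# Constructed "before" value: the posted command with 34 instead of 32.
$before = '1:%windir%\system32\CertSrv\CertEnroll\DEWIAS071.adswork.loc_InterneSubCA.crt\n34:http://DEWIAS071.adswork.loc/ocsp'
# "After" value as posted in the thread.
$after  = '1:%windir%\system32\CertSrv\CertEnroll\DEWIAS071.adswork.loc_InterneSubCA.crt\n32:http://DEWIAS071.adswork.loc/ocsp'

Get-AiaUrlFlags -Value $before | Format-Table Flags, InAIA, InOCSP, ResponderInAia, Url
Get-AiaUrlFlags -Value $after  | Format-Table Flags, InAIA, InOCSP, ResponderInAia, Url
```

Only certificates issued after the registry change and a restart of the CA service carry the corrected extension; certificates issued earlier keep the URLs they were issued with.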

Thank you for the hint, although this is not the solution I expected ;-)
Any other suggestions?