Question
Wednesday, November 7, 2018 2:15 PM
I have a Server 2016 install, with OCSP and ADCS installed. I have been fighting with OCSP for about two months now, and cannot get it to show green in Enterprise PKI. I have tried everything in every forum I have found, including:
- Following the instructions in the "Windows Server 2008 PKI" book (we actually bought this book just because of this issue)
- Setting the AIA to http://internalname/ocsp
- DNS entry for the above works fine for http://internalname/CertEnroll
- Made sure NETWORK SERVICE is "full control" on OCSP template, and inside Responder configuration
- Added the CA's computer account in cert template per instructions
- Revoked the CA Exchange cert and re-generated
- Set the ca\UseDefinedCACertInRequest 1
- Tried the -vocsproot delete / -vocsproot
- Checkboxed "Include in the online certificate status protocol (OCSP) extension" in the CA properties > Extensions
- Tried box unchecked and checked "Include in the AIA extension of issued certificates": checkboxing this gives me another red X in Enterprise PKI of AIA Location "Unable to Download"
- Added "Everyone" to read permissions of "C:\Windows\systemdata\ocsp" itself in the File Explorer security tab
I exported a newly-made cert, and did a -verify -urlfetch on it, and I see:
Certificate OCSP
Failed "OCSP" Time: 0
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
The directory at "C:\Windows\systemdata\ocsp" is empty. The Online Responder config shows "Working" and green checkboxed. I looked through the Security Event log and saw no related errors, although I'm not exactly sure what event IDs I'm looking for.
All replies (5)
Friday, November 9, 2018 3:37 PM ✅Answered
I fixed it myself. The problem was in IIS, in two places:
- system.webServer/security/requestFiltering for the OCSP app needs to have allowDoubleEscaping set as True
- ISAPI and CGI Restrictions needed "C:\Windows\System32\ocspisapi.dll" and "allow extension path to execute" needs to be checked.
I would think that ocspisapi.dll would have been added during the Role setup, but...yeah.
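Added example (not code from the original posts): a PowerShell script that checks and, where needed, applies the two IIS settings named in the accepted answer, then repeats the certutil -verify -urlfetch check the asker used. It assumes the Online Responder vroot is the "ocsp" application under "Default Web Site" (the names used in the question's URLs) and that a freshly issued certificate has been exported to C:\temp\test.cer; both paths are assumptions. It uses the built-in WebAdministration module and must run elevated on the IIS host.

```powershell
# Added example, not from the original thread. Assumptions: site 'Default Web Site',
# application 'ocsp', test certificate at C:\temp\test.cer. Run as Administrator.
Import-Module WebAdministration

$site    = 'Default Web Site'                       # assumption
$app     = 'ocsp'                                   # assumption (vroot from certutil -vocsproot)
$isapi   = 'C:\Windows\System32\ocspisapi.dll'      # the DLL named in the accepted answer
$appHost = 'MACHINE/WEBROOT/APPHOST'
$testCer = 'C:\temp\test.cer'                       # assumption

# 1. Request filtering. OCSP GET requests carry the base64 request in the URL
#    (see the '+' and '/' characters in the IIS log line in the question), and IIS
#    request filtering refuses such URLs unless allowDoubleEscaping is true for
#    the /ocsp application.
$rfFilter = 'system.webServer/security/requestFiltering'
$rf = Get-WebConfigurationProperty -PSPath $appHost -Location "$site/$app" `
        -Filter $rfFilter -Name 'allowDoubleEscaping'
if (-not $rf.Value) {
    Write-Host "Enabling allowDoubleEscaping on $site/$app"
    Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$app" `
        -Filter $rfFilter -Name 'allowDoubleEscaping' -Value $true
}

# 2. ISAPI and CGI Restrictions. If ocspisapi.dll is missing from the list, or
#    present but not allowed, requests to /ocsp fail with HTTP 404.2 as the
#    asker observed.
$restFilter  = 'system.webServer/security/isapiCgiRestriction'
$entryFilter = "$restFilter/add[@path='$isapi']"
$entry = Get-WebConfiguration -PSPath $appHost -Filter $entryFilter
if (-not $entry) {
    Write-Host "Adding $isapi to ISAPI and CGI Restrictions (allowed)"
    Add-WebConfigurationProperty -PSPath $appHost -Filter $restFilter -Name '.' `
        -Value @{ path = $isapi; allowed = $true; description = 'Online Responder' }
}
elseif (-not $entry.allowed) {
    Write-Host "Allowing $isapi in ISAPI and CGI Restrictions"
    Set-WebConfigurationProperty -PSPath $appHost -Filter $entryFilter `
        -Name 'allowed' -Value $true
}

# 3. Restart IIS so both changes take effect, then verify the way the asker did:
#    a working responder shows the OCSP URL as Verified instead of Failed/404.
iisreset | Out-Null
certutil -verify -urlfetch $testCer | Select-String -Pattern 'OCSP', 'Verified', 'Failed'
```

If step 3 still reports a 404, check the IIS log for the /ocsp request: a 404 with substatus 2 (the "404 2" in the question's log lines) points back at the ISAPI/CGI restriction, while a 404 with substatus 11 indicates the double-escaping rule is still rejecting the GET form of the request.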
Wednesday, November 7, 2018 4:23 PM
This is not a CA or OCSP issue, it is a web server issue. IIS can't resolve such a website and/or application. You should verify if the OCSP request is routed to the correct IIS server, and that the web site exists and is running. There might be a firewall issue. Enable logs in IIS and check them to see if the request reached IIS.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
Wednesday, November 7, 2018 8:48 PM
IIS is showing that it is getting the requests in the logs:
2018-11-07 19:08:25 10.15.40.80 GET /ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRGUB/CXSUFffn3OV/WbxXSOCA2AQUzjFqwNeWNr0xIWMdJnEOWW0HBAwCEyMAAALd3BlDUOS5l48AAAAAAt0= - 80 - 10.15.40.131 Microsoft-CryptoAPI/10.0 - 404 2 64 0
2018-11-07 19:08:25 10.15.40.80 POST /ocsp - 80 - 10.15.40.131 Microsoft-CryptoAPI/10.0 - 404 2 1260 62
When browsing to the /ocsp I get an HTTP 404.2 error, "because of the ISAPI and CGI Restriction list settings on the Web server". I'm not sure just what .dll or .exe to add to the exclusion list; nor why I have to go mess with this at all...makes me think something else got messed up somewhere else and this never got set properly.
I also went into "system.webServer/security/requestFiltering" and set allowDoubleEscaping to False of the ocsp "Application", restarted IIS, still red.
Friday, November 9, 2018 9:16 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Best Regards,
Kallen
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, November 12, 2018 2:50 AM
Hi,
I am glad to hear that your issue was successfully resolved.
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Kallen