Question
Monday, October 20, 2014 7:21 AM
Hello
I'm having issues with my PKI setup I've inherited
On one of the subordinate CAs I keep getting the following error message in the event logs:
Event ID 17
For configuration 'Online responder', Online Responder revocation provider either has no CRL information or has stale CRL information.
I've confirmed that the CRL is correct in the CA setup (under extensions / AIA settings) as well as confirmed that the CRL and delta CRL are valid on the server hosting them.
I've generated new CRLs from the Subordinate CA as well as the Root CA and copied them to this server as well; however, I cannot get this error to go away.
All replies (5)
Monday, October 20, 2014 7:28 AM
Hi,
Have you checked the Revocation Provider properties in the ocsp.msc snap-in? Do you see the Base CRL(s) and Delta CRL(s) there (if you have any delta CRL configured)?
Hope this helps.
Regards,
Calin
Tuesday, October 21, 2014 1:51 AM
Thanks Calin for the response
OCSP shows that there are CRLs and Delta CRLs configured, and I can confirm that the OR can browse to the locations via HTTP.
I've tried generating new CRLs and Delta CRLs and uploading them to the web server however this has not solved the issue
How do I tell if a CRL or Delta CRL is valid or is stale as the error message suggests?
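The question above (how to tell whether a CRL or delta CRL is stale) can be answered from the CRL files themselves. The PowerShell below is an added example and is not code from the thread: it fetches the base and delta CRL from the URLs the Online Responder's revocation configuration points at, dumps them with certutil, and compares the fields that decide whether the pair is usable. The URLs are placeholders for your own CDP locations, and the regexes assume the field labels that certutil -dump prints on an English Windows build.

```powershell
# Added example, not from the original thread. Assumes certutil -dump prints
# "ThisUpdate:", "NextUpdate:", "CRL Number=<hex>" and, for a delta CRL,
# "Minimum Base CRL Number=<hex>" (English Windows). The URLs are placeholders.

function Get-CrlInfo {
    param([Parameter(Mandatory)][string]$Url)

    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    $dump = certutil -dump $tmp | Out-String
    Remove-Item $tmp -ErrorAction SilentlyContinue

    $info = [ordered]@{
        Url = $Url; ThisUpdate = $null; NextUpdate = $null
        CrlNumber = $null; IsDelta = $false; BaseCrlNumber = $null
    }
    $culture = [cultureinfo]::CurrentCulture   # certutil prints dates in the local format
    if ($dump -match 'ThisUpdate:\s*([^\r\n]+)') { $info.ThisUpdate = [datetime]::Parse($Matches[1].Trim(), $culture) }
    if ($dump -match 'NextUpdate:\s*([^\r\n]+)') { $info.NextUpdate = [datetime]::Parse($Matches[1].Trim(), $culture) }
    # Both CRL numbers are printed as hex by certutil.
    if ($dump -match 'CRL Number=([0-9A-Fa-f]+)') { $info.CrlNumber = [Convert]::ToInt64($Matches[1], 16) }
    if ($dump -match 'Minimum Base CRL Number=([0-9A-Fa-f]+)') {
        $info.IsDelta = $true                     # Delta CRL Indicator extension present
        $info.BaseCrlNumber = [Convert]::ToInt64($Matches[1], 16)
    }
    [pscustomobject]$info
}

function Test-CrlFreshness {
    param(
        [Parameter(Mandatory)][string]$BaseCrlUrl,
        [string]$DeltaCrlUrl
    )
    $now = Get-Date
    $base = Get-CrlInfo -Url $BaseCrlUrl
    $problems = @()

    if ($base.IsDelta) { $problems += 'Base CRL URL serves a delta CRL' }
    if ($base.NextUpdate -lt $now) { $problems += "Base CRL expired at $($base.NextUpdate)" }

    $delta = $null
    if ($DeltaCrlUrl) {
        $delta = Get-CrlInfo -Url $DeltaCrlUrl
        if (-not $delta.IsDelta) { $problems += 'Delta CRL URL does not serve a delta CRL (no Delta CRL Indicator)' }
        if ($delta.NextUpdate -lt $now) { $problems += "Delta CRL expired at $($delta.NextUpdate)" }
        # RFC 5280 5.2.4: a delta may only be combined with a base whose CRL Number is at
        # least the delta's Minimum Base CRL Number. A delta that points past the published
        # base means the base on the web server was not refreshed when the delta was.
        if ($delta.IsDelta -and $delta.BaseCrlNumber -gt $base.CrlNumber) {
            $problems += "Delta needs base CRL #$($delta.BaseCrlNumber) or later; published base is #$($base.CrlNumber)"
        }
    }

    [pscustomobject]@{
        Base     = $base
        Delta    = $delta
        Fresh    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Replace with the URLs shown under Revocation Provider properties in ocsp.msc.
$result = Test-CrlFreshness -BaseCrlUrl 'http://pki.example.com/CertEnroll/Sub-CA.crl' `
                            -DeltaCrlUrl 'http://pki.example.com/CertEnroll/Sub-CA+.crl'
$result.Base, $result.Delta | Format-List
if ($result.Fresh) { 'CRLs are current' } else { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Two things this catches that "the file is there and downloads" does not: a delta CRL whose NextUpdate has already passed (delta CRLs have a short lifetime, so an unpublished delta goes stale within a day or so), and a delta whose Minimum Base CRL Number is higher than the CRL Number of the base that is actually on the web server. As a complementary check, run `certutil -verify -urlfetch` against a certificate issued by the subordinate CA; it retrieves the CDP, delta and OCSP URLs from the certificate and reports which of them fail or are stale.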
Tuesday, October 21, 2014 3:12 AM
I think I may have solved this
The OCSP, though configured with a CRL, still had issues.
What I ended up doing was re-doing the array configuration and removed the delta CRL location, leaving the standard CRL intact
After doing this and restarting the CA services and OR services, that error is no more and the enterprise PKI is showing all ok now
I'll replicate these steps in our staging environment and confirm
Tuesday, October 21, 2014 4:04 AM
I can confirm this across our 3 environments now
None of the ORs are configured with Delta CRLs now, and they are all working fine.
As soon as one is configured with a delta CRL, it shows an error.
Given that this whole environment is non-production, there really isn't any requirement for Delta CRLs as far as I can see.
Tuesday, October 21, 2014 4:11 AM
Interesting to note that on one of the CAs I revoked a dozen old certificates and attempted to publish a new delta CRL, and the option to do so is grayed out.
I think the error stemmed from an invalid delta crl being configured on the system
Any idea why the CAs wouldn't be generating delta CRLs? The option to do so is configured in the extensions already.
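The "Delta CRL only" choice in the CA's Publish dialog is only enabled when delta CRL publishing is switched on in the CA's CRL Publishing Parameters, which is stored as CRLDeltaPeriodUnits (0 means disabled) in the CertSvc registry; the CDP extension URLs on their own do not turn publishing on. If delta publishing is off but a responder's revocation configuration still points at an old delta CRL, that delta expires and is never replaced, which is one way a revocation provider ends up with stale information. The PowerShell below is an added example, not from the thread: run elevated on the CA, it reads those settings and decodes the flag prefix of each CRLPublicationURLs entry to show where a base and a delta CRL would actually be written. The flag values are the CSURL_* bits certutil uses; the registry path is the standard CertSvc configuration key.

```powershell
# Added example, not from the original thread. Run elevated on the CA itself.
# Reads the CA's CRL publishing settings from the CertSvc registry key and
# reports whether delta CRL publishing is enabled and where deltas go.

function Get-CaDeltaCrlConfig {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # name of the active CA
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

    # Bit values of the numeric prefix on each CRLPublicationURLs entry
    # (the same CSURL_* flags that certutil -getreg CA\CRLPublicationURLs decodes).
    $CSURL_SERVERPUBLISH      = 1    # write the base CRL to this location
    $CSURL_ADDTOCERTCDP       = 2    # put this URL in the CDP extension of issued certs
    $CSURL_ADDTOFRESHESTCRL   = 4    # put this URL in the Freshest CRL (delta) extension
    $CSURL_SERVERPUBLISHDELTA = 64   # write the delta CRL to this location

    $locations = foreach ($entry in $ca.CRLPublicationURLs) {
        # Entries look like "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
        $flags, $url = $entry -split ':', 2
        $flags = [int]$flags
        [pscustomobject]@{
            Url            = $url
            PublishesBase  = [bool]($flags -band $CSURL_SERVERPUBLISH)
            PublishesDelta = [bool]($flags -band $CSURL_SERVERPUBLISHDELTA)
            InCdp          = [bool]($flags -band $CSURL_ADDTOCERTCDP)
            InFreshestCrl  = [bool]($flags -band $CSURL_ADDTOFRESHESTCRL)
        }
    }

    [pscustomobject]@{
        CA                  = $caName
        BaseCrlPeriod       = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
        DeltaCrlPeriod      = "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)"
        DeltaCrlEnabled     = ($ca.CRLDeltaPeriodUnits -gt 0)
        DeltaPublishTargets = @($locations | Where-Object PublishesDelta)
        Locations           = $locations
    }
}

$c = Get-CaDeltaCrlConfig
$c | Format-List CA, BaseCrlPeriod, DeltaCrlPeriod, DeltaCrlEnabled
$c.Locations | Format-Table -AutoSize

if (-not $c.DeltaCrlEnabled) {
    Write-Warning "Delta CRL publishing is disabled (CRLDeltaPeriodUnits = 0), so 'Delta CRL only' stays grayed out."
    Write-Warning "To enable: certutil -setreg CA\CRLDeltaPeriodUnits 1 ; certutil -setreg CA\CRLDeltaPeriod Days ; Restart-Service certsvc"
}
elseif ($c.DeltaPublishTargets.Count -eq 0) {
    Write-Warning "Delta CRLs are enabled but no CRLPublicationURLs entry carries the publish-delta flag (64)."
}
else {
    # Force a fresh delta out to every delta target; plain "certutil -CRL" republishes the base.
    certutil -CRL delta
}
```

If you keep delta CRLs disabled, as the posts above describe, the matching step on the responder side is to remove the delta CRL URL from the revocation configuration so it no longer waits for a file that will never be refreshed; if you enable them, the responder's revocation configuration must point at the location that carries the publish-delta flag, and the delta must be republished on every revocation and before its NextUpdate passes.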