05-21-2015 05:24 AM
I'm trying to set up my controller to check certificate revocation against a newly created Windows CA via OCSP. As I understand it, the controller acts as an OCSP client. I use revocation checking to check user certificates for VIA users. The OCSP server should be up and running. I'm using the Microsoft recommended OCSPResponseSigning certificate template to enroll for the response signing certificate on the CA server.
When revocation checking takes place, the process log shows the error message "certmgr: <118004> <ERRS> |certmgr| OCSP response verification failed."
What can cause this?
Another thing I don't understand in the Revocation Checkpoint configuration is the "OCSP Responder Cert" that must be defined for a Revocation Checkpoint per CA. The documentation does not explain what this certificate should be. I have tried putting many different certificates there (the controller's server cert, the CA's OCSP signing cert and the CA cert), but I always get the error message described above.
I'm running AOS version 220.127.116.11
05-22-2015 04:22 AM
It seems that this was an issue with the OCSP responder. I enabled the NONCE extension. This did the trick; OCSP is now working. I think the NONCE requirement should be mentioned in the documentation.
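To make concrete what the nonce does for the client-side verification discussed in this thread, here is an added example (not code from the thread, the controller, or the Windows CA) that builds a throwaway PKI in memory with the Python `cryptography` package: a CA, an OCSP responder certificate carrying the OCSP Signing EKU (the role the "OCSP Responder Cert" plays), and a client certificate. It then sends an OCSP request with a nonce and shows that a client which requires the nonce rejects a response that does not echo it back, while accepting one that does and that is signed by the expected responder certificate. All names and the `verify_response` check list are constructed for this demo.

```python
"""Constructed example: OCSP request/response round trip with a nonce.

Everything here is generated in memory for the demo; nothing is the
thread's real CA or controller configuration.
"""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _build_cert(subject, issuer_name, public_key, signing_key, eku=None, ca=False):
    """Issue a short-lived certificate (constructed helper, not a real CA flow)."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer_name)
               .public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=1))
               .not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def make_pki():
    """CA, OCSP responder cert (OCSP Signing EKU) and a VIA-style client cert."""
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    ca_key = _make_key()
    ca_cert = _build_cert(ca_name, ca_name, ca_key.public_key(), ca_key, ca=True)

    resp_key = _make_key()
    resp_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo OCSP Responder")])
    resp_cert = _build_cert(resp_name, ca_name, resp_key.public_key(), ca_key,
                            eku=ExtendedKeyUsageOID.OCSP_SIGNING)

    user_key = _make_key()
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "via-user")])
    user_cert = _build_cert(user_name, ca_name, user_key.public_key(), ca_key,
                            eku=ExtendedKeyUsageOID.CLIENT_AUTH)
    return ca_cert, resp_key, resp_cert, user_cert


def build_request(user_cert, ca_cert, nonce):
    """Client side: ask about user_cert and bind the exchange with a nonce."""
    return (ocsp.OCSPRequestBuilder()
            .add_certificate(user_cert, ca_cert, hashes.SHA1())
            .add_extension(x509.OCSPNonce(nonce), critical=False)
            .build())


def respond(request, user_cert, ca_cert, resp_key, resp_cert, echo_nonce):
    """Responder side: answer GOOD; echo the nonce only if echo_nonce is set."""
    now = datetime.now(timezone.utc)
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=user_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                             cert_status=ocsp.OCSPCertStatus.GOOD,
                             this_update=now, next_update=now + timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, resp_cert)
               .certificates([resp_cert]))  # ship the responder cert for chain building
    if echo_nonce:
        req_nonce = request.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
        builder = builder.add_extension(x509.OCSPNonce(req_nonce), critical=False)
    return builder.sign(resp_key, hashes.SHA256())


def verify_response(response, expected_nonce, trusted_resp_cert):
    """Client side checks; returns a list of failure reasons (empty means OK)."""
    problems = []
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return ["response status not successful"]
    try:
        trusted_resp_cert.public_key().verify(
            response.signature, response.tbs_response_bytes,
            padding.PKCS1v15(), response.signature_hash_algorithm)
    except Exception:
        problems.append("signature not made by the configured responder cert")
    try:
        got = response.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
        if got != expected_nonce:
            problems.append("nonce mismatch")
    except x509.ExtensionNotFound:
        problems.append("nonce missing from response")
    if response.certificate_status != ocsp.OCSPCertStatus.GOOD:
        problems.append("certificate not good")
    return problems


if __name__ == "__main__":
    ca_cert, resp_key, resp_cert, user_cert = make_pki()
    nonce = os.urandom(16)
    req = build_request(user_cert, ca_cert, nonce)
    print(verify_response(respond(req, user_cert, ca_cert, resp_key, resp_cert, True), nonce, resp_cert))
    print(verify_response(respond(req, user_cert, ca_cert, resp_key, resp_cert, False), nonce, resp_cert))
```

The responder certificate passed as `trusted_resp_cert` is the counterpart of the "OCSP Responder Cert" field asked about above: the client verifies the response signature against that certificate (or against a certificate delegated from the CA with the OCSP Signing EKU), so a server certificate or the CA certificate itself will not validate a response signed by a separate responder key.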