I was asked to move my post - hope it saves you the headaches of having to go through the arguments I have with my security guys...
Issue:
Anyone had any issues with OCSP verification with a Microsoft CA running on 2012? I have removed nonces as a requirement and validated OCSP with certutil from a Windows workstation using the client certificate that I exported off the laptop, and it checks out OK. Interestingly enough, the OCSP check when done from a Linux machine (not CPPM) fails, and the OCSP call using OpenSSL is totally different to the OCSP call from certutil on Windows (it seems to reference the Microsoft CryptoAPI). I have a TAC case raised and will post the solution when we get one, but wondered if anyone could give us a head start? BTW all roots and intermediates are present and EAP-TLS works fine providing I disable OCSP verification within the authentication method under the configured service. Many thanks.
The fix:
Just in case anyone gets caught out on this who has done a recent installation of PKI:
http://technet.microsoft.com/en-us/library/cc770945.aspx
By allowing "Enable NONCE extensions support" you allow an OCSP check to get processed properly. Keep the nonce option enabled on 6.2 CPPM.
Note that my Linux systems can now do an OCSP check successfully - I guess at CPPM's heart lies a Linux server, as most of the stuff is nowadays.
I have more detail I can post up if anyone wants me to, regarding the certutil OCSP validation check, the Microsoft CryptoAPI and the OpenSSL method, if you want.
Hope it saves you guys some time if you end up in the same boat.
To be absolutely crystal clear - nonce support needs to be enabled on the Microsoft CA server.
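What the failing client is actually checking, as an added stdlib-only Python example (not from the original post, ClearPass or Microsoft): a client that puts a nonce in its OCSP request expects the same nonce back in the response (RFC 6960), and a responder with nonce support disabled simply omits it. The DER helpers and the sample Extensions blocks are constructed here and cover only the Extensions portion of a request and response, not the full OCSP messages.

```python
# Nonce-echo check for OCSP (RFC 6960 section 4.4.1), stdlib only: walks the DER
# "Extensions" of an OCSP request and response and reports whether the nonce came back.
NONCE_OID = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2

def der(tag, body):
    """Encode one DER TLV (short-form or 1/2-byte long-form length)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first >= 0x80:                          # long-form length
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def extension(oid, value):                     # Extension ::= SEQUENCE { extnID, extnValue }
    return der(0x30, der(0x06, oid) + der(0x04, value))
def extensions(*exts):                         # Extensions ::= SEQUENCE OF Extension
    return der(0x30, b"".join(exts))

def find_nonce(exts_der):
    """Return the nonce extnValue contents, or None if the extension is absent."""
    seq, pos = read_tlv(exts_der, 0)[1], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        if oid != NONCE_OID:
            continue
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                        # skip an optional 'critical' BOOLEAN
            tag, val, p = read_tlv(ext, p)
        return val
    return None

def check_nonce(request_exts, response_exts):
    """'ok', 'missing' (responder ignored the nonce), 'mismatch' or 'none-sent'."""
    sent, got = find_nonce(request_exts), find_nonce(response_exts)
    if sent is None or got is None:
        return "none-sent" if sent is None else "missing"
    return "ok" if sent == got else "mismatch"

NONCE = bytes(range(16))  # constructed sample nonce; blocks below are Extensions only, not full OCSP PDUs
REQ_EXTS = extensions(extension(NONCE_OID, NONCE))
ECHOED = extensions(extension(NONCE_OID, NONCE))   # responder echoes the nonce
IGNORED = extensions()                             # responder with nonce support disabled
```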