Collection Rule for event with source OnlineResponder and ID 23

Summary

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Resolutions

Enroll for a properly configured OCSP Response Signing certificate

In order to function, an Online Responder needs to have a valid OCSP Response Signing certificate.

If you are able to locate a valid OCSP Response Signing certificate in the appropriate Personal certificate store of the computer hosting the Online Responder, you can correct this problem by assigning the certificate to a revocation configuration and refreshing the revocation data.

However, if you do not have an OCSP Response Signing certificate, how you resolve problems with OCSP Response Signing certificates depends on whether certificate enrollment is configured to take place automatically or manually.

For revocation configurations using manual enrollment for signing certificates, do the following:

• If the OCSP Response Signing certificate does not exist, use the procedure in the "Manually enroll for an OCSP Response Signing certificate" section.

• Then, complete the procedure in the "Assign a certificate to a revocation configuration" section.

• Complete the procedure in the "Refresh revocation data" section.

For revocation configurations using automatic enrollment for signing certificates, enrollment should take place without user intervention. Therefore, if the certificate does not exist, enrollment is probably blocked for some reason. Check the event log for additional errors or warnings that may be related to this error. If no other information is available, take the following actions:

• Use the procedure in the "Confirm that a CA is accessible" section to confirm that the computer on which the Online Responder service is running can connect to a certification authority (CA). 

• Complete the procedure in the "Confirm that a certificate template is properly configured" section.

• Complete the procedure in the "Confirm that a certificate template is available to a CA" section.

• Complete the procedure in the "Refresh revocation data" section to ensure that the error does not reappear.

To perform these procedures, you must be a member of local Administrators on every computer hosting the Online Responder and have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Manually enroll for an OCSP Response Signing certificate

To manually enroll for an OCSP Response Signing certificate:

• Click Start, type mmc, and then press ENTER.

• If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

• On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

• Click Computer account, and click Next.

• Select the computer hosting the Online Responder, click Finish, and then click OK.

• Double-click Personal, and then double-click Certificates.

• Look for any certificates with the OCSP Signing Enhanced Key Usage (EKU) extension.

• If an OCSP Response Signing certificate cannot be found, or if the OCSP Response Signing certificate has expired and a new certificate has not been enrolled, enroll for a new certificate manually. To do this, right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.

• Use the wizard to complete the enrollment process, selecting the OCSP Response Signing template or another template configured to issue OCSP Response Signing certificates.  

• After the certificate has been issued, assign it to the revocation configuration by using the following procedure.

Assign a certificate to a revocation configuration

To assign a certificate to a revocation configuration:

• Click Start, point to Administrative Tools, and then click Online Responder.

• In the console tree, expand Array Configuration, and click the node for the computer on which the error was logged.

• Right-click the revocation configuration identified in the event log, and click Assign Signing Certificate.

• Select the certificate, and click OK.

• Click Revocation Configuration, and then right-click the revocation configuration.

• Click Edit properties, and click the Signing tab. Select the Automatically use renewed signing certificates check box if you do not want to reassign the signing certificate to the revocation configuration manually each time the signing certificate is renewed. If you do not want this assignment to be made automatically, do not select this check box.

• When you are finished, use the following procedure to ensure the error does not recur.

Refresh revocation data

To refresh revocation information for an Online Responder by using the Online Responder snap-in:

• Click Start, point to Administrative Tools, and then click Online Responder.

• Right-click Array Configuration, and click Refresh Revocation Data.

• Confirm that no additional errors are reported.

• Click the Online Responder node, and confirm that the revocation configuration is listed as Working.

• Under Array Configuration, select the Online Responder computer that logged the error, and then click the revocation configuration named in the error.

• Under the details pane, view the Revocation Configuration Status pane for the status of the signing certificate and the revocation provider.

• Confirm that no additional errors are reported.

Revocation configurations configured for automatic enrollment of signing certificates

The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment. If the OCSP Response Signing certificate template was configured for autoenrollment, you need to confirm that no other issues are blocking the renewal process.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Confirm that a CA is accessible

To confirm that a CA is accessible by a client:

• Open a command prompt window.

• Type certutil -ping -config<computer\user> and press ENTER.

Note:  If you use -config -, the operation is processed by using the default CA. You must specify the computer or user with permission to enroll for certificates from the CA when you use the -config option. Otherwise, the Select Certification Authority dialog box appears and displays a list of all CAs that are available.

Confirm that a certificate template is properly configured

To confirm that an OCSP Response Signing certificate template is properly configured:

• On the computer hosting the CA, click Start, type Certtmpl.msc, and press ENTER.

• Right-click the OCSP Response Signing template, and then click Properties.

• Click the Security tab.

• Under Group or user name, click Add.

• Click Object Types, select the Computers check box, and click OK.

• Type the name of or browse to select the computer hosting the Online Responder or Online Certificate Status Protocol (OCSP) responder services, and then click OK.

• In the Group or user names dialog box, click the computer name.

• In the Permissions dialog box, select the Read, Enroll, and Autoenroll check boxes, and then click OK. 

Confirm that a certificate template is available to a CA

To publish a certificate template:

• Click Start, point to Administrative Tools, and then click Certification Authority.

• In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

• Select the certificate template, and click OK.