Chris Smith (United States) asked:
Microsoft OCSP Responder configuration cannot retrieve signing cert template

I have a problem setting up the Microsoft Online Certificate Status Protocol responder.  In the MMC > Online Responder Configuration snap-in, I choose Add Revocation Configuration.  In this wizard, I select "Existing Enterprise CA", then browse for my enterprise issuing CA, which is found.  On the next page of the wizard, for the OCSP signing cert,  I select "Automatically select signing certificate" and "Auto-enroll" and then browse to the same issuing CA as before, which is found.  I then get this pop-up error:

A template required to obtain an OCSP signing certificate could not be retrieved. .... Element not found. Exception from HRESULT: 0x80070490.  

I DID configure the OCSP signing template in my issuing CA.  And, if I go into the Certificates snap-in and choose "Request a new certificate" on the OCSP responder machine, I see that template and I am able to successfully request a certificate and have it issued by the auto-enrollment mechanism.

So, what am I missing?  Why is the Responder Configuration wizard unable to fetch the template?

BTW, this is a test setup - I am trying to put together a step-by-step procedure to configure a new PKI infrastructure for my organization and I'm on my third run-through.  On the first two passes this was working.  (But every time I wipe out everything and start over, so I missed a step or changed something this time.)

The OCSP responder is running on Win2012R2 Std, the issuing CA is on Win2016 Std, and all the other machines in the test network are running Win2012R2 Std.
Mahesh (India) replied:
Before you request a certificate, did you issue the template in the Certification Authority console?
Open the Certification Authority console, right-click the Certificate Templates container, click New, then click Certificate Template to Issue and select the OCSP Response Signing certificate template.
Now the cert should be listed as an available certificate template and your request should succeed.
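The publication step described in the reply above, as an added example that is not part of the original thread: run on the issuing CA with the ADCS Administration module (Windows Server 2012 or later). It checks that the built-in OCSP Response Signing template (internal name OCSPResponseSigning) exists in Active Directory, publishes it on the CA if it is missing, and cross-checks with certutil, which is what the Online Responder wizard queries. The template name is the real built-in one; nothing else is assumed.

```powershell
# Added example, not from the original thread. Run as an enterprise/CA admin on the issuing CA.
Import-Module ADCSAdministration

$templateName = 'OCSPResponseSigning'   # internal name; display name is "OCSP Response Signing"

# 1. Does the template exist in the AD template store, and what are its validity/renewal settings?
#    (Chris notes below that the default validity of this template is short.)
certutil -v -template $templateName | Select-String 'Template|Validity|Renewal|Overlap'

# 2. Is the template published ("issued") on this CA?  Get-CATemplate lists only published templates,
#    which is exactly the list the "Certificate Template to Issue" dialog maintains.
$published = Get-CATemplate | Where-Object { $_.Name -eq $templateName }
if (-not $published) {
    Write-Host "$templateName is not published on this CA; publishing it now."
    Add-CATemplate -Name $templateName -Force
} else {
    Write-Host "$templateName is already published on this CA."
}

# 3. Cross-check with certutil; the wizard resolves templates through the same CA interface.
certutil -CATemplates | Select-String $templateName

# Reminder (not checked by this script): the responder's computer account needs Read, Enroll and
# Autoenroll on the template (Security tab of the template in the Certificate Templates console)
# for "Automatically select signing certificate" with "Auto-enroll" to work.
```

If step 1 prints nothing the template itself is absent from AD (for example after a wiped and rebuilt forest); if step 1 finds it but step 2 reports it unpublished, publishing it is the fix the reply describes.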
Chris Smith (asker) replied:
Yes ... re: my third paragraph.
Mahesh replied:

Either try installing the CA on a 2012 R2 machine, or install the OCSP responder on the 2016 server as well and then try. I suspect this issue is caused by the OS difference and, most importantly, I feel the 2016 server OS is still unstable.
ASKER CERTIFIED SOLUTION by Chris Smith (United States) [solution text available only to Experts Exchange members]

SOLUTION [solution text available only to Experts Exchange members]
Chris Smith (asker) replied:

Well, I could not get a duplicate to be "browsable" within the Responder Configuration wizard.

I found there is a similar problem with the EFS Basic template ... you can use a duplicate template, but if the default EFS Basic template isn't published then the Group Policy Mgmt Editor throws an error when you try to browse for a different template.

You are right, autoenroll is not mandatory, but it appears to me that the Responder Configuration wizard is using the autoenroll process to automatically get the signing cert.  Also, the default renewal period on the OCSP Signing template is pretty short (a few weeks?), so I suppose if you don't have autoenroll set up you will either have to increase that or perform a lot of manual renewal operations, no?
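To see the autoenrollment side that the post above discusses, here is an added example (not from the original thread) to run on the OCSP responder machine as an administrator. It triggers machine autoenrollment immediately instead of waiting for the scheduled task, then lists any certificate in the machine's Personal store whose EKU includes OCSP Signing (OID 1.3.6.1.5.5.7.3.9), together with the template it came from and how many days remain before it expires, so the short validity period mentioned above is visible. Only standard certutil and the PowerShell Cert: provider are used; no names are assumed.

```powershell
# Added example, not from the original thread. Run elevated on the OCSP responder machine.
$ocspSigningEku = '1.3.6.1.5.5.7.3.9'          # id-kp-OCSPSigning
$templateInfoOid = '1.3.6.1.4.1.311.21.7'      # Certificate Template Information (v2+ templates)

# Kick off machine autoenrollment now; this is the same process the responder wizard relies on.
certutil -pulse | Out-Null

# Pick out certificates in the machine store that carry the OCSP Signing EKU.
$ocspCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ocspSigningEku }
}

if (-not $ocspCerts) {
    Write-Warning 'No OCSP signing certificate in LocalMachine\My; check template publication, template permissions and the machine autoenrollment policy.'
} else {
    $ocspCerts | ForEach-Object {
        $tmplExt = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
            Thumbprint = $_.Thumbprint
        }
    } | Format-Table -AutoSize
}
```

A small DaysLeft value right after enrollment is the short default validity being discussed; if the wizard is to keep the responder signed without manual renewals, either autoenrollment stays in place (it renews when the template's renewal period is reached) or the template's validity is lengthened, which is the trade-off the post raises.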
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Chris Smith (https:#a42466560)
-- Mahesh (https:#a42466595)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer