Microsoft OCSP Responder configuration cannot retrieve signing cert template

I have a problem setting up the Microsoft Online Certificate Status Protocol responder.  In the MMC > Online Responder Configuration snap-in, I choose Add Revocation Configuration.  In this wizard, I select "Existing Enterprise CA", then browse for my enterprise issuing CA, which is found.  On the next page of the wizard, for the OCSP signing cert,  I select "Automatically select signing certificate" and "Auto-enroll" and then browse to the same issuing CA as before, which is found.  I then get this pop-up error:

A template required to obtain an OCSP signing certificate could not be retrieved. .... Element not found. Exception from HRESULT: 0x80070490.  

I DID configure the OCSP signing template in my issuing CA.  And, if I go into the Certificates snap-in and choose "Request a new certificate" on the OCSP responder machine, I see that template and I am able to successfully request a certificate and have it issued by the auto-enrollment mechanism.

So, what am I missing?  Why is the Responder Configuration wizard unable to fetch the template?

BTW, this is a test setup - I am trying to put together a step-by-step procedure to configure a new PKI infrastructure for my organization and I'm on my third run-through.  On the first two passes this was working.  (But every time I wipe out everything and start over, so I missed a step or changed something this time.)

The OCSP responder is running on Win2012R2 Std, the issuing CA is on Win2016 Std, and all the other machines in the test network are running Win2012R2 Std.
Chris Smith (Director of IT & Operations) asked:
Mahesh (Architect) commented:
Before you request the certificate, did you issue the template in the Certification Authority console?
Open the Certification Authority console, right-click the Certificate Templates container, click New, then click Certificate Template to Issue, and select the OCSP Response Signing certificate template.
Now the cert should be listed as an available certificate template and your request should be successful.
 
Chris Smith (Director of IT & Operations), author, commented:
Yes ... re: my third paragraph.
 
Mahesh (Architect) commented:
Either try installing the CA on a 2012 R2 machine, or install OCSP on the 2016 server as well and then try. I suspect this issue is being caused by the OS difference and, most importantly, I feel the 2016 server OS is still unstable.

 
Chris Smith (Director of IT & Operations), author, commented:
I did manage to get this "working".  The user requesting the OCSP signing certificate through the Revocation Configuration wizard needs to have not only the Enroll permission but also Autoenroll.  Autoenrollment needs to be enabled in Group Policy ... I'm assuming for computer accounts.

And the Revocation Configuration doesn't seem to want to recognize a duplicate of the default OCSP signing template - I had to modify the original.  And you have to make sure that template, under Issuance Requirements, has both manager approval and signatures disabled.

Finally, if you tried to set up the Revocation Configuration once and failed, there may be a CA Exchange certificate on the CA machine that will need to be revoked ... I'm not yet clear on what this certificate is for and how it gets generated, but according to some references I found it can block the OCSP Signing certificate autoenrollment process.
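The checks below are an added example, not code from the thread or from Microsoft; they turn Mahesh's "Certificate Template to Issue" step and the checklist in the comment above (Enroll + Autoenroll on the template, computer autoenrollment policy, no manager approval or signatures under Issuance Requirements, leftover CA Exchange certificate) into a script you can run before retrying the wizard. Assumptions not stated on the page: the default OCSPResponseSigning template is the one being used, $Principal is the DOMAIN\NAME$ form of the responder's computer account (or a group it belongs to, checked as a direct ACE only), and the -OnCA switch is used when the script runs on the CA itself. The Enroll and AutoEnroll extended-right GUIDs and the AEPolicy registry value are standard Windows PKI values.

```powershell
# Added example (not from the original thread): pre-flight checks for the
# Revocation Configuration wizard's "Automatically select signing certificate"
# + "Auto-enroll" option. Assumed parameters: default template name, the
# responder's computer account as $Principal, -OnCA when run on the CA.
param(
    [string]$TemplateName = 'OCSPResponseSigning',
    [string]$Principal    = "$env:USERDOMAIN\$env:COMPUTERNAME$",   # assumed: run on the responder
    [string]$CAConfig     = '',                                      # optional "CAHost\CA Name"
    [switch]$OnCA                                                    # set when running on the CA itself
)

$script:ok = $true
function Fail($msg) { Write-Warning $msg; $script:ok = $false }

# 1. Is the template published on the CA ("Certificate Template to Issue")?
#    certutil -CATemplates prints one "<Name>: <DisplayName> -- ..." line per published template.
$args = @(); if ($CAConfig) { $args += '-config', $CAConfig }
$caTemplates = & certutil @args -CATemplates 2>&1 | Out-String
if ($caTemplates -notmatch "(?m)^$TemplateName`:") {
    Fail "$TemplateName is not published on the CA. On the CA run: certutil -SetCATemplates +$TemplateName"
}

# 2. Read the template object from the AD configuration partition.
$cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

# 3. Issuance Requirements: "CA certificate manager approval" is bit 0x2 of
#    msPKI-Enrollment-Flag; msPKI-RA-Signature is the number of signatures required.
$PEND_ALL_REQUESTS = 0x2
$enrollFlag = [int]$tpl.psbase.Properties['msPKI-Enrollment-Flag'].Value
$raSigs     = [int]$tpl.psbase.Properties['msPKI-RA-Signature'].Value
if ($enrollFlag -band $PEND_ALL_REQUESTS) { Fail "$TemplateName requires CA manager approval (msPKI-Enrollment-Flag=0x$($enrollFlag.ToString('X')))" }
if ($raSigs -gt 0)                        { Fail "$TemplateName requires $raSigs authorized signature(s) (msPKI-RA-Signature)" }

# 4. Template ACL: the principal needs both the Enroll and AutoEnroll extended rights.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$rules   = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$granted = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Principal -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
} | ForEach-Object { $_.ObjectType }
if ($granted -notcontains $EnrollGuid)     { Fail "$Principal has no direct Enroll ACE on $TemplateName" }
if ($granted -notcontains $AutoEnrollGuid) { Fail "$Principal has no direct Autoenroll ACE on $TemplateName (needed for the wizard's Auto-enroll option)" }
# Limitation: rights inherited through group membership are not resolved here.

# 5. Computer autoenrollment policy on this machine (Certificate Services Client - Auto-Enrollment).
#    AEPolicy = 7 is "Enabled" with renew-expired and update-templates; bit 0x8000 means "Disabled".
$aePolicy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or ($aePolicy -band 0x8000)) {
    Fail "Computer certificate autoenrollment is not enabled by policy on $env:COMPUTERNAME (AEPolicy=$aePolicy)"
}

# 6. Leftover CA Exchange certificate: the CA keeps it in its own machine store
#    with a subject of "<CA name>-Xchg". The comment above says it had to be revoked.
if ($OnCA) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*-Xchg*' } | ForEach-Object {
        Write-Host ("CA Exchange cert present: {0}, serial {1}, expires {2}" -f $_.Subject, $_.SerialNumber, $_.NotAfter)
        Write-Host ("  to revoke it as the thread suggests: certutil -revoke {0}" -f $_.SerialNumber)
    }
}

if ($script:ok) { Write-Host "All checks passed; retry the Revocation Configuration wizard." } else { exit 1 }
```

Run it on the responder as a domain account that can read the template object and reach the CA (add -CAConfig "CAHost\CA Name" when more than one enterprise CA is registered, so certutil does not prompt), and once more on the CA with -OnCA for the CA Exchange check. Each failed check prints the specific condition from the thread that the wizard depends on, so you can fix one thing at a time instead of wiping the lab again.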
 
Mahesh (Architect) commented:
You can duplicate the existing OCSP signing certificate template, grant the computer hosting OCSP Enroll permission on that template, and then use the manual process instead of auto-enrollment.
Autoenroll permission is not mandatory.
Instead of selecting autoenroll in the revocation wizard, you can manually choose the certificate template.
 
Chris Smith (Director of IT & Operations), author, commented:
Well, I could not get a duplicate to be "browsable" within the Responder Configuration wizard.  

I found there is a similar problem with the EFS Basic template ... you can use a duplicate template, but if the default EFS Basic template isn't published then the Group Policy Mgmt Editor throws an error when you try to browse for a different template.

You are right, autoenroll is not mandatory, but it appears to me that the Responder Configuration wizard is using the autoenroll process to automatically get the signing cert.  Also, the default renewal period on the OCSP Signing template is pretty short (a few weeks?), so I suppose if you don't have autoenroll set up you will either have to increase that or perform a lot of manual renewal operations, no?