Microsoft OCSP Responder configuration cannot retrieve signing cert template

I have a problem setting up the Microsoft Online Certificate Status Protocol responder.  In the MMC > Online Responder Configuration snap-in, I choose Add Revocation Configuration.  In this wizard, I select "Existing Enterprise CA", then browse for my enterprise issuing CA, which is found.  On the next page of the wizard, for the OCSP signing cert,  I select "Automatically select signing certificate" and "Auto-enroll" and then browse to the same issuing CA as before, which is found.  I then get this pop-up error:

A template required to obtain an OCSP signing certificate could not be retrieved. .... Element not found. Exception from HRESULT: 0x80070490.  

I DID configure the OCSP signing template in my issuing CA.  And, if I go into the Certificates snap-in and choose "Request a new certificate" on the OCSP responder machine, I see that template and I am able to successfully request a certificate and have it issued by the auto-enrollment mechanism.

So, what am I missing?  Why is the Responder Configuration wizard unable to fetch the template?

BTW, this is a test setup - I am trying to put together a step-by-step procedure to configure a new PKI infrastructure for my organization and I'm on my third run-through.  On the first two passes this was working.  (But every time wipe out everything and start over, so I missed a step or changed something this time.)

The OCSP responder is running on Win2012R2 Std, the issuing CA is on Win2016 Std, and all the other machines in the test network are running Win2012R2 Std.
Chris SmithDirector of IT & OperationsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

before you request certificate, did you issued template in certificate authority console ?
Open the Certification Authority console, right-click the Certificate Templates container, click New, then click Certificate Template to Issue and Select the OCSP Response Signing certificate template
Now cert should be listed as available certificate template and your request should be successful.
Chris SmithDirector of IT & OperationsAuthor Commented:
Yes ... re: my third paragraph.
either try installing CA on 2012 r2 machine or install OCSP also on 2016 server and then try, I suspect this issue is causing because of OS difference and most importantly, I feel 2016 server OS is still unstable
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Chris SmithDirector of IT & OperationsAuthor Commented:
I did manage to get this "working".  The user requesting the OCSP signing certificate through the Revocation Configuration wizard needs to have not only the Enroll permission but also Autoenroll.  Autoenrollment needs to be enabled in Group Policy ... I'm assuming for computer accounts.  And the Revocation Configuration doesn't seem to want to recognize a duplicate of the default OCSP signing template - I had to modify the original.  And you have to make sure that template, under Issuance Requirements, has both manager approval and signatures disabled. Finally, if you tried to set up the Revocation Configuration once and failed, there may be a CA Exchange certificate on the CA machine that will need to be revoked ... I'm not yet clear on what this certificate is for and how it gets generated, but according to some references I found it can block the OCSP Signing certificate autoenrollment process.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
you can duplicate existing OCSP signing certificate template and grant computer hosting OCSP enroll permission on that template and then use manual process instead of auto enrollment
autoenroll permission is not mandatory
instead of selecting autoenroll in revocation wizard, you can manually choose certificate template
Chris SmithDirector of IT & OperationsAuthor Commented:
Well, I could not get a duplicate to be "browsable" within the Responder Configuration wizard.  

I found there is a similar problem with the EFS Basic template ... you can use a duplicate template, but if the default EFS Basic template isn't published then the Group Policy Mgmt Editor throws an error when you try to browse for a different template.

You are right, autoenroll is not mandatory, but it appears to me that the Responder Configuration wizard is using the autoenroll process to automatically get the signing cert.  Also, the default renewal period on the OCSP Signing template is pretty short (a few weeks?), so I suppose if you don't have autoenroll setup you will either have a to increase that or perform a lot of manual renewal operations, no?
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Chris Smith (https:#a42466560)
-- Mahesh (https:#a42466595)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Public Key Infrastructure (PKI)

From novice to tech pro — start learning today.