I am currently setting up a new internal Windows PKI infrastructure in our organisation, to replace an old setup.
Things are mostly fine, but the OCSP location has the status "Error" in the pkiview console. When I check a certificate with certutil (certutil -URL test-certificate.cer or certutil -urlfetch -verify test-certificate.cer) it shows up as verified. So the responder does seem to work.
Does anyone know why the error status might show up in pkiview? Or where to find relevant logs about this error?
Some more info about the setup:
- As you can see in the image, it's a two tier PKI with an offline root CA and a domain joined issuing CA.
- The AIA and CDP locations are located on two Ubuntu-based Nginx servers, with keepalived for HA purposes.
- A script on the Nginx servers fetches the new CRL from the issuing CA every 15 mins.
- The same two Ubuntu servers have a second Nginx server block, which runs a load balancer to direct ocsp requests to two ocsp responder servers. This way, the certificates can contain just one ocsp url, and clients do not have to wait for timeouts when one ocsp responder would be down.
When googling the problem I found that this might be due to a stale CA-Exchange certificate. But renewing that did not help.
Update
I tested this with Wireshark and when launching pkiview, no ocsp request is actually made. When running certutil -URL test-certificate.cer Wireshark clearly shows the ocsp request and response.
Best Answer
After some more searching I figured it out.
For the ocsp responder servers I used the same array as the old pki setup, since you can simply add multiple configurations to an array.
When these servers were set up, i followed this guide to get a nicer url for the ocsp location. (http://ocsp.domain.com instead of http://ocsp.domain.com/ocsp) This involved creating a new IIS site and editing an IIS config file.
This worked fine for clients in in the past, and still does. But seems to cause the error in pkiview. In the past, the ocsp location was not added to endpoint certificates. It was just used for one application that had the urls in it's config file. So it did not show up in pkiview.
When we reverted back to the standard IIS configuration and renewed the CAExchange certificate, the error went away.